Support for /dev/*random in OpenSSL 1.1.1
Michael Brunnbauer
brunni at netestate.de
Wed Sep 11 15:48:01 UTC 2019
hi all,
I have glibc 2.30 with Kernel 4.9.191 but unfortunately I compiled glibc with
old Kernel headers from Linux 3.16.46. It seems that as a result of this, my
getrandom() and getentropy() are stubs that always fail with ENOSYS. This
leads to:
./util/shlib_wrap.sh apps/openssl rand -hex 10
4145686272:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
...
Fine I thought, supply --with-rand-seed=devrandom to Configure and be done
with it until you can fix your glibc. Nope - same result.
Now I see this in e_os.h:
/*
 * Linux kernels 4.8 and later changes how their random device works and there
 * is no reliable way to tell that /dev/urandom has been seeded -- getentropy(2)
 * should be used instead.
 */
# ifndef DEVRANDOM_SAFE_KERNEL
#  define DEVRANDOM_SAFE_KERNEL 4, 8
# endif
So OpenSSL 1.1.1 will not support /dev/*random with kernels > 4.8?
I can fix the kernel headers before compiling the next release of glibc but
this is some months away.
Is there anything I can do now? I don't like the idea to recompile glibc -
Version upgrades are much easier to deploy than replacing the current version.
Regards,
Michael Brunnbauer
--
++ Michael Brunnbauer
++ netEstate GmbH
++ Geisenhausener Straße 11a
++ 81379 München
++ Tel +49 89 32 19 77 80
++ Fax +49 89 32 19 77 89
++ E-Mail brunni at netestate.de
++ https://www.netestate.de/
++
++ Sitz: München, HRB Nr.142452 (Handelsregister B München)
++ USt-IdNr. DE221033342
++ Geschäftsführer: Michael Brunnbauer, Franz Brunnbauer
++ Prokurist: Dipl. Kfm. (Univ.) Markus Hendel
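
Added example, not part of the original post and not OpenSSL or glibc code: a small C diagnostic that separates the situation described above (the libc getrandom() wrapper failing with ENOSYS while the running kernel supports the syscall) from a kernel that lacks it, by comparing the wrapper, the raw syscall and a /dev/urandom read. The function names and the fallback syscall number 318 (x86_64 only) are assumptions of this example.

```c
/* Added diagnostic example: not OpenSSL or glibc code. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/random.h>   /* getrandom() wrapper, GRND_NONBLOCK (glibc >= 2.25) */
#include <sys/syscall.h>
#if !defined(SYS_getrandom) && defined(__x86_64__)
# define SYS_getrandom 318 /* assumption: x86_64 number, for headers older than 3.17 */
#endif
enum verdict { BOTH_OK, LIBC_STUB, KERNEL_LACKS, OTHER_FAILURE };

/* Each probe returns 0 on success, otherwise the errno of the failure. */
static int probe_libc(void) {
    unsigned char b[16];
    return getrandom(b, sizeof b, GRND_NONBLOCK) < 0 ? errno : 0;
}
static int probe_raw(void) {
#ifdef SYS_getrandom
    unsigned char b[16];
    return syscall(SYS_getrandom, b, sizeof b, GRND_NONBLOCK) < 0 ? errno : 0;
#else
    return ENOSYS; /* no syscall number known at build time */
#endif
}
static int probe_urandom(void) {
    unsigned char b[16];
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return errno;
    ssize_t n = read(fd, b, sizeof b);
    int err = n == (ssize_t)sizeof b ? 0 : (n < 0 ? errno : EIO);
    close(fd);
    return err;
}
static enum verdict classify(int libc_err, int raw_err) {
    if (libc_err == 0 && raw_err == 0) return BOTH_OK;
    if (libc_err == ENOSYS && raw_err == 0) return LIBC_STUB; /* case in the post */
    if (raw_err == ENOSYS) return KERNEL_LACKS; /* or filtered / number unknown */
    return OTHER_FAILURE; /* e.g. EAGAIN: kernel pool not yet initialised */
}
int main(void) {
    static const char *names[] = { "both ok", "libc wrapper is a stub",
                                   "kernel lacks getrandom", "other failure" };
    int l = probe_libc(), r = probe_raw(), u = probe_urandom();
    printf("libc getrandom():   %s\n", l ? strerror(l) : "ok");
    printf("raw SYS_getrandom:  %s\n", r ? strerror(r) : "ok");
    printf("/dev/urandom read:  %s\n", u ? strerror(u) : "ok");
    printf("verdict: %s\n", names[classify(l, r)]);
    return 0;
}
```

With GRND_NONBLOCK, an EAGAIN result from either getrandom probe means the kernel pool is not yet initialised, which is the seeding state a plain /dev/urandom read cannot report.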