[RESEND PATCH] crypto: add option to use getrandom()
Jouni Malinen
j at w1.fi
Sun Nov 26 03:49:01 PST 2017
On Mon, Oct 16, 2017 at 09:33:07AM +0200, Lubomir Rintel wrote:
> According to random(4) manual, /dev/random is essentially deprecated on Linux
> for quite some time:
>
> The /dev/random interface is considered a legacy interface, and
> /dev/urandom is preferred and sufficient in all use cases, with the
> exception of applications which require randomness during early boot time;
> for these applications, getrandom(2) must be used instead, because it will
> block until the entropy pool is initialized.
'man 4 random' on Ubuntu 16.04 does not have such language, so I'm not
sure I'd agree about the "quite some time" part..
> An attempt to use it would cause unnecessary blocking on machines
> without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
> a getrandom(2) call is available that will block only until the
> randomness pool has been seeded.
What unnecessary blocking are you referring to here? /dev/random is
opened in non-blocking mode and more data is fetched from it once it
becomes available. How would getrandom(2) help here?

Please also note that I won't be accepting changes that would
practically move from /dev/random to /dev/urandom pool without very
thorough explanation on how that would not have a negative impact on
security especially as far as key derivation is concerned (this data is
used to generate encryption keys).

There is something odd here:
> diff --git a/hostapd/Makefile b/hostapd/Makefile
> ifdef CONFIG_NO_RANDOM_POOL
> +ifdef CONFIG_GETRANDOM
> +CFLAGS += -DCONFIG_GETRANDOM
> +endif
> CFLAGS += -DCONFIG_NO_RANDOM_POOL
> else
> OBJS += ../src/crypto/random.o
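Review bot: in hostapd/Makefile the three added lines sit inside the "ifdef CONFIG_NO_RANDOM_POOL" branch, so -DCONFIG_GETRANDOM is only defined in builds that skip "OBJS += ../src/crypto/random.o", which is the file carrying the getrandom() call. Move the added ifdef/endif block into the "else" branch next to the random.o line so the flag reaches the code it is meant to configure.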
> diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> @@ -1476,6 +1476,9 @@ endif
> ifdef CONFIG_NO_RANDOM_POOL
> CFLAGS += -DCONFIG_NO_RANDOM_POOL
> else
> +ifdef CONFIG_GETRANDOM
> +CFLAGS += -DCONFIG_GETRANDOM
> +endif
> OBJS += ../src/crypto/random.o
> endif
Why would this be different (related to CONFIG_NO_RANDOM_POOL) between
wpa_supplicant and hostapd? Furthermore, Android.mk should likely have
similar changes for both.
> diff --git a/src/crypto/random.c b/src/crypto/random.c
> @@ -229,30 +232,49 @@ int random_pool_ready(void)
> return 1; /* Already initialized - good to continue */
>
> /*
> - * Try to fetch some more data from the kernel high quality
> - * /dev/random. There may not be enough data available at this point,
> + * Try to fetch some more data from the kernel high quality RNG
> + * There may not be enough data available at this point,
> * so use non-blocking read to avoid blocking the application
> * completely.
> */
> - fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
Please note that this is using /dev/random on purpose (i.e., not
/dev/urandom) since the material is used for key derivation..
> +#ifdef CONFIG_GETRANDOM
> + res = getrandom(dummy_key + dummy_key_avail,
> + sizeof(dummy_key) - dummy_key_avail, GRND_NONBLOCK);
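Review bot: the getrandom() call under #ifdef CONFIG_GETRANDOM passes GRND_NONBLOCK, so it can return -1 with errno set to EAGAIN instead of blocking, and the quoted lines do not show res being checked before it is used. Make sure a negative res is never added to dummy_key_avail, treat EAGAIN as "no data yet", and handle ENOSYS for kernels older than 3.17, where getrandom(2) is not available.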
While this would default to use the /dev/urandom pool since GRND_RANDOM
is not specified. I don't think this is a good change taking into account
the need for secure enough randomness for key derivation.
> @@ -272,8 +294,8 @@ int random_pool_ready(void)
> return 1;
> }
>
> - wpa_printf(MSG_INFO, "random: Not enough entropy pool available for "
> - "secure operations");
> + wpa_printf(MSG_INFO, "random: Not enough entropy pool available "
> + "from for secure operations");
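Review bot: the new log string is missing a word after "from" in the second added line, so the message comes out as "random: Not enough entropy pool available from for secure operations". Either name the source after "from" or keep the original wording of the two removed lines.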
??
--
Jouni Malinen PGP id EFC895FA
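
The call shape this review turns on, as an added example (not part of the original message and not hostapd code): a non-blocking top-up that keeps GRND_RANDOM set so the request stays on the /dev/random source, treats EAGAIN as "not yet", and falls back to a non-blocking /dev/random read when the kernel has no getrandom(2). The names entropy_top_up, fill_status and read_dev_random_nonblock, and the 20-byte buffer in main(), are this example's own assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

/* Result of one top-up attempt (hypothetical names, not hostapd's). */
enum fill_status { FILL_ERROR = -1, FILL_PENDING = 0, FILL_READY = 1 };

/* Fallback for kernels older than 3.17: one non-blocking /dev/random read. */
static ssize_t read_dev_random_nonblock(unsigned char *dst, size_t len)
{
	int fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
	ssize_t res;
	int saved;

	if (fd < 0)
		return -1;
	res = read(fd, dst, len);
	saved = errno;		/* close() may clobber errno */
	close(fd);
	errno = saved;
	return res;
}

/* Append kernel randomness to buf[*avail..cap) without ever blocking. */
enum fill_status entropy_top_up(unsigned char *buf, size_t cap, size_t *avail)
{
	ssize_t res;

	if (*avail > cap)
		return FILL_ERROR;
	if (*avail == cap)
		return FILL_READY;
	/* GRND_RANDOM keeps the request on the /dev/random source. */
	res = getrandom(buf + *avail, cap - *avail, GRND_RANDOM | GRND_NONBLOCK);
	if (res < 0 && errno == ENOSYS)
		res = read_dev_random_nonblock(buf + *avail, cap - *avail);
	if (res < 0)	/* EAGAIN or EINTR: nothing yet, retry later */
		return (errno == EAGAIN || errno == EINTR) ? FILL_PENDING : FILL_ERROR;
	*avail += (size_t) res;	/* short reads are normal; keep the bytes */
	return *avail == cap ? FILL_READY : FILL_PENDING;
}

int main(void)
{
	unsigned char key[20];	/* constructed sample buffer */
	size_t have = 0;
	return entropy_top_up(key, sizeof(key), &have) == FILL_ERROR;
}
```

A caller that gets FILL_PENDING keeps the bytes collected so far and calls again later, which is the behaviour the message describes for the non-blocking /dev/random read.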