diff options
| author | Pauli <paul.dale@oracle.com> | 2019-08-20 16:10:49 +1000 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2019-08-20 16:10:49 +1000 |
| commit | 3a5777501a97cc3fbf2884f6f3f966661a3f2e41 (patch) | |
| tree | f95df2f239495c917bdecc02567130695552fab7 /e_os.h | |
| parent | cf0932cdd94f067ed18ce78bea038d919f69038f (diff) | |
| download | openssl-new-3a5777501a97cc3fbf2884f6f3f966661a3f2e41.tar.gz | |
Start up DEVRANDOM entropy improvement for older Linux devices.
Improve handling of low entropy at start up from /dev/urandom by waiting for
a read(2) call on /dev/random to succeed. Once one such call has succeeded,
a shared memory segment is created and persisted as an indicator to other
processes that /dev/urandom is properly seeded.
This does not fully prevent against attacks weakening the entropy source.
An attacker who has control of the machine early in its boot sequence
could create the shared memory segment preventing detection of low entropy
conditions. However, this is no worse than the current situation.
An attacker would also be capable of removing the shared memory segment
and causing seeding to reoccur resulting in a denial of service attack.
This is partially mitigated by keeping the shared memory alive for the
duration of the process's existence. Thus, an attacker would not only need
to have called call shmctl(2) with the IPC_RMID command but the system
must subsequently enter a state where no instances of libcrypto exist in
any process. Even one long running process will prevent this attack.
The System V shared memory calls used here go back at least as far as
Linux kernel 2.0. Linux kernels 4.8 and later, don't have a reliable way
to detect that /dev/urandom has been properly seeded, so a failure is raised
for this case (i.e. the getentropy(2) call has already failed).
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9595)
Diffstat (limited to 'e_os.h')
| -rw-r--r-- | e_os.h | 29 |
1 files changed, 29 insertions, 0 deletions
@@ -28,6 +28,35 @@ * default, we will try to read at least one of these files */ # define DEVRANDOM "/dev/urandom", "/dev/random", "/dev/hwrng", "/dev/srandom" +# ifdef __linux +# ifndef DEVRANDOM_WAIT +# define DEVRANDOM_WAIT "/dev/random" +# endif +/* + * Linux kernels 4.8 and later changes how their random device works and there + * is no reliable way to tell that /dev/urandom has been seeded -- getentropy(2) + * should be used instead. + */ +# ifndef DEVRANDOM_SAFE_KERNEL +# define DEVRANDOM_SAFE_KERNEL 4, 8 +# endif +/* + * Some operating systems do not permit select(2) on their random devices, + * defining this to zero will force the used of read(2) to extract one byte + * from /dev/random. + */ +# ifndef DEVRANDM_WAIT_USE_SELECT +# define DEVRANDM_WAIT_USE_SELECT 1 +# endif +/* + * Define the shared memory identifier used to indicate if the operating + * system has properly seeded the DEVRANDOM source. + */ +# ifndef OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID +# define OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID 114 +# endif + +# endif # endif # if !defined(OPENSSL_NO_EGD) && !defined(DEVRANDOM_EGD) /* |