
select() on /dev/random before first read from /dev/urandom #374

Closed
dfoxfranke opened this Issue Mar 28, 2016 · 2 comments

@dfoxfranke

commented Mar 28, 2016

Linux has the familiar problem that /dev/random blocks too much (insisting on being information-theoretically secure), while /dev/urandom doesn't block even when it should (at early boot, prior to being adequately seeded). The new getrandom() system call does the Right Thing, but as of this writing it's not yet universally available in the major distros. Currently, on Linux systems that lack getrandom(), libsodium reads from /dev/urandom without attempting to guard against the possibility that it has not been seeded yet.

As detailed by my question and answer in this crypto.StackExchange thread, if /dev/random unblocks it implies that /dev/urandom has been seeded, because the kernel gives 128 bits of entropy to the nonblocking pool before it gives any at all to the blocking pool or the input pool.

I propose that libsodium take advantage of this behavior by select()ing on /dev/random before reading from /dev/urandom for the first time. The select call will always block when it should (i.e., once it unblocks, it's safe from then on to read an arbitrary amount of data from /dev/urandom). It's possible that it'll block when it shouldn't, in the case where /dev/urandom has been seeded but some other process has subsequently exhausted the /dev/random pool. However, I think this issue will rarely come up in practice because ever since about ten years ago (IIRC) when the kernel entropy estimates were modified to be much more conservative, /dev/random has been sufficiently slow that hardly anything still uses it.

Obviously, on systems that do have getrandom(), the select() call is pointless and should be skipped.

I'll be happy to contribute a pull request for this feature if you indicate interest in taking it.

@jedisct1

Owner

commented Mar 29, 2016

It's a bit ugly and hairy. This is a temporary unreliable hack for a platform-specific problem that has already been solved. And it introduces a change in semantics since sodium_init() would then become a blocking call.

On the other hand, it can prevent actual security issues, especially on embedded devices.

This will have to wait until after 1.0.9 is released, but I think this is still worth having, and a pull request would be nice (but please use poll(), not select()).
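The seeding guard proposed in the issue and the poll() variant the maintainer asked for, written here as an added example that is not libsodium's code: it tries getrandom(2) first and, only where the kernel reports ENOSYS, polls /dev/random before the first read of /dev/urandom. The function names, the timeout parameter (the thread's version would wait indefinitely) and the ENOSYS fallback are my assumptions, not something the thread specifies.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Block until /dev/random is readable. The kernel seeds the nonblocking pool
 * before the blocking one, so readability implies /dev/urandom is seeded.
 * Returns 1 = seeded, 0 = timed out, -1 = error; timeout_ms < 0 waits forever. */
static int wait_until_seeded(int timeout_ms)
{
    int r, fd = open("/dev/random", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    do { r = poll(&pfd, 1, timeout_ms); } while (r < 0 && errno == EINTR);
    close(fd);
    return r < 0 ? -1 : (r > 0);
}
/* Read exactly len bytes from path, retrying on short reads and EINTR. */
static ssize_t read_exact(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fd);
    return got == len ? (ssize_t)len : -1;
}
/* Fill buf with len random bytes: getrandom(2) when the kernel has it (blocks
 * until seeded, never afterwards), else the poll-then-/dev/urandom fallback. */
ssize_t safe_random_bytes(unsigned char *buf, size_t len, int seed_wait_ms)
{
#ifdef SYS_getrandom
    size_t got = 0;
    while (got < len) {
        long n = syscall(SYS_getrandom, buf + got, len - got, 0);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == ENOSYS) break;  /* kernel lacks getrandom: fall back */
        if (n < 0) return -1;
        got += (size_t)n;
    }
    if (got == len) return (ssize_t)len;
#endif
    if (wait_until_seeded(seed_wait_ms) != 1) return -1;
    return read_exact("/dev/urandom", buf, len);
}
```

The fallback still has the false-positive blocking the issue describes (another process draining /dev/random after seeding), which is why the timeout exists in this version; a caller that wants the thread's semantics passes -1.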

@jedisct1

Owner

commented May 15, 2016

Done.

@jedisct1 jedisct1 closed this May 15, 2016
