    Start up DEVRANDOM entropy improvement for older Linux devices. · 3ff98f55
    Pauli authored
    
    
    Improve handling of low entropy at start up from /dev/urandom by waiting for
    a read(2) call on /dev/random to succeed.  Once one such call has succeeded,
    a shared memory segment is created and persisted as an indicator to other
    processes that /dev/urandom is properly seeded.
    
    This does not fully prevent against attacks weakening the entropy source.
    An attacker who has control of the machine early in its boot sequence
    could create the shared memory segment preventing detection of low entropy
    conditions.  However, this is no worse than the current situation.
    
    An attacker would also be capable of removing the shared memory segment
    and causing seeding to reoccur resulting in a denial of service attack.
    This is partially mitigated by keeping the shared memory alive for the
    duration of the process's existence.  Thus, an attacker would not only need
    to have called shmctl(2) with the IPC_RMID command but the system
    must subsequently enter a state where no instances of libcrypto exist in
    any process.  Even one long running process will prevent this attack.
    
    The System V shared memory calls used here go back at least as far as
    Linux kernel 2.0.  Linux kernels 4.8 and later don't have a reliable way
    to detect that /dev/urandom has been properly seeded, so a failure is raised
    for this case (i.e. the getentropy(2) call has already failed).
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/9595)
    
    [manual merge]
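
The marker scheme the commit message describes, as an added C sketch that is not OpenSSL's code: wait for one successful read(2) from /dev/random, then create a System V segment and stay attached to it. The key `EXAMPLE_SEED_KEY`, the 0444 mode and all function names are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <unistd.h>

/* Constructed key for this sketch; not the identifier OpenSSL uses. */
#define EXAMPLE_SEED_KEY ((key_t)0x5eed0114)

static void *marker_addr = (void *)-1;   /* attachment held until exit */

/* 1 if a marker for `key` exists, 0 if not, -1 on any other error. */
int seed_marker_exists(key_t key) {
    if (shmget(key, 1, 0) != -1) return 1;
    return errno == ENOENT ? 0 : -1;
}

/* Block until the kernel hands out one byte from /dev/random. */
int wait_for_dev_random(void) {
    unsigned char b;
    ssize_t n;
    int fd = open("/dev/random", O_RDONLY);
    if (fd == -1) return -1;
    do { n = read(fd, &b, 1); } while (n == -1 && errno == EINTR);
    close(fd);
    return n == 1 ? 0 : -1;
}

/* Create (or find) the marker and stay attached, read-only, so the segment
 * outlives an IPC_RMID for as long as this process runs. Returns the shmid. */
int publish_seed_marker(key_t key) {
    int id = shmget(key, 1, IPC_CREAT | 0444);
    if (id == -1) return -1;
    marker_addr = shmat(id, NULL, SHM_RDONLY);
    return marker_addr == (void *)-1 ? -1 : id;
}

/* Cleanup helper for experiments: detach, then remove the marker. */
int retire_seed_marker(int id) {
    if (marker_addr != (void *)-1 && shmdt(marker_addr) == -1) return -1;
    marker_addr = (void *)-1;
    return shmctl(id, IPC_RMID, NULL);
}

int main(void) {
    if (seed_marker_exists(EXAMPLE_SEED_KEY) != 1 && wait_for_dev_random() != 0)
        return 1;                        /* fail closed: seeding never confirmed */
    printf("marker shmid: %d\n", publish_seed_marker(EXAMPLE_SEED_KEY));
    return 0;
}
```

Because the marker is only a key lookup, any local process that can call shmget(2) first can create it, which is the early-boot weakness the message acknowledges.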