Re: [chrony-users] Chrony vs. Linux RNG



On 04/23/18 11:52, Holger Hoffstätte wrote:
>> I guess it could use a non-blocking read for the urandom device (or
>> getrandom() syscall) and fall back to random(), but I'm not sure if it
>> would be a good idea from the security point of view.
>
> I found in util.c that it *should* be using getrandom() already?
> Maybe the HAVE_GETRANDOM detection didn't work, but even then the
> urandom fallback should not be blocking either. I'll double-check the
> package script's autoconf log.

As I suspected... everything looking good:

$ebuild chrony-3.3.ebuild configure
 * chrony-3.3.tar.gz BLAKE2B SHA512 size ;-) ...                  [ ok ]
Unpacking source...
Unpacking chrony-3.3.tar.gz to /tmp/portage/net-misc/chrony-3.3/work
Source unpacked in /tmp/portage/net-misc/chrony-3.3/work
Preparing source in /tmp/portage/net-misc/chrony-3.3/work/chrony-3.3 ...
Source prepared.
Configuring source in /tmp/portage/net-misc/chrony-3.3/work/chrony-3.3 ...
 * ./configure --enable-scfilter --disable-pps --without-editline --docdir=/usr/share/doc/chrony-3.3 --chronysockdir=/run/chrony --mandir=/usr/share/man --prefix=/usr --sysconfdir=/etc/chrony --disable-sechash --without-nss --without-tomcrypt
Configuring for  Linux-x86_64
Checking for x86_64-pc-linux-gnu-gcc : Yes
Checking for 64-bit time_t : Yes
NTP time mapped to 1968-05-05T09:56:04Z/2104-06-11T16:24:20Z
Checking for math : No
Checking for math in -lm : Yes
Checking for <stdint.h> : Yes
Checking for <inttypes.h> : Yes
Checking for struct in_pktinfo : Yes
Checking for IPv6 support : Yes
Checking for struct in6_pktinfo : No
Checking for struct in6_pktinfo with _GNU_SOURCE : Yes
Checking for clock_gettime() : Yes
Checking for getaddrinfo() : Yes
Checking for pthread : Yes
Checking for arc4random_buf() : No
Checking for getrandom() : Yes
Checking for recvmmsg() : Yes
Checking for SW/HW timestamping : Yes
Checking for other timestamping options : Yes
Checking for libcap : Yes
Checking for seccomp : Yes
Checking for <linux/rtc.h> : Yes
Checking for <linux/ptp_clock.h> : Yes
Checking for sched_setscheduler() : Yes
Checking for mlockall() : Yes
Checking for readline : Yes
Features : +CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER -SIGND +ASYNCDNS +READLINE -SECHASH +IPV6 -DEBUG
Creating Makefile
Creating doc/Makefile
Creating test/unit/Makefile
Source configured.

So it's probably indeed blocking in too-early getrandom() (thanks for
pointing that out!) and falling back to urandom with GRND_NONBLOCK could
work. Let me know if I can try any patches.

thanks,
Holger
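As an added example (not chrony's util.c and not a patch from this thread), one way to implement what the message sketches: call getrandom() with GRND_NONBLOCK, and on EAGAIN (pool not yet initialised at early boot) fall back to a /dev/urandom read while telling the caller that the bytes came from an uninitialised pool, so it can refuse to derive anything long-lived from them. It assumes Linux with a libc that provides <sys/random.h>; the enum names and functions are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/random.h>

/* Where the bytes came from; the caller decides whether that is good enough. */
enum rng_source {
  RNG_FAIL = -1,           /* no bytes obtained */
  RNG_URANDOM_UNINIT = 0,  /* kernel pool not yet initialised: bytes may be weak */
  RNG_GETRANDOM = 1,       /* getrandom() succeeded: pool was initialised */
  RNG_URANDOM_FALLBACK = 2 /* getrandom() unavailable (ENOSYS), used /dev/urandom */
};

/* Fill buf from /dev/urandom. Never blocks on Linux, but before the pool
 * is initialised (early boot) the output may be predictable. */
static int read_urandom(unsigned char *buf, size_t len) {
  int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  if (fd < 0) return -1;
  size_t done = 0;
  while (done < len) {
    ssize_t r = read(fd, buf + done, len - done);
    if (r < 0 && errno == EINTR) continue;
    if (r <= 0) { close(fd); return -1; }
    done += (size_t)r;
  }
  close(fd);
  return 0;
}

/* Non-blocking getrandom() with a labelled fallback. Returns an rng_source. */
int get_random_nonblocking(unsigned char *buf, size_t len) {
  size_t done = 0;
  while (done < len) {
    ssize_t r = getrandom(buf + done, len - done, GRND_NONBLOCK);
    if (r > 0) { done += (size_t)r; continue; }   /* short reads are allowed */
    if (r < 0 && errno == EINTR) continue;
    if (r < 0 && errno == EAGAIN)                 /* pool not initialised yet */
      return read_urandom(buf + done, len - done) == 0 ? RNG_URANDOM_UNINIT : RNG_FAIL;
    if (r < 0 && errno == ENOSYS)                 /* kernel without getrandom() */
      return read_urandom(buf + done, len - done) == 0 ? RNG_URANDOM_FALLBACK : RNG_FAIL;
    return RNG_FAIL;
  }
  return RNG_GETRANDOM;
}

/* Sanity check: two independent 32-byte draws must differ. 1 = ok, 0 = equal, -1 = error. */
int two_draws_differ(void) {
  unsigned char a[32], b[32];
  if (get_random_nonblocking(a, 32) < 0 || get_random_nonblocking(b, 32) < 0) return -1;
  return memcmp(a, b, 32) != 0;
}
```

A daemon that starts before the pool is ready can log the RNG_URANDOM_UNINIT result and keep going, rather than hanging in a blocking getrandom() as this thread observed.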


