This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.
Harald Welte laforge at gnumonks.orgHi RS,
> After running the above tests and reading the related documentation, my
> conclusion is that it would be reasonable to use syscall(SYS_getrandom,
> &buf, bufsize, 0) as a suitable replacement for rand() in all cases
> without any concrete security or performance concerns. The overhead is
> also significantly less than importing or otherwise depending on
> OpenSSL, GnuTLS, NaCL, or probably even glibc.
Thanks again for your investigation.
So the conclusion is probably, for now:
* use getrandom() with zero flags for TMSIs and other random identifiers
* use getrandom() with zero flags for RAND challenges
* use getrandom() with GRND_RANDOM flag for K/OP/OPc/Ki generation
> It may make sense to use the platform's libc interface if it is available.
I would go for that, and I believe the current patch under discussion is doing
exactly that: use getrandom() if available, and fall back to the raw syscall,
if not.
Further falling back on rand() is probably a bad idea, we could simply
make this a fatal runtime error ending the program and see if anyone
ever reports that error to the mailing list. If at all, the fall-back
should not happen automatically, but should be explicitly requested at
compile-time ("--enable-unsafe-rand"), or depend on an environment
variable, or the like. Basically to make sure the default configuration
will be safe, and any unsafe operation requires explicit user
intervention.
> It may also be worthwhile to try to ensure that buffer is indeed
> changed.
good point, I like that.
> The small program below could also easily be modified to test that the
> buffer is indeed completely filled with some new data and to
> additionally hash the buffer before use in any cryptographic
> application.
Yes, we could improve on that by using some hashing function on the
result, rather than using the (cs)prng output directly. But let's keep
that as a possible future improvement for now. Out of curiosity: What
would you recommend?
Regards,
Harald
--
- Harald Welte <laforge at gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)