[krbdev.mit.edu #8499] Use getrandom system call on recent Linux kernels
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Sep 22 13:38:29 EDT 2016
Recent Linux kernels provide a getrandom system call which can have better
behavior than reading from /dev/urandom--it can block when the kernel PRNG
is unseeded, but not when the kernel thinks the acquired entropy pool is
depleted. Using a system call is also more efficient and requires less
from a chroot environment than reading from a device. Unfortunately, glibc
does not currently provide a binding to the new system call, so we need to
use syscall() to access it.
As part of this work, we will rename prng_os.c to prng_device.c, and create
a new prng_os.c which does not burn a file descriptor. Downstream
integrators who do not want the user-space Fortuna PRNG can choose
prng_os.c for platforms which use a getrandom system call, and
prng_device.c for platforms which do not.
More information about the krb5-bugs
mailing list