libexpat and XML_POOR_ENTROPY

Ben Walton bwalton at opencsw.org
Sat Feb 26 21:41:32 CET 2022


No, ideally we should target 10+ these days as 9 is out of support. But
even building for 9+ should be fine here.

On Sat 26 Feb 2022, 19:22 Jeffrey Walton, <noloader at gmail.com> wrote:

> On Sat, Feb 26, 2022 at 2:14 PM Jeffrey Walton <noloader at gmail.com> wrote:
> >
> > On Fri, Feb 25, 2022 at 10:52 AM Ben Walton <bwalton at opencsw.org> wrote:
> > >
> > > On Fri 25 Feb 2022, 11:39 Jeffrey Walton via users, <
> users at lists.opencsw.org> wrote:
> > >>
> > >> I was looking at the libexpat recipe again. This kind of jumps out
> > >> from
> https://sourceforge.net/p/gar/code/HEAD/tree/csw/mgar/pkg/libexpat1/trunk/Makefile#l42
> :
> > >>
> > >> # No high-entropy random in old Solaris versions
> > >> EXTRA_CPPFLAGS += -DXML_POOR_ENTROPY
> > >>
> > >> Solaris has /dev/urandom. It meets requirements. As far as I know,
> > >> even the earlier versions of the device were sufficient for
> > >> cryptographic needs. It may be time to revisit that define.
> > >
> > > Yeah, I'd drop it and see that it passes the test suite. Not sure how
> far back you'd need to go os and hardware worse to still need it, but arms
> pretty ancient to me.
> >
> > Here's some more reading on XML_POOR_ENTROPY:
> > https://github.com/libexpat/libexpat/issues/172.
> >
> > It looks like libexpat needs a good random source for some hash
> > tables. Or more specifically, to avoid collisions due to a poor
> > entropy source. If the entropy source produces collisions, then it is
> > considered poor.
> >
> > I personally think this problem should probably be addressed
> > differently. Instead of asking users to evaluate their entropy source,
> > I think libexpat should obtain a uniform distribution via something
> > like operating system random source + SipHash. SipHash should produce
> > a uniform distribution and it only requires entropy once to key the
> > algorithm. It does not need a constant stream of bytes.
> >
> > Getting back to libexpat, it looks like /dev/urandom is sufficient
> > nowadays. Also see
> >
> https://github.com/libexpat/libexpat/blob/master/expat/lib/xmlparse.c#L122
> .
> > You would get into trouble if the /dev/urandom device was missing.
>
> Ok, here's the missing piece. According to
> https://docs.oracle.com/cd/E88353_01/html/E37851/urandom-4d.html ,
> /dev/random and /dev/urandom was added at Solaris 9 with a patch for
> Solaris 8.
>
> I'm not sure how that affects the define. Does OpenCSW support Solaris
> 7 and below?
>
> Jeff
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.opencsw.org/pipermail/users/attachments/20220226/7da69cdb/attachment.html>


More information about the users mailing list