On Fri, Aug 8, 2025 at 3:25 PM Masahiko Sawada <sawada.m...@gmail.com> wrote:

> On the other hand, I found a blog post[3] (10-year-old post) saying that on
> Solaris the output of getentropy() should not be used where randomness
> is needed. I'm not sure it's still true but I guess that it might be
> reasonable to consider that this is correct behavior in principle, and
> that the behavior of glibc etc. is in some sense an exception.

Thanks for finding that! Ah, FIPS:

> More specifically the data returned by getentropy(2) has not had the required
> FIPS 140-2 processing for the DRBG applied to it.

So FIPS compliance is a case where "a stream of numbers would be suitable for seeding a CSPRNG, but not suitable as output from a CSPRNG". That's evidence enough for me to abandon my preference for getentropy() (whether Solaris still does that or not).

I've been looking at libsodium's randomness implementations [1]:

> On Windows systems, the RtlGenRandom() function is used.
> On OpenBSD and Bitrig, the arc4random() function is used.
> On recent FreeBSD and Linux kernels, the getrandom system call is used.
> On other Unices, the /dev/urandom device is used.

(Note that libsodium has some internal concept of a "safe" arc4random implementation, which it locks to certain platforms. If an OS is still literally using RC4 we would not want to use it.)

So, my next question: is getrandom() always preferable to /dev/urandom?

--Jacob

[1] https://doc.libsodium.org/generating_random_data