mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 14:47:09 +00:00
Read dev/random before chroot.
git-svn-id: file:///svn/unbound/trunk@1567 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
a12dcdcdc4
commit
64e3db1f04
@ -171,6 +171,8 @@ daemon_init()
|
||||
/* init timezone info while we are not chrooted yet */
|
||||
tzset();
|
||||
#endif
|
||||
/* open /dev/random if needed */
|
||||
ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67);
|
||||
daemon->need_to_exit = 0;
|
||||
modstack_init(&daemon->mods);
|
||||
if(!(daemon->env = (struct module_env*)calloc(1,
|
||||
|
@ -2,6 +2,7 @@
|
||||
- Fixup LDFLAGS from libevent sourcedir compile configure restore.
|
||||
- Fixup so no non-absolute rpaths are added.
|
||||
- Fixup validation of RRSIG queries, they are let through.
|
||||
- read /dev/random before chroot
|
||||
|
||||
27 March 2009: Wouter
|
||||
- nicer -h output. report linked libraries and modules.
|
||||
|
@ -495,6 +495,7 @@ EXCLUDE = ./build \
|
||||
util/configparser.h \
|
||||
util/configlexer.c \
|
||||
util/locks.h \
|
||||
pythonmod/Unbound.py \
|
||||
./ldns-src
|
||||
|
||||
# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
|
||||
|
@ -81,6 +81,31 @@ struct ub_randstate {
|
||||
/** Number of bytes to reseed after */
|
||||
#define REKEY_BYTES (1 << 24)
|
||||
|
||||
/** (re)setup system seed */
|
||||
void
|
||||
ub_systemseed(unsigned int seed)
|
||||
{
|
||||
/* RAND_ is threadsafe, by the way */
|
||||
if(!RAND_status()) {
|
||||
/* try to seed it */
|
||||
unsigned char buf[256];
|
||||
unsigned int v = seed;
|
||||
size_t i;
|
||||
for(i=0; i<256/sizeof(seed); i++) {
|
||||
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
|
||||
v = v*seed + (unsigned int)i;
|
||||
}
|
||||
RAND_seed(buf, 256);
|
||||
if(!RAND_status()) {
|
||||
log_err("Random generator has no entropy "
|
||||
"(error %ld)", ERR_get_error());
|
||||
} else {
|
||||
verbose(VERB_OPS, "openssl has no entropy, "
|
||||
"seeding with time and pid");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/** reseed random generator */
|
||||
static void
|
||||
ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
|
||||
@ -94,9 +119,16 @@ ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
|
||||
for(i=0; i<SEED_SIZE; i++)
|
||||
rand_buf[i] = (unsigned char)ub_random(from);
|
||||
} else {
|
||||
if (RAND_bytes(rand_buf, (int)sizeof(rand_buf)) <= 0)
|
||||
fatal_exit("Couldn't obtain random bytes (error %ld)",
|
||||
if(!RAND_status())
|
||||
ub_systemseed((unsigned)getpid()^(unsigned)time(NULL));
|
||||
if (RAND_bytes(rand_buf, (int)sizeof(rand_buf)) <= 0) {
|
||||
/* very unlikely that this happens, since we seeded
|
||||
* above, if it does; complain and keep going */
|
||||
log_err("Couldn't obtain random bytes (error %ld)",
|
||||
ERR_get_error());
|
||||
s->rc4_ready = 256;
|
||||
return;
|
||||
}
|
||||
}
|
||||
RC4_set_key(&s->rc4, SEED_SIZE, rand_buf);
|
||||
|
||||
@ -120,26 +152,7 @@ ub_initstate(unsigned int seed, struct ub_randstate* from)
|
||||
log_err("malloc failure in random init");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* RAND_ is threadsafe, by the way */
|
||||
if(!RAND_status()) {
|
||||
/* try to seed it */
|
||||
unsigned char buf[256];
|
||||
unsigned int v = seed;
|
||||
size_t i;
|
||||
for(i=0; i<256/sizeof(seed); i++) {
|
||||
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
|
||||
v = v*seed + (unsigned int)i;
|
||||
}
|
||||
RAND_seed(buf, 256);
|
||||
if(!RAND_status()) {
|
||||
log_err("Random generator has no entropy (error %ld)",
|
||||
ERR_get_error());
|
||||
return NULL;
|
||||
}
|
||||
verbose(VERB_OPS, "openssl has no entropy, seeding with time"
|
||||
" and pid");
|
||||
}
|
||||
ub_systemseed(seed);
|
||||
ub_arc4random_stir(s, from);
|
||||
return s;
|
||||
}
|
||||
|
@ -47,6 +47,14 @@
|
||||
*/
|
||||
struct ub_randstate;
|
||||
|
||||
/**
|
||||
* Initialize the system randomness. Obtains entropy from the system
|
||||
* before a chroot or privilege makes it unavailable.
|
||||
* You do not have to call this, otherwise ub_initstate does so.
|
||||
* @param seed: seed value to create state (if no good entropy is found).
|
||||
*/
|
||||
void ub_systemseed(unsigned int seed);
|
||||
|
||||
/**
|
||||
* Initialize a random generator state for use
|
||||
* @param seed: seed value to create state contents.
|
||||
|
Loading…
Reference in New Issue
Block a user