mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 14:47:09 +00:00
Read dev/random before chroot.
git-svn-id: file:///svn/unbound/trunk@1567 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
a12dcdcdc4
commit
64e3db1f04
@ -171,6 +171,8 @@ daemon_init()
|
|||||||
/* init timezone info while we are not chrooted yet */
|
/* init timezone info while we are not chrooted yet */
|
||||||
tzset();
|
tzset();
|
||||||
#endif
|
#endif
|
||||||
|
/* open /dev/random if needed */
|
||||||
|
ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67);
|
||||||
daemon->need_to_exit = 0;
|
daemon->need_to_exit = 0;
|
||||||
modstack_init(&daemon->mods);
|
modstack_init(&daemon->mods);
|
||||||
if(!(daemon->env = (struct module_env*)calloc(1,
|
if(!(daemon->env = (struct module_env*)calloc(1,
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
- Fixup LDFLAGS from libevent sourcedir compile configure restore.
|
- Fixup LDFLAGS from libevent sourcedir compile configure restore.
|
||||||
- Fixup so no non-absolute rpaths are added.
|
- Fixup so no non-absolute rpaths are added.
|
||||||
- Fixup validation of RRSIG queries, they are let through.
|
- Fixup validation of RRSIG queries, they are let through.
|
||||||
|
- read /dev/random before chroot
|
||||||
|
|
||||||
27 March 2009: Wouter
|
27 March 2009: Wouter
|
||||||
- nicer -h output. report linked libraries and modules.
|
- nicer -h output. report linked libraries and modules.
|
||||||
|
@ -495,6 +495,7 @@ EXCLUDE = ./build \
|
|||||||
util/configparser.h \
|
util/configparser.h \
|
||||||
util/configlexer.c \
|
util/configlexer.c \
|
||||||
util/locks.h \
|
util/locks.h \
|
||||||
|
pythonmod/Unbound.py \
|
||||||
./ldns-src
|
./ldns-src
|
||||||
|
|
||||||
# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
|
# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
|
||||||
|
@ -81,6 +81,31 @@ struct ub_randstate {
|
|||||||
/** Number of bytes to reseed after */
|
/** Number of bytes to reseed after */
|
||||||
#define REKEY_BYTES (1 << 24)
|
#define REKEY_BYTES (1 << 24)
|
||||||
|
|
||||||
|
/** (re)setup system seed */
|
||||||
|
void
|
||||||
|
ub_systemseed(unsigned int seed)
|
||||||
|
{
|
||||||
|
/* RAND_ is threadsafe, by the way */
|
||||||
|
if(!RAND_status()) {
|
||||||
|
/* try to seed it */
|
||||||
|
unsigned char buf[256];
|
||||||
|
unsigned int v = seed;
|
||||||
|
size_t i;
|
||||||
|
for(i=0; i<256/sizeof(seed); i++) {
|
||||||
|
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
|
||||||
|
v = v*seed + (unsigned int)i;
|
||||||
|
}
|
||||||
|
RAND_seed(buf, 256);
|
||||||
|
if(!RAND_status()) {
|
||||||
|
log_err("Random generator has no entropy "
|
||||||
|
"(error %ld)", ERR_get_error());
|
||||||
|
} else {
|
||||||
|
verbose(VERB_OPS, "openssl has no entropy, "
|
||||||
|
"seeding with time and pid");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/** reseed random generator */
|
/** reseed random generator */
|
||||||
static void
|
static void
|
||||||
ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
|
ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
|
||||||
@ -94,9 +119,16 @@ ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
|
|||||||
for(i=0; i<SEED_SIZE; i++)
|
for(i=0; i<SEED_SIZE; i++)
|
||||||
rand_buf[i] = (unsigned char)ub_random(from);
|
rand_buf[i] = (unsigned char)ub_random(from);
|
||||||
} else {
|
} else {
|
||||||
if (RAND_bytes(rand_buf, (int)sizeof(rand_buf)) <= 0)
|
if(!RAND_status())
|
||||||
fatal_exit("Couldn't obtain random bytes (error %ld)",
|
ub_systemseed((unsigned)getpid()^(unsigned)time(NULL));
|
||||||
|
if (RAND_bytes(rand_buf, (int)sizeof(rand_buf)) <= 0) {
|
||||||
|
/* very unlikely that this happens, since we seeded
|
||||||
|
* above, if it does; complain and keep going */
|
||||||
|
log_err("Couldn't obtain random bytes (error %ld)",
|
||||||
ERR_get_error());
|
ERR_get_error());
|
||||||
|
s->rc4_ready = 256;
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
RC4_set_key(&s->rc4, SEED_SIZE, rand_buf);
|
RC4_set_key(&s->rc4, SEED_SIZE, rand_buf);
|
||||||
|
|
||||||
@ -120,26 +152,7 @@ ub_initstate(unsigned int seed, struct ub_randstate* from)
|
|||||||
log_err("malloc failure in random init");
|
log_err("malloc failure in random init");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
ub_systemseed(seed);
|
||||||
/* RAND_ is threadsafe, by the way */
|
|
||||||
if(!RAND_status()) {
|
|
||||||
/* try to seed it */
|
|
||||||
unsigned char buf[256];
|
|
||||||
unsigned int v = seed;
|
|
||||||
size_t i;
|
|
||||||
for(i=0; i<256/sizeof(seed); i++) {
|
|
||||||
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
|
|
||||||
v = v*seed + (unsigned int)i;
|
|
||||||
}
|
|
||||||
RAND_seed(buf, 256);
|
|
||||||
if(!RAND_status()) {
|
|
||||||
log_err("Random generator has no entropy (error %ld)",
|
|
||||||
ERR_get_error());
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
verbose(VERB_OPS, "openssl has no entropy, seeding with time"
|
|
||||||
" and pid");
|
|
||||||
}
|
|
||||||
ub_arc4random_stir(s, from);
|
ub_arc4random_stir(s, from);
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
@ -47,6 +47,14 @@
|
|||||||
*/
|
*/
|
||||||
struct ub_randstate;
|
struct ub_randstate;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initialize the system randomness. Obtains entropy from the system
|
||||||
|
* before a chroot or privilege makes it unavailable.
|
||||||
|
* You do not have to call this, otherwise ub_initstate does so.
|
||||||
|
* @param seed: seed value to create state (if no good entropy is found).
|
||||||
|
*/
|
||||||
|
void ub_systemseed(unsigned int seed);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initialize a random generator state for use
|
* Initialize a random generator state for use
|
||||||
* @param seed: seed value to create state contents.
|
* @param seed: seed value to create state contents.
|
||||||
|
Loading…
Reference in New Issue
Block a user