Read dev/random before chroot.

git-svn-id: file:///svn/unbound/trunk@1567 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/daemon.c

@@ -171,6 +171,8 @@ daemon_init()
 	/* init timezone info while we are not chrooted yet */
 	tzset();
 #endif
+	/* open /dev/random if needed */
+	ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67);
 	daemon->need_to_exit = 0;
 	modstack_init(&daemon->mods);
 	if(!(daemon->env = (struct module_env*)calloc(1, 

doc/Changelog

@@ -2,6 +2,7 @@
 	- Fixup LDFLAGS from libevent sourcedir compile configure restore.
 	- Fixup so no non-absolute rpaths are added.
 	- Fixup validation of RRSIG queries, they are let through.
+	- read /dev/random before chroot
 
 27 March 2009: Wouter
 	- nicer -h output. report linked libraries and modules.

doc/unbound.doxygen

@@ -495,6 +495,7 @@ EXCLUDE                = ./build \
                          util/configparser.h \
                          util/configlexer.c \
                          util/locks.h \
+			 pythonmod/Unbound.py \
 			 ./ldns-src
 
 # The EXCLUDE_SYMLINKS tag can be used select whether or not files or 

util/random.c

@@ -81,6 +81,31 @@ struct ub_randstate {
 /** Number of bytes to reseed after */
 #define REKEY_BYTES	(1 << 24)
 
+/** (re)setup system seed */
+void
+ub_systemseed(unsigned int seed)
+{
+	/* RAND_ is threadsafe, by the way */
+	if(!RAND_status()) {
+		/* try to seed it */
+		unsigned char buf[256];
+		unsigned int v = seed;
+		size_t i;
+		for(i=0; i<256/sizeof(seed); i++) {
+			memmove(buf+i*sizeof(seed), &v, sizeof(seed));
+			v = v*seed + (unsigned int)i;
+		}
+		RAND_seed(buf, 256);
+		if(!RAND_status()) {
+			log_err("Random generator has no entropy "
+				"(error %ld)", ERR_get_error());
+		} else {
+			verbose(VERB_OPS, "openssl has no entropy, "
+				"seeding with time and pid");
+		}
+	}
+}
+
 /** reseed random generator */
 static void
 ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
@@ -94,9 +119,16 @@ ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from)
 		for(i=0; i<SEED_SIZE; i++)
 			rand_buf[i] = (unsigned char)ub_random(from);
 	} else {
-		if (RAND_bytes(rand_buf, (int)sizeof(rand_buf)) <= 0)
+		if(!RAND_status())
-			fatal_exit("Couldn't obtain random bytes (error %ld)",
+			ub_systemseed((unsigned)getpid()^(unsigned)time(NULL));
+		if (RAND_bytes(rand_buf, (int)sizeof(rand_buf)) <= 0) {
+			/* very unlikely that this happens, since we seeded
+			 * above, if it does; complain and keep going */
+			log_err("Couldn't obtain random bytes (error %ld)",
 				    ERR_get_error());
+			s->rc4_ready = 256;
+			return;
+		}
 	}
 	RC4_set_key(&s->rc4, SEED_SIZE, rand_buf);
 
@@ -120,26 +152,7 @@ ub_initstate(unsigned int seed, struct ub_randstate* from)
 		log_err("malloc failure in random init");
 		return NULL;
 	}
-
+	ub_systemseed(seed);
-	/* RAND_ is threadsafe, by the way */
-	if(!RAND_status()) {
-		/* try to seed it */
-		unsigned char buf[256];
-		unsigned int v = seed;
-		size_t i;
-		for(i=0; i<256/sizeof(seed); i++) {
-			memmove(buf+i*sizeof(seed), &v, sizeof(seed));
-			v = v*seed + (unsigned int)i;
-		}
-		RAND_seed(buf, 256);
-		if(!RAND_status()) {
-			log_err("Random generator has no entropy (error %ld)",
-				ERR_get_error());
-			return NULL;
-		}
-		verbose(VERB_OPS, "openssl has no entropy, seeding with time"
-			" and pid");
-	}
 	ub_arc4random_stir(s, from);
 	return s;
 }

util/random.h

@@ -47,6 +47,14 @@
  */
 struct ub_randstate;
 
+/**
+ * Initialize the system randomness.  Obtains entropy from the system
+ * before a chroot or privilege makes it unavailable. 
+ * You do not have to call this, otherwise ub_initstate does so.
+ * @param seed: seed value to create state (if no good entropy is found).
+ */
+void ub_systemseed(unsigned int seed);
+
 /**
  * Initialize a random generator state for use 
  * @param seed: seed value to create state contents.