author | Jason A. Donenfeld <Jason@zx2c4.com> | 2022-03-28 00:25:56 -0400 |
---|---|---|
committer | Petr Štetiar <ynezz@true.cz> | 2022-03-28 09:27:56 +0200 |
commit | 2edc017a6e0cb92b72b768aaa46c6d336ad84eff (patch) | |
tree | c8084c6f07eef05a157ef811e9af979098d3b550 /package/system/urandom-seed/files/lib | |
parent | 9d8f620679df7f6f58ba1452311400da088a404b (diff) | |
urandom-seed: use seedrng for seeding the random number generator
The RNG can't actually be seeded from a shell script, due to the
reliance on ioctls. For this reason, the seedrng project provides a
basic script meant to be copy and pasted into projects like OpenWRT
and tweaked as needed: <https://git.zx2c4.com/seedrng/about/>.
This commit imports it into the urandom-seed package and wires up the
init scripts to call it. This also is a significant improvement over the
current init script, which does not robustly handle cleaning up of seeds
and syncing to prevent reuse. Additionally, the existing script creates
a new seed immediately after writing an old one, which means that the
amount of entropy might actually regress, due to failing to credit the
old seed.
Closes: https://github.com/openwrt/openwrt/issues/9570
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixed missing INSTALL_DIR]
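The commit message above makes two points that are easier to see in code than in prose: a shell script cannot credit entropy because that needs an ioctl, and a seed must be removed and the removal synced before it is used so it can never be replayed. The C helper below is an added example written for this page; it is not seedrng's code and not part of this commit or of OpenWrt. The `seedpool` name, the `MAX_SEED` bound, the `selftest_no_credit` self-check (which uses constructed seed bytes and a scratch file standing in for /dev/urandom) and the `credit` command-line switch are all assumptions. What seedrng does beyond this, such as producing the seed for the next boot, is out of scope here.

```c
/* seedpool.c: an added, hypothetical helper (not seedrng and not OpenWrt
 * code). Credits a stored seed with RNDADDENTROPY in an order that keeps
 * one seed from ever being credited twice.
 * Build: cc -O2 -o seedpool seedpool.c   Use: seedpool <seedfile> [credit] */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <linux/random.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#define MAX_SEED 512 /* assumed upper bound on a seed file, in bytes */

/* Zeroing the optimiser cannot drop. */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* credit=0 is what `cat seed > /dev/urandom` did: the bytes are mixed in
 * but nothing is credited, so an uninitialised pool stays that way.
 * credit=1 builds an RNDADDENTROPY request crediting one bit per seed
 * bit; it needs CAP_SYS_ADMIN and has no shell equivalent. 0 or -1. */
int seed_pool(int pool_fd, const unsigned char *seed, size_t len, int credit)
{
    if (!credit) return write(pool_fd, seed, len) == (ssize_t)len ? 0 : -1;
    struct rand_pool_info *info = malloc(sizeof(*info) + len);
    if (!info) return -1;
    info->entropy_count = (int)(len * 8); /* bits */
    info->buf_size = (int)len;            /* bytes */
    memcpy(info->buf, seed, len);
    int ret = ioctl(pool_fd, RNDADDENTROPY, info);
    wipe(info, sizeof(*info) + len);
    free(info);
    return ret < 0 ? -1 : 0;
}

/* fsync the directory holding `path` so a completed unlink is durable. */
static void sync_parent(const char *path)
{
    char dir[4096] = ".";
    const char *slash = strrchr(path, '/');
    if (slash && (size_t)(slash - path) < sizeof(dir))
        snprintf(dir, sizeof(dir), "%.*s", (int)(slash - path), path);
    if (slash == path) strcpy(dir, "/");
    int dfd = open(dir, O_RDONLY);
    if (dfd >= 0) { fsync(dfd); close(dfd); }
}

/* Replay-safe order: read, unlink, sync the unlink, only then seed.
 * Crashing after the unlink loses one seed (harmless); crashing before
 * it would let the next boot credit the identical bytes again.
 * Returns the number of bytes seeded, or -1. */
ssize_t consume_seed_file(const char *path, int pool_fd, int credit)
{
    unsigned char seed[MAX_SEED];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t len = read(fd, seed, sizeof(seed));
    close(fd);
    int rc = -1;
    if (len > 0 && unlink(path) == 0) {
        sync_parent(path);
        rc = seed_pool(pool_fd, seed, (size_t)len, credit);
    }
    wipe(seed, sizeof(seed));
    return rc < 0 ? -1 : len;
}

/* Root-free self-check: a constructed 32-byte seed file goes through the
 * no-credit path into a scratch file standing in for /dev/urandom.
 * Returns 1 if the seed file is gone and its bytes arrived intact. */
int selftest_no_credit(void)
{
    unsigned char seed[32], got[32];
    char sp[] = "/tmp/seedpool-seed-XXXXXX", pp[] = "/tmp/seedpool-pool-XXXXXX";
    for (size_t i = 0; i < sizeof(seed); i++)
        seed[i] = (unsigned char)(0xA5 ^ i); /* constructed, not random */
    int sfd = mkstemp(sp), pfd = mkstemp(pp);
    if (sfd < 0 || pfd < 0) return 0;
    int ok = write(sfd, seed, sizeof(seed)) == (ssize_t)sizeof(seed);
    close(sfd);
    ok = ok && consume_seed_file(sp, pfd, 0) == (ssize_t)sizeof(seed);
    ok = ok && access(sp, F_OK) != 0; /* seed file is gone */
    ok = ok && lseek(pfd, 0, SEEK_SET) == 0 && read(pfd, got, 32) == 32 && !memcmp(seed, got, 32);
    close(pfd); unlink(pp); unlink(sp);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc < 2) return fprintf(stderr, "usage: %s <seedfile> [credit]\n", argv[0]), 1;
    int credit = argc > 2 && strcmp(argv[2], "credit") == 0;
    int pool = open("/dev/urandom", O_RDWR);
    ssize_t n = pool < 0 ? -1 : consume_seed_file(argv[1], pool, credit);
    if (n < 0) return perror(argv[1]), 1;
    printf("seeded %zd bytes (%s)\n", n, credit ? "credited" : "not credited");
    return 0;
}
```

Run it as root with a seed file and the word `credit` to exercise the ioctl path; without root the self-check still exercises the read/unlink/fsync/seed ordering. The credit path asks for eight bits per seed byte, which is only honest for bytes that were drawn from an already-initialised RNG; that is the difference between mixing in a seed and crediting it that the commit message refers to.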
Diffstat (limited to 'package/system/urandom-seed/files/lib')
-rw-r--r-- | package/system/urandom-seed/files/lib/preinit/81_urandom_seed | 16 |
1 files changed, 3 insertions, 13 deletions
diff --git a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed index 2adc6c47f0..b3014daeaf 100644 --- a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed +++ b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed @@ -2,21 +2,11 @@ log_urandom_seed() { echo "urandom-seed: $1" > /dev/kmsg } -_do_urandom_seed() { - [ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; } - [ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; } - - log_urandom_seed "Seeding with $1" - cat "$1" > /dev/urandom -} - do_urandom_seed() { [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; } - - _do_urandom_seed "/etc/urandom.seed" - - SEED="$(uci -q get system.@system[0].urandom_seed)" - [ "${SEED:0:1}" = "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED" + seedrng 2>&1 | while read -r line; do + log_urandom_seed "$line" + done } boot_hook_add preinit_main do_urandom_seed |
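Review bot: the `SEED="$(uci -q get system.@system[0].urandom_seed)"` lookup is removed in this hunk with no replacement, so a user-configured seed path silently stops being seeded after the upgrade, and the commit message does not mention the dropped option. Either keep honouring it (hand the configured path to seedrng or feed it the same way) or state in the commit message and package docs that `urandom_seed` is no longer read. Secondary point: `seedrng 2>&1 | while read -r line; do ... done` throws away seedrng's exit status (the pipeline's status is that of the `while` loop, which exits 0), so a failed or missing seedrng binary is only visible if it happens to print something; a `command -v seedrng >/dev/null || { log_urandom_seed "seedrng not found"; return; }` guard before the pipeline, mirroring the existing `/dev/urandom` check, would keep that failure logged.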