authorJason A. Donenfeld <Jason@zx2c4.com>2022-03-28 00:25:56 -0400
committerPetr Štetiar <ynezz@true.cz>2022-03-28 09:27:56 +0200
commit2edc017a6e0cb92b72b768aaa46c6d336ad84eff (patch)
treec8084c6f07eef05a157ef811e9af979098d3b550 /package/system/urandom-seed/files
parent9d8f620679df7f6f58ba1452311400da088a404b (diff)
urandom-seed: use seedrng for seeding the random number generator
The RNG can't actually be seeded from a shell script, due to the reliance on ioctls. For this reason, the seedrng project provides a basic script meant to be copied and pasted into projects like OpenWRT and tweaked as needed: <https://git.zx2c4.com/seedrng/about/>. This commit imports it into the urandom-seed package and wires up the init scripts to call it. This is also a significant improvement over the current init script, which does not robustly handle cleaning up of seeds and syncing to prevent reuse. Additionally, the existing script creates a new seed immediately after writing an old one, which means that the amount of entropy might actually regress, due to failing to credit the old seed. Closes: https://github.com/openwrt/openwrt/issues/9570 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixed missing INSTALL_DIR]
Diffstat (limited to 'package/system/urandom-seed/files')
-rwxr-xr-xpackage/system/urandom-seed/files/etc/init.d/urandom_seed2
-rw-r--r--package/system/urandom-seed/files/lib/preinit/81_urandom_seed16
-rwxr-xr-xpackage/system/urandom-seed/files/sbin/urandom_seed20
3 files changed, 4 insertions, 34 deletions
diff --git a/package/system/urandom-seed/files/etc/init.d/urandom_seed b/package/system/urandom-seed/files/etc/init.d/urandom_seed
index 17d9c13400..d6e81c6079 100755
--- a/package/system/urandom-seed/files/etc/init.d/urandom_seed
+++ b/package/system/urandom-seed/files/etc/init.d/urandom_seed
@@ -5,7 +5,7 @@ USE_PROCD=1
start_service() {
procd_open_instance "urandom_seed"
- procd_set_param command "/sbin/urandom_seed"
+ procd_set_param command "/sbin/seedrng"
procd_set_param stdout 1
procd_set_param stderr 1
procd_close_instance
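Review bot: The changed `command` line hands procd a one-shot `/sbin/seedrng` run at service start, but the unit gains no `stop_service`, so the on-disk seed is only ever rewritten at boot and never at shutdown; if seedrng is meant to run at both points, as its upstream description suggests, a seed written at poweroff would carry the entropy accumulated during uptime into the next boot instead of one taken seconds after start. A minimal addition in the same file would be `stop_service() { /sbin/seedrng; }`, though whether procd's shutdown ordering still has the seed directory writable at that point needs confirming. The seedrng binary and its install path are not part of this diff (the diffstat is limited to the files directory), so the `/sbin/seedrng` path cannot be verified here. The closing brace of `start_service` lies outside the hunk.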
diff --git a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
index 2adc6c47f0..b3014daeaf 100644
--- a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
+++ b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
@@ -2,21 +2,11 @@ log_urandom_seed() {
echo "urandom-seed: $1" > /dev/kmsg
}
-_do_urandom_seed() {
- [ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; }
- [ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; }
-
- log_urandom_seed "Seeding with $1"
- cat "$1" > /dev/urandom
-}
-
do_urandom_seed() {
[ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; }
-
- _do_urandom_seed "/etc/urandom.seed"
-
- SEED="$(uci -q get system.@system[0].urandom_seed)"
- [ "${SEED:0:1}" = "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED"
+ seedrng 2>&1 | while read -r line; do
+ log_urandom_seed "$line"
+ done
}
boot_hook_add preinit_main do_urandom_seed
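Review bot: In the new `do_urandom_seed` body the exit status of seedrng is discarded: the status of `seedrng 2>&1 | while read -r line; ...` is that of the `while` loop, so a failed seeding (for example an unwritable seed directory) is indistinguishable from success unless seedrng happens to print something, and nothing reaches kmsg that says it failed. The call is also a bare `seedrng` while the init.d script in this same commit uses `/sbin/seedrng`; PATH in preinit may be minimal, so the absolute path is the safer and more consistent choice. Capturing the output first preserves the status and lets the function log a failure explicitly; I have avoided `local` since the surrounding preinit helpers do not show it and this is `/bin/sh`. `log_urandom_seed` starts outside the hunk.
```shell
do_urandom_seed() {
	[ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; }
	# capture first: a logging pipeline would mask seedrng's own exit status
	seedrng_out="$(/sbin/seedrng 2>&1)"
	seedrng_rc=$?
	[ -n "$seedrng_out" ] && printf '%s\n' "$seedrng_out" | while read -r line; do
		log_urandom_seed "$line"
	done
	[ "$seedrng_rc" -eq 0 ] || log_urandom_seed "seedrng failed (exit status $seedrng_rc)"
}
```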
diff --git a/package/system/urandom-seed/files/sbin/urandom_seed b/package/system/urandom-seed/files/sbin/urandom_seed
deleted file mode 100755
index 7043e8af4e..0000000000
--- a/package/system/urandom-seed/files/sbin/urandom_seed
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-set -e
-
-trap '[ "$?" -eq 0 ] || echo "An error occured" >&2' EXIT
-
-save() {
- touch "$1.tmp"
- chown root:root "$1.tmp"
- chmod 600 "$1.tmp"
- getrandom 512 > "$1.tmp"
- mv "$1.tmp" "$1"
- echo "Seed saved ($1)"
-}
-
-SEED="$(uci -q get system.@system[0].urandom_seed || true)"
-[ "${SEED:0:1}" = "/" ] && save "$SEED"
-
-SEED=/etc/urandom.seed
-[ ! -f $SEED ] && save "$SEED"
-true