diff --git a/daemon/daemon.c b/daemon/daemon.c index acef317b2..9ce791a06 100644 --- a/daemon/daemon.c +++ b/daemon/daemon.c @@ -171,6 +171,8 @@ daemon_init() /* init timezone info while we are not chrooted yet */ tzset(); #endif + /* open /dev/random if needed */ + ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67); daemon->need_to_exit = 0; modstack_init(&daemon->mods); if(!(daemon->env = (struct module_env*)calloc(1, diff --git a/doc/Changelog b/doc/Changelog index 4263e1a53..3a7b94942 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,7 @@ - Fixup LDFLAGS from libevent sourcedir compile configure restore. - Fixup so no non-absolute rpaths are added. - Fixup validation of RRSIG queries, they are let through. + - read /dev/random before chroot 27 March 2009: Wouter - nicer -h output. report linked libraries and modules. diff --git a/doc/unbound.doxygen b/doc/unbound.doxygen index 2baaeb3a2..fca4aad5f 100644 --- a/doc/unbound.doxygen +++ b/doc/unbound.doxygen @@ -495,6 +495,7 @@ EXCLUDE = ./build \ util/configparser.h \ util/configlexer.c \ util/locks.h \ + pythonmod/Unbound.py \ ./ldns-src # The EXCLUDE_SYMLINKS tag can be used select whether or not files or diff --git a/util/random.c b/util/random.c index 02368ebe4..c86fdf673 100644 --- a/util/random.c +++ b/util/random.c 
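Review bot: The comment `/* open /dev/random if needed */` on the added call in daemon_init does not describe what the argument does: `(unsigned)time(NULL)^(unsigned)getpid()^0xe67` is a guessable value that ub_systemseed uses only when OpenSSL reports no entropy. I would word it as `/* prime the OpenSSL RNG from system entropy before chroot; the time/pid value is only a weak last-resort seed */` so nobody mistakes the argument for real seed material. Because ub_systemseed returns void, daemon_init also cannot stop startup when seeding fails, which is worth noting here or changing in util/random.c. daemon_init starts and ends outside the hunk.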
@@ -81,6 +81,31 @@ struct ub_randstate { /** Number of bytes to reseed after */ #define REKEY_BYTES (1 << 24) +/** (re)setup system seed */ +void +ub_systemseed(unsigned int seed) +{ + /* RAND_ is threadsafe, by the way */ + if(!RAND_status()) { + /* try to seed it */ + unsigned char buf[256]; + unsigned int v = seed; + size_t i; + for(i=0; i<256/sizeof(seed); i++) { + memmove(buf+i*sizeof(seed), &v, sizeof(seed)); + v = v*seed + (unsigned int)i; + } + RAND_seed(buf, 256); + if(!RAND_status()) { + log_err("Random generator has no entropy " + "(error %ld)", ERR_get_error()); + } else { + verbose(VERB_OPS, "openssl has no entropy, " + "seeding with time and pid"); + } + } +} + /** reseed random generator */ static void ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from) @@ -94,9 +119,16 @@ ub_arc4random_stir(struct ub_randstate* s, struct ub_randstate* from) for(i=0; irc4_ready = 256; + return; + } } RC4_set_key(&s->rc4, SEED_SIZE, rand_buf); @@ -120,26 +152,7 @@ ub_initstate(unsigned int seed, struct ub_randstate* from) log_err("malloc failure in random init"); return NULL; } - - /* RAND_ is threadsafe, by the way */ - if(!RAND_status()) { - /* try to seed it */ - unsigned char buf[256]; - unsigned int v = seed; - size_t i; - for(i=0; i<256/sizeof(seed); i++) { - memmove(buf+i*sizeof(seed), &v, sizeof(seed)); - v = v*seed + (unsigned int)i; - } - RAND_seed(buf, 256); - if(!RAND_status()) { - log_err("Random generator has no entropy (error %ld)", - ERR_get_error()); - return NULL; - } - verbose(VERB_OPS, "openssl has no entropy, seeding with time" - " and pid"); - } + ub_systemseed(seed); ub_arc4random_stir(s, from); return s; } diff --git a/util/random.h b/util/random.h index f5e3cce1d..62e3033a7 100644 --- a/util/random.h +++ b/util/random.h 
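Review bot: In ub_systemseed the second `RAND_status()` check can hardly fail, because `RAND_seed(buf, 256)` treats the whole buffer as random although it is expanded from one `unsigned int` of time and pid; a resolver with no system entropy then keeps running on a predictable generator and says so only at `VERB_OPS`. The last hunk also makes the failure path fail-open: the removed block returned NULL from ub_initstate, while the new `ub_systemseed(seed);` call ignores the outcome. I would have ub_systemseed return a status, keep the refusal with something like `if(!ub_systemseed(seed)) { free(s); return NULL; }` (assuming `s` is the heap allocation made just above the hunk), and report the fallback with `log_warn` so it shows at default verbosity. Separately, `%ld` is given `ERR_get_error()`, which returns unsigned long, so `%lu` is the matching specifier. The middle hunk in ub_arc4random_stir is truncated on this page, so its added branch is not reviewed here.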
@@ -47,6 +47,14 @@ */ struct ub_randstate; +/** + * Initialize the system randomness. Obtains entropy from the system + * before a chroot or privilege makes it unavailable. + * You do not have to call this, otherwise ub_initstate does so. + * @param seed: seed value to create state (if no good entropy is found). + */ +void ub_systemseed(unsigned int seed); + /** * Initialize a random generator state for use * @param seed: seed value to create state contents.
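Review bot: The doc comment added for ub_systemseed leaves out the two things a caller needs to know, namely that failure is only logged and that the `seed` fallback is weak. As declared the function returns void, so the comment should say that a caller cannot detect a generator left without entropy. For the parameter I would write `@param seed: used only if the system provides no entropy; a time/pid value is guessable and is not a substitute for it.` The phrase "before a chroot or privilege makes it unavailable" also appears to be missing a word (presumably "privilege drop"), and "otherwise ub_initstate does so" would read more clearly as `If you do not call this, ub_initstate does so.`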