mirror of
https://github.com/NLnetLabs/unbound.git
synced 2025-12-20 23:00:56 -05:00
- Fix Weak Entropy Used For Nettle,
reported by X41 D-Sec.
This commit is contained in:
W.C.A. Wijngaards
parent
7e3da817c3
commit
d8809c672a
8 changed files with 15 additions and 42 deletions
|
|
@ -429,9 +429,7 @@ daemon_create_workers(struct daemon* daemon)
|
|||
int* shufport;
|
||||
log_assert(daemon && daemon->cfg);
|
||||
if(!daemon->rand) {
|
||||
unsigned int seed = (unsigned int)time(NULL) ^
|
||||
(unsigned int)getpid() ^ 0x438;
|
||||
daemon->rand = ub_initstate(seed, NULL);
|
||||
daemon->rand = ub_initstate(NULL);
|
||||
if(!daemon->rand)
|
||||
fatal_exit("could not init random generator");
|
||||
hash_set_raninit((uint32_t)ub_random(daemon->rand));
|
||||
|
|
|
|||
|
|
@ -1681,11 +1681,7 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
|
|||
return NULL;
|
||||
}
|
||||
/* create random state here to avoid locking trouble in RAND_bytes */
|
||||
seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
|
||||
(((unsigned int)worker->thread_num)<<17);
|
||||
/* shift thread_num so it does not match out pid bits */
|
||||
if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
|
||||
explicit_bzero(&seed, sizeof(seed));
|
||||
if(!(worker->rndstate = ub_initstate(daemon->rand))) {
|
||||
log_err("could not init random numbers.");
|
||||
tube_delete(worker->cmd);
|
||||
free(worker->ports);
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@
|
|||
- Fix Shared Memory World Writeable,
|
||||
reported by X41 D-Sec.
|
||||
- Adjust unbound-control to make stats_shm a read only operation.
|
||||
- Fix Weak Entropy Used For Nettle,
|
||||
reported by X41 D-Sec.
|
||||
|
||||
19 November 2019: Wouter
|
||||
- Fix CVE-2019-18934, shell execution in ipsecmod.
|
||||
|
|
|
|||
|
|
@ -86,7 +86,6 @@ int ctx_logfile_overridden = 0;
|
|||
static struct ub_ctx* ub_ctx_create_nopipe(void)
|
||||
{
|
||||
struct ub_ctx* ctx;
|
||||
unsigned int seed;
|
||||
#ifdef USE_WINSOCK
|
||||
int r;
|
||||
WSADATA wsa_data;
|
||||
|
|
@ -111,15 +110,12 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
|
|||
return NULL;
|
||||
}
|
||||
alloc_init(&ctx->superalloc, NULL, 0);
|
||||
seed = (unsigned int)time(NULL) ^ (unsigned int)getpid();
|
||||
if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) {
|
||||
explicit_bzero(&seed, sizeof(seed));
|
||||
if(!(ctx->seed_rnd = ub_initstate(NULL))) {
|
||||
ub_randfree(ctx->seed_rnd);
|
||||
free(ctx);
|
||||
errno = ENOMEM;
|
||||
return NULL;
|
||||
}
|
||||
explicit_bzero(&seed, sizeof(seed));
|
||||
lock_basic_init(&ctx->qqpipe_lock);
|
||||
lock_basic_init(&ctx->rrpipe_lock);
|
||||
lock_basic_init(&ctx->cfglock);
|
||||
|
|
|
|||
|
|
@ -122,7 +122,6 @@ libworker_delete_event(struct libworker* w)
|
|||
static struct libworker*
|
||||
libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
|
||||
{
|
||||
unsigned int seed;
|
||||
struct libworker* w = (struct libworker*)calloc(1, sizeof(*w));
|
||||
struct config_file* cfg = ctx->env->cfg;
|
||||
int* ports;
|
||||
|
|
@ -177,17 +176,13 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
|
|||
}
|
||||
w->env->worker = (struct worker*)w;
|
||||
w->env->probe_timer = NULL;
|
||||
seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
|
||||
(((unsigned int)w->thread_num)<<17);
|
||||
seed ^= (unsigned int)w->env->alloc->next_id;
|
||||
if(!w->is_bg || w->is_bg_thread) {
|
||||
lock_basic_lock(&ctx->cfglock);
|
||||
}
|
||||
if(!(w->env->rnd = ub_initstate(seed, ctx->seed_rnd))) {
|
||||
if(!(w->env->rnd = ub_initstate(ctx->seed_rnd))) {
|
||||
if(!w->is_bg || w->is_bg_thread) {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
}
|
||||
explicit_bzero(&seed, sizeof(seed));
|
||||
libworker_delete(w);
|
||||
return NULL;
|
||||
}
|
||||
|
|
@ -207,7 +202,6 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
|
|||
hash_set_raninit((uint32_t)ub_random(w->env->rnd));
|
||||
}
|
||||
}
|
||||
explicit_bzero(&seed, sizeof(seed));
|
||||
|
||||
if(eb)
|
||||
w->base = comm_base_create_event(eb);
|
||||
|
|
|
|||
|
|
@ -538,10 +538,8 @@ rnd_test(void)
|
|||
struct ub_randstate* r;
|
||||
int num = 1000, i;
|
||||
long int a[1000];
|
||||
unsigned int seed = (unsigned)time(NULL);
|
||||
unit_show_feature("ub_random");
|
||||
printf("ub_random seed is %u\n", seed);
|
||||
unit_assert( (r = ub_initstate(seed, NULL)) );
|
||||
unit_assert( (r = ub_initstate(NULL)) );
|
||||
for(i=0; i<num; i++) {
|
||||
a[i] = ub_random(r);
|
||||
unit_assert(a[i] >= 0);
|
||||
|
|
|
|||
|
|
@ -86,8 +86,7 @@ ub_systemseed(unsigned int ATTR_UNUSED(seed))
|
|||
}
|
||||
|
||||
struct ub_randstate*
|
||||
ub_initstate(unsigned int ATTR_UNUSED(seed),
|
||||
struct ub_randstate* ATTR_UNUSED(from))
|
||||
ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
|
||||
{
|
||||
struct ub_randstate* s = (struct ub_randstate*)malloc(1);
|
||||
if(!s) {
|
||||
|
|
@ -123,8 +122,7 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
|
|||
{
|
||||
}
|
||||
|
||||
struct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed),
|
||||
struct ub_randstate* ATTR_UNUSED(from))
|
||||
struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
|
||||
{
|
||||
struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
|
||||
if(!s) {
|
||||
|
|
@ -166,8 +164,7 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
|
|||
log_err("Re-seeding not supported, generator untouched");
|
||||
}
|
||||
|
||||
struct ub_randstate* ub_initstate(unsigned int seed,
|
||||
struct ub_randstate* ATTR_UNUSED(from))
|
||||
struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
|
||||
{
|
||||
struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
|
||||
uint8_t buf[YARROW256_SEED_FILE_SIZE];
|
||||
|
|
@ -183,15 +180,10 @@ struct ub_randstate* ub_initstate(unsigned int seed,
|
|||
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
|
||||
s->seeded = yarrow256_is_seeded(&s->ctx);
|
||||
} else {
|
||||
/* Stretch the uint32 input seed and feed it to Yarrow */
|
||||
uint32_t v = seed;
|
||||
size_t i;
|
||||
for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
|
||||
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
|
||||
v = v*seed + (uint32_t)i;
|
||||
}
|
||||
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
|
||||
s->seeded = yarrow256_is_seeded(&s->ctx);
|
||||
log_err("nettle random(yarrow) cannot initialize, "
|
||||
"getentropy failed: %s", strerror(errno));
|
||||
free(s);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return s;
|
||||
|
|
|
|||
|
|
@ -57,15 +57,12 @@ void ub_systemseed(unsigned int seed);
|
|||
|
||||
/**
|
||||
* Initialize a random generator state for use
|
||||
* @param seed: seed value to create state contents.
|
||||
* (ignored for arc4random).
|
||||
* @param from: if not NULL, the seed is taken from this random structure.
|
||||
* can be used to seed random states via a parent-random-state that
|
||||
* is itself seeded with entropy.
|
||||
* @return new state or NULL alloc failure.
|
||||
*/
|
||||
struct ub_randstate* ub_initstate(unsigned int seed,
|
||||
struct ub_randstate* from);
|
||||
struct ub_randstate* ub_initstate(struct ub_randstate* from);
|
||||
|
||||
/**
|
||||
* Generate next random number from the state passed along.
|
||||
|
|
|
|||
Loading…
Reference in a new issue