[PATCH] fastd: generate the key from urandom

robert rlanghammer at web.de
Fri Dec 22 13:44:11 CET 2017


Hello Adrian,

That has nothing to do with the patch.

When the router boots for the first time, the file /etc/urandom.seed
is created.

/etc/init.d/urandom_seed -> /sbin/urandom_seed

Now the file should be there and the message gone.

I found a years-long discussion about this at LEDE/OpenWrt, since the
file is only written once at first boot. As a result urandom is seeded
from the same seed every time. From an entropy point of view that is not
optimal. But it is accepted, because otherwise you would be scribbling
in flash every boot.

Robert


On 22.12.2017 at 13:14 Adrian Schmutzler wrote:
> Found the following in logread today:
>
> Sat Oct 28 18:32:57 2017 user.warn kernel: [   10.016531] urandom-seed: Seed
> file not found (/etc/urandom.seed)
> Sat Oct 28 18:32:57 2017 user.info kernel: [   10.066231] procd: - early -
> Sat Oct 28 18:32:57 2017 user.info kernel: [   10.070117] procd: - watchdog
> -
> Sat Oct 28 18:32:57 2017 user.info kernel: [   10.625076] procd: - watchdog
> -
> Sat Oct 28 18:32:57 2017 user.info kernel: [   10.628601] procd: - ubus -
> Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.681969] random: ubusd:
> uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.691858] random: ubusd:
> uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.701242] random: ubusd:
> uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.710979] random: ubusd:
> uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.720351] random: ubusd:
> uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.729896] random: ubusd:
> uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.739428] random: ubusd:
> uninitialized urandom read (4 bytes read, 17 bits of entropy available)
>
> Is that intended?
>
> Regards
>
> Adrian
>
>> -----Original Message-----
>> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
>> Of Robert Langhammer
>> Sent: Tuesday, 14 November 2017 01:15
>> To: franken-dev at freifunk.net
>> Subject: [PATCH] fastd: generate the key from urandom
>>
>> We do not use encrypted tunnels, so we can use urandom generating the
>> keys to prevent blocking due to low entropy.
>>
>> Signed-off-by: Robert Langhammer <rlanghammer at web.de>
>> ---
>>  .../0020-fastd_generate_key_from_urandom.patch     | 33
>> ++++++++++++++++++++++
>>  buildscript                                        |  3 +-
>>  2 files changed, 35 insertions(+), 1 deletion(-)  create mode 100644
>> build_patches/openwrt/fastd/0020-
>> fastd_generate_key_from_urandom.patch
>>
>> diff --git a/build_patches/openwrt/fastd/0020-
>> fastd_generate_key_from_urandom.patch
>> b/build_patches/openwrt/fastd/0020-
>> fastd_generate_key_from_urandom.patch
>> new file mode 100644
>> index 0000000..252af39
>> --- /dev/null
>> +++ b/build_patches/openwrt/fastd/0020-
>> fastd_generate_key_from_urandom.p
>> +++ atch
>> @@ -0,0 +1,33 @@
>> +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00
>> 2001
>> +From: Robert Langhammer <rlanghammer at web.de>
>> +Date: Mon, 13 Nov 2017 21:04:55 +0100
>> +Subject: [PATCH] fastd_generate_key_from_urandom
>> +
>> +---
>> + net/fastd/patches/001-generate_key_from_urandom.patch | 14
>> +++++++++++++++
>> + 1 file changed, 14 insertions(+)
>> + create mode 100644
>> +net/fastd/patches/001-generate_key_from_urandom.patch
>> +
>> +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch
>> +b/net/fastd/patches/001-generate_key_from_urandom.patch
>> +new file mode 100644
>> +index 00000000..47280e52
>> +--- /dev/null
>> ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch
>> +@@ -0,0 +1,14 @@
>> ++--- a/src/protocols/ec25519_fhmqvc/util.c
>> +++++ b/src/protocols/ec25519_fhmqvc/util.c
>> ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener
>> ++ 	ecc_int256_t public_key;
>> ++
>> ++ 	if (!conf.machine_readable)
>> ++-		pr_info("Reading 32 bytes from /dev/random...");
>> +++		pr_info("Reading 32 bytes from /dev/urandom...");
>> ++
>> ++-	fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true);
>> +++	fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false);
>> ++ 	ecc_25519_gf_sanitize_secret(&secret_key, &secret_key);
>> ++
>> ++ 	ecc_25519_work_t work;
>> +--
>> +2.11.0
>> +
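Review bot: Flipping the last argument of `fastd_random_bytes(secret_key.p, SECRETKEYBYTES, ...)` from `true` to `false` in the inner hunk moves generation of the ec25519-fhmqvc secret key from /dev/random to /dev/urandom (the changed `pr_info` string says as much), and the cover message's rationale ("we do not use encrypted tunnels") does not cover that key: it is the node's long-term protocol secret that the fhmqvc handshake authenticates the node with, whether or not payload encryption is used. The trade-off is that on a fresh node /dev/urandom returns data before the pool is initialized, which is exactly what Adrian's logread shows ("uninitialized urandom read ... 17 bits of entropy available"), so a key generated at that moment is drawn from a nearly empty pool. Suggest stating this in the inner commit (its Subject line is currently the only description) and making sure key generation is not triggered on first boot before /etc/urandom.seed has been written and fed in, for example by generating the key on a later boot or only after the seed has been loaded.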
>> diff --git a/buildscript b/buildscript
>> index 2fb1794..b2030ba 100755
>> --- a/buildscript
>> +++ b/buildscript
>> @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede-
>> project.org/feed/packages.git"
>>  #official openwrt packages
>>  OPENWRT=(openwrt
>>           $PACKAGEURL
>> -         $PACKAGEREV)
>> +         $PACKAGEREV
>> +         fastd/0020-fastd_generate_key_from_urandom.patch)
>>  OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl"
>>
>>  ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment.
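Review bot: The element appended to the OPENWRT array is `fastd/0020-fastd_generate_key_from_urandom.patch`, while the file added in this series lives at build_patches/openwrt/fastd/0020-fastd_generate_key_from_urandom.patch; nothing in the hunk shows that prefix being applied, so please confirm that buildscript resolves entries after `$PACKAGEREV` relative to build_patches/openwrt/ and aborts the build if a listed patch does not apply, otherwise a silently skipped patch would leave fastd reading /dev/random again. A one-line comment above the array saying that trailing entries are per-package patches under build_patches/openwrt/ would also help, since `$PACKAGEURL` and `$PACKAGEREV` are positional and the new element changes the array's shape.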
>> --
>> 2.11.0
>>
>> --
>> franken-dev mailing list
>> franken-dev at freifunk.net
>> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
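The two symptoms discussed in this thread, the missing /etc/urandom.seed at first boot and services reading urandom before the pool is initialized, can be checked from logread output. The script below is an added example, not code from the thread, from OpenWrt or from fastd; the log sample is constructed after Adrian's quoted lines, and the function names and the log/seed paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt/fastd.
# Scans logread output for the two symptoms discussed above and checks the
# seed file, so an admin can tell whether a node may have generated keys while
# the kernel pool was still uninitialized. Paths are parameters so the check
# can run against a captured log as well as on a live router.

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG='Sat Oct 28 18:32:57 2017 user.warn kernel: [   10.016531] urandom-seed: Seed file not found (/etc/urandom.seed)
Sat Oct 28 18:32:57 2017 user.info kernel: [   10.066231] procd: - early -
Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.681969] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.691858] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)'

# Reads a log on stdin; prints "<process> <reads> <max entropy bits>" for every
# process that read urandom before the pool was initialized. No output = clean.
uninit_urandom_reads() {
    awk '/uninitialized urandom read/ {
            proc = $0; sub(/.*random: /, "", proc); sub(/: uninitialized.*/, "", proc)
            bits = $0; sub(/.*bytes read, /, "", bits); sub(/ bits of entropy.*/, "", bits)
            n[proc]++
            if (bits + 0 > maxbits[proc] + 0) maxbits[proc] = bits + 0
         }
         END { for (p in n) print p, n[p], maxbits[p] }'
}

# True when the seed file exists and is non-empty.
seed_file_present() { [ -s "$1" ]; }

# Returns 0 only if the log shows neither a missing seed nor early urandom
# reads and the seed file is in place; otherwise prints what was found.
first_boot_entropy_check() {
    log=$1; seed=$2; rc=0
    if grep -q 'urandom-seed: Seed file not found' "$log"; then
        echo "WARN: seed file was missing at boot (first boot?)"; rc=1
    fi
    early=$(uninit_urandom_reads < "$log")
    if [ -n "$early" ]; then
        echo "WARN: uninitialized urandom reads (process reads max_bits):"
        echo "$early"; rc=1
    fi
    if ! seed_file_present "$seed"; then
        echo "WARN: $seed missing or empty, next boot will warn again"; rc=1
    fi
    return $rc
}

# Usage on a router: logread > /tmp/boot.log
#                    first_boot_entropy_check /tmp/boot.log /etc/urandom.seed
```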
