[PATCH] fastd: generate the key from urandom

Adrian Schmutzler mail at adrianschmutzler.de
Fri Dec 22 13:46:42 CET 2017


Hello Robert,

Yes, that matches my log.

That settles it.

Regards

Adrian

> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf Of robert
> Sent: Friday, 22 December 2017 13:44
> To: franken-dev at freifunk.net
> Subject: Re: [PATCH] fastd: generate the key from urandom
> 
> Hello Adrian,
> 
> That has nothing to do with the patch.
> 
> When the router starts for the first time, the file /etc/urandom.seed
> is created.
> 
> /etc/init.d/urandom_seed -> /sbin/urandom_seed
> 
> Now the file should be there and the message gone.
> 
> I found a years-long discussion about this at LEDE/OpenWrt, because the
> file is only written once, at first boot. As a result urandom is seeded
> from the same seed every time. From an entropy point of view that is not
> optimal. It is accepted, though, because otherwise you would be scribbling
> in the flash every time.
> 
> Robert
> 
> 
> On 22.12.2017 at 13:14, Adrian Schmutzler wrote:
> > Found the following in logread today:
> >
> > Sat Oct 28 18:32:57 2017 user.warn kernel: [   10.016531] urandom-seed: Seed file not found (/etc/urandom.seed)
> > Sat Oct 28 18:32:57 2017 user.info kernel: [   10.066231] procd: - early -
> > Sat Oct 28 18:32:57 2017 user.info kernel: [   10.070117] procd: - watchdog -
> > Sat Oct 28 18:32:57 2017 user.info kernel: [   10.625076] procd: - watchdog -
> > Sat Oct 28 18:32:57 2017 user.info kernel: [   10.628601] procd: - ubus -
> > Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.681969] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> > Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.691858] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> > Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.701242] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> > Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.710979] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> > Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.720351] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> > Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.729896] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> > Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.739428] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
> >
> > Is that intended?
> >
> > Regards
> >
> > Adrian
> >
> >> -----Original Message-----
> >> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf Of Robert Langhammer
> >> Sent: Tuesday, 14 November 2017 01:15
> >> To: franken-dev at freifunk.net
> >> Subject: [PATCH] fastd: generate the key from urandom
> >>
> >> We do not use encrypted tunnels, so we can use urandom for generating the
> >> keys to prevent blocking due to low entropy.
> >>
> >> Signed-off-by: Robert Langhammer <rlanghammer at web.de>
> >> ---
> >>  .../0020-fastd_generate_key_from_urandom.patch     | 33
> >> ++++++++++++++++++++++
> >>  buildscript                                        |  3 +-
> >>  2 files changed, 35 insertions(+), 1 deletion(-)  create mode 100644
> >> build_patches/openwrt/fastd/0020-
> >> fastd_generate_key_from_urandom.patch
> >>
> >> diff --git a/build_patches/openwrt/fastd/0020-
> >> fastd_generate_key_from_urandom.patch
> >> b/build_patches/openwrt/fastd/0020-
> >> fastd_generate_key_from_urandom.patch
> >> new file mode 100644
> >> index 0000000..252af39
> >> --- /dev/null
> >> +++ b/build_patches/openwrt/fastd/0020-
> >> fastd_generate_key_from_urandom.p
> >> +++ atch
> >> @@ -0,0 +1,33 @@
> >> +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17
> 00:00:00
> >> 2001
> >> +From: Robert Langhammer <rlanghammer at web.de>
> >> +Date: Mon, 13 Nov 2017 21:04:55 +0100
> >> +Subject: [PATCH] fastd_generate_key_from_urandom
> >> +
> >> +---
> >> + net/fastd/patches/001-generate_key_from_urandom.patch | 14
> >> +++++++++++++++
> >> + 1 file changed, 14 insertions(+)
> >> + create mode 100644
> >> +net/fastd/patches/001-generate_key_from_urandom.patch
> >> +
> >> +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch
> >> +b/net/fastd/patches/001-generate_key_from_urandom.patch
> >> +new file mode 100644
> >> +index 00000000..47280e52
> >> +--- /dev/null
> >> ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch
> >> +@@ -0,0 +1,14 @@
> >> ++--- a/src/protocols/ec25519_fhmqvc/util.c
> >> +++++ b/src/protocols/ec25519_fhmqvc/util.c
> >> ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener
> >> ++ 	ecc_int256_t public_key;
> >> ++
> >> ++ 	if (!conf.machine_readable)
> >> ++-		pr_info("Reading 32 bytes from /dev/random...");
> >> +++		pr_info("Reading 32 bytes from /dev/urandom...");
> >> ++
> >> ++-	fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true);
> >> +++	fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false);
> >> ++ 	ecc_25519_gf_sanitize_secret(&secret_key, &secret_key);
> >> ++
> >> ++ 	ecc_25519_work_t work;
> >> +--
> >> +2.11.0
> >> +
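Review bot: the line `+++	fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false);` in util.c makes key generation read /dev/urandom without waiting for the pool, but nothing in the patch guards against the situation this very thread logs, `random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)` a few seconds into boot; a secret key generated in that window on a router that has no /etc/urandom.seed yet is drawn from an almost empty pool, and the changed `pr_info("Reading 32 bytes from /dev/urandom...")` message will not tell the operator so. The description inside the wrapped patch is empty (`+---` follows the Subject directly) and the cover text justifies the change only with "we do not use encrypted tunnels", yet the key generated in src/protocols/ec25519_fhmqvc/util.c is also the one the ec25519_fhmqvc handshake uses to identify the node to its peers, so the trade-off goes beyond confidentiality; please record it in the patch and state that the key must be generated only after the pool has been initialized (on first boot: after the seed file has been written), not as part of early boot.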
> >> diff --git a/buildscript b/buildscript index 2fb1794..b2030ba 100755
> >> --- a/buildscript
> >> +++ b/buildscript
> >> @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede-
> >> project.org/feed/packages.git"
> >>  #official openwrt packages
> >>  OPENWRT=(openwrt
> >>           $PACKAGEURL
> >> -         $PACKAGEREV)
> >> +         $PACKAGEREV
> >> +         fastd/0020-fastd_generate_key_from_urandom.patch)
> >>  OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl"
> >>
> >>  ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment.
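Review bot: the new entry `fastd/0020-fastd_generate_key_from_urandom.patch` is given relative to build_patches/openwrt/, whereas the first hunk creates the file as build_patches/openwrt/fastd/0020-fastd_generate_key_from_urandom.patch; the hunk does not show how the OPENWRT=(...) array is consumed after `$PACKAGEREV`, so please confirm that the buildscript resolves entries after the revision as patch paths under build_patches/openwrt/ and applies them in order. A short comment under `#official openwrt packages` stating that entries after the revision are patches applied to the feed would make the array self-describing.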
> >> --
> >> 2.11.0
> >>
> >> --
> >> franken-dev mailing list
> >> franken-dev at freifunk.net
> >> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
> 
> --
> franken-dev mailing list
> franken-dev at freifunk.net
> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
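A defender's check for the two symptoms this thread describes, as an added example that is not code from the thread, OpenWrt or fastd: it scans a logread dump for the missing-seed warning and for processes that read /dev/urandom before the kernel reported its pool initialized, and checks that /etc/urandom.seed is present. The sample log is constructed after Adrian's excerpt; the `fastd` line and the `crng init done` line are assumptions added here, and on a router the functions are fed with `audit "$(logread)"`.

```shell
# Added example, not code from the franken-dev thread, OpenWrt or fastd.
# Audits a boot log for the two symptoms discussed above: a missing
# /etc/urandom.seed and reads of /dev/urandom before the kernel pool was
# initialized, which is the window in which a fastd key drawn from
# /dev/urandom would be weak. POSIX sh and awk only, so it runs on BusyBox.
# Constructed sample after the logread excerpt quoted in the thread; the fastd
# line and the "crng init done" line are assumptions added here.
SAMPLE_LOG='Sat Oct 28 18:32:57 2017 user.warn kernel: [   10.016531] urandom-seed: Seed file not found (/etc/urandom.seed)
Sat Oct 28 18:32:57 2017 user.info kernel: [   10.628601] procd: - ubus -
Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.681969] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.691858] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:59 2017 kern.notice kernel: [   11.900000] random: fastd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
Sat Oct 28 18:33:40 2017 kern.info kernel: [   53.000000] random: crng init done'

# Exit 0 if the log (stdin) shows the seed file was missing at boot.
seed_missing_in_log() {
    awk '/urandom-seed: Seed file not found/ { found = 1 } END { exit found ? 0 : 1 }'
}
# Print the number of uninitialized urandom reads in the log (stdin).
count_uninit_reads() {
    awk '/uninitialized urandom read/ { n++ } END { print n + 0 }'
}
# Print each distinct process that read urandom before "crng init done",
# in order of first appearance; a 32-byte read is a key-sized read.
early_readers() {
    awk '/crng init done/ { exit }
         /uninitialized urandom read/ {
             rest = substr($0, index($0, "random: ") + 8)   # "ubusd: uninit..."
             split(rest, f, ":")
             if (!seen[f[1]]++) print f[1]
         }'
}
# Exit 0 if the seed file (default /etc/urandom.seed) exists and is non-empty.
seed_file_present() {
    [ -s "${1:-/etc/urandom.seed}" ]
}
# Report on a log; on a router run: audit "$(logread)"
audit() {
    log=${1:-$SAMPLE_LOG}
    printf '%s\n' "$log" | seed_missing_in_log &&
        echo "WARN: /etc/urandom.seed was missing at boot"
    echo "uninitialized urandom reads: $(printf '%s\n' "$log" | count_uninit_reads)"
    echo "read urandom before init: $(printf '%s\n' "$log" | early_readers | tr '\n' ' ')"
    seed_file_present || echo "WARN: /etc/urandom.seed absent or empty now"
}

audit
```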



More information about the franken-dev mailing list