From patchwork Sat Jan 28 18:41:13 2023
X-Patchwork-Submitter: Hauke Mehrtens
X-Patchwork-Id: 1733333
X-Patchwork-Delegate: hauke@hauke-m.de
From: Hauke Mehrtens
To: openwrt-devel@lists.openwrt.org
Cc: Hauke Mehrtens
Subject: [PATCH ustream-ssl] ustream-mbedtls: Use getrandom() instead of /dev/urandom
Date: Sat, 28 Jan 2023 19:41:13 +0100
Message-Id: <20230128184113.3502926-1-hauke@hauke-m.de>

Instead of keeping a file descriptor open just use the getrandom syscall
to get random data. This has been supported by musl, glibc and Linux for
some time now.

This also improves the error handling in case this function returns not
as many bytes as expected.

Signed-off-by: Hauke Mehrtens
Acked-by: Rosen Penev
--- ustream-mbedtls.c | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index e79e37b..51ba2fa 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -17,6 +17,7 @@ */ #include +#include #include #include #include @@ -25,8 +26,6 @@ #include "ustream-ssl.h" #include "ustream-internal.h" -static int urandom_fd = -1; - static int s_ustream_read(void *ctx, unsigned char *buf, size_t len) { struct ustream *s = ctx; 
@@ -66,21 +65,12 @@ __hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct ustr mbedtls_ssl_set_bio(ssl, conn, s_ustream_write, s_ustream_read, NULL); } -static bool urandom_init(void) -{ - if (urandom_fd > -1) - return true; - - urandom_fd = open("/dev/urandom", O_RDONLY); - if (urandom_fd < 0) - return false; - - return true; -} - static int _urandom(void *ctx, unsigned char *out, size_t len) { - if (read(urandom_fd, out, len) < 0) + ssize_t ret; + + ret = getrandom(out, len, 0); + if (ret < 0 || (size_t)ret != len) return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; return 0; @@ -134,9 +124,6 @@ __ustream_ssl_context_new(bool server) mbedtls_ssl_config *conf; int ep; - if (!urandom_init()) - return NULL; - ctx = calloc(1, sizeof(*ctx)); if (!ctx) return NULL;
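
Review bot: In the `@@ -66,21 +65,12 @@` hunk, `_urandom()` turns every short or interrupted `getrandom(out, len, 0)` into `MBEDTLS_ERR_ENTROPY_SOURCE_FAILED` with no retry. With flags 0 the call is only guaranteed to return the full amount, uninterrupted, for requests of up to 256 bytes once the pool is initialized; for larger `len`, or while it is still waiting for initialization, it can return fewer bytes or fail with EINTR. A loop that advances `out` by `ret`, retries on `errno == EINTR`, and fails only on other errors would keep a signal from aborting the TLS operation. Flags 0 also blocks until the kernel RNG is initialized, which the old `read()` on /dev/urandom never did; that behaviour change deserves a sentence in the commit message. Since the function no longer reads /dev/urandom, the name `_urandom` is now misleading and could be renamed.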
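
Review bot: In the `@@ -134,9 +124,6 @@` hunk, dropping the `urandom_init()` check means `__ustream_ssl_context_new()` no longer fails early when the random source is unusable. On a kernel without the getrandom syscall (ENOSYS), context creation now succeeds and the problem only appears later as `MBEDTLS_ERR_ENTROPY_SOURCE_FAILED` from `_urandom()`. If dropping support for such kernels is intended, state the minimum kernel in the commit message; otherwise a small `getrandom()` probe here would preserve the previous fail-at-setup behaviour.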