nat: Use RAND_bytes instead of /dev/urandom
We don't need to consume all the entropy of the kernel but can use libcrypto (OpenSSL) to generate random data. It is not clear if we need to call RAND_load_file but I think we can assume that our Unices have a /dev/urandom. This takes less CPU time, provides good enough entropy (in theory) and leaves some in the kernel entropy pool.
This commit is contained in:
parent
8ee53ed9ec
commit
9f95ae8885
|
@ -35,6 +35,7 @@ AC_ARG_ENABLE([nat], [AS_HELP_STRING([--enable-nat], [Build the BSC NAT. Require
|
|||
[osmo_ac_build_nat="$enableval"],[osmo_ac_build_nat="no"])
|
||||
if test "$osmo_ac_build_nat" = "yes" ; then
|
||||
PKG_CHECK_MODULES(LIBOSMOSCCP, libosmo-sccp >= 0.0.2)
|
||||
PKG_CHECK_MODULES(LIBCRYPTO, libcrypto)
|
||||
fi
|
||||
AM_CONDITIONAL(BUILD_NAT, test "x$osmo_ac_build_nat" = "xyes")
|
||||
AC_SUBST(osmo_ac_build_nat)
|
||||
|
|
|
@ -307,9 +307,6 @@ struct bsc_nat {
|
|||
|
||||
/* control interface */
|
||||
struct ctrl_handle *ctrl;
|
||||
|
||||
/* for random values */
|
||||
int random_fd;
|
||||
};
|
||||
|
||||
struct bsc_nat_ussd_con {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include -I$(top_builddir)
|
||||
AM_CFLAGS=-Wall $(LIBOSMOCORE_CFLAGS) $(LIBOSMOGSM_CFLAGS) $(LIBOSMOVTY_CFLAGS) $(LIBOSMOCTRL_CFLAGS) $(LIBOSMOSCCP_CFLAGS) $(LIBOSMOABIS_CFLAGS) $(LIBOSMONETIF_CFLAGS) $(COVERAGE_CFLAGS)
|
||||
AM_CFLAGS=-Wall $(LIBOSMOCORE_CFLAGS) $(LIBOSMOGSM_CFLAGS) $(LIBOSMOVTY_CFLAGS) $(LIBOSMOCTRL_CFLAGS) $(LIBOSMOSCCP_CFLAGS) $(LIBOSMOABIS_CFLAGS) $(LIBOSMONETIF_CFLAGS) $(LIBCRYPTO_CFLAGS) $(COVERAGE_CFLAGS)
|
||||
AM_LDFLAGS = $(COVERAGE_LDFLAGS)
|
||||
|
||||
bin_PROGRAMS = osmo-bsc_nat
|
||||
|
@ -16,4 +16,4 @@ osmo_bsc_nat_LDADD = \
|
|||
$(top_builddir)/src/libfilter/libfilter.a \
|
||||
-lrt $(LIBOSMOSCCP_LIBS) $(LIBOSMOCORE_LIBS) \
|
||||
$(LIBOSMOGSM_LIBS) $(LIBOSMOVTY_LIBS) $(LIBOSMOCTRL_LIBS) \
|
||||
$(LIBOSMOABIS_LIBS) $(LIBOSMONETIF_LIBS)
|
||||
$(LIBOSMOABIS_LIBS) $(LIBOSMONETIF_LIBS) $(LIBCRYPTO_LIBS)
|
||||
|
|
|
@ -69,6 +69,8 @@
|
|||
|
||||
#include <osmocom/abis/ipa.h>
|
||||
|
||||
#include <openssl/rand.h>
|
||||
|
||||
#include "../../bscconfig.h"
|
||||
|
||||
#define SCCP_CLOSE_TIME 20
|
||||
|
@ -204,8 +206,7 @@ static void send_id_req(struct bsc_nat *nat, struct bsc_connection *bsc)
|
|||
0x01, IPAC_IDTAG_SERNR,
|
||||
};
|
||||
|
||||
int toread, rounds;
|
||||
uint8_t *mrand, *randoff;
|
||||
uint8_t *mrand;
|
||||
uint8_t id_req[sizeof(s_id_req) + (2+16)];
|
||||
uint8_t *buf = &id_req[sizeof(s_id_req)];
|
||||
|
||||
|
@ -216,19 +217,10 @@ static void send_id_req(struct bsc_nat *nat, struct bsc_connection *bsc)
|
|||
buf = v_put(buf, 0x11);
|
||||
buf = v_put(buf, 0x23);
|
||||
mrand = bsc->last_rand;
|
||||
randoff = mrand;
|
||||
memset(randoff, 0, 16);
|
||||
|
||||
for (toread = 16, rounds = 0; rounds < 5 && toread > 0; ++rounds) {
|
||||
int rc = read(nat->random_fd, randoff, toread);
|
||||
if (rc <= 0)
|
||||
goto failed_random;
|
||||
toread -= rc;
|
||||
randoff += rc;
|
||||
}
|
||||
|
||||
if (toread != 0)
|
||||
if (RAND_bytes(mrand, 16) != 1)
|
||||
goto failed_random;
|
||||
|
||||
memcpy(buf, mrand, 16);
|
||||
buf += 16;
|
||||
|
||||
|
@ -1628,12 +1620,6 @@ int main(int argc, char **argv)
|
|||
/* We need to add mode-set for amr codecs */
|
||||
nat->sdp_ensure_amr_mode_set = 1;
|
||||
|
||||
nat->random_fd = open("/dev/random", O_RDONLY);
|
||||
if (nat->random_fd < 0) {
|
||||
fprintf(stderr, "Failed to open /dev/urandom.\n");
|
||||
return -5;
|
||||
}
|
||||
|
||||
vty_info.copyright = openbsc_copyright;
|
||||
vty_init(&vty_info);
|
||||
logging_vty_add_cmds(&log_info);
|
||||
|
|
Loading…
Reference in New Issue