nat: Use RAND_bytes instead of /dev/urandom

We don't need to consume all the entropy of the kernel but can
use libcrypto (OpenSSL) to generate random data. It is not clear
if we need to call RAND_load_file but I think we can assume that
our Unices have a /dev/urandom.

This takes less CPU time, provides good enough entropy (in theory)
and leaves some in the kernel entropy pool.
This commit is contained in:
Holger Hans Peter Freyther 2015-07-01 08:34:16 +02:00
parent 8ee53ed9ec
commit 9f95ae8885
4 changed files with 8 additions and 24 deletions

View File

@ -35,6 +35,7 @@ AC_ARG_ENABLE([nat], [AS_HELP_STRING([--enable-nat], [Build the BSC NAT. Require
[osmo_ac_build_nat="$enableval"],[osmo_ac_build_nat="no"])
if test "$osmo_ac_build_nat" = "yes" ; then
PKG_CHECK_MODULES(LIBOSMOSCCP, libosmo-sccp >= 0.0.2)
PKG_CHECK_MODULES(LIBCRYPTO, libcrypto)
fi
AM_CONDITIONAL(BUILD_NAT, test "x$osmo_ac_build_nat" = "xyes")
AC_SUBST(osmo_ac_build_nat)

View File

@ -307,9 +307,6 @@ struct bsc_nat {
/* control interface */
struct ctrl_handle *ctrl;
/* for random values */
int random_fd;
};
struct bsc_nat_ussd_con {

View File

@ -1,5 +1,5 @@
AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include -I$(top_builddir)
AM_CFLAGS=-Wall $(LIBOSMOCORE_CFLAGS) $(LIBOSMOGSM_CFLAGS) $(LIBOSMOVTY_CFLAGS) $(LIBOSMOCTRL_CFLAGS) $(LIBOSMOSCCP_CFLAGS) $(LIBOSMOABIS_CFLAGS) $(LIBOSMONETIF_CFLAGS) $(COVERAGE_CFLAGS)
AM_CFLAGS=-Wall $(LIBOSMOCORE_CFLAGS) $(LIBOSMOGSM_CFLAGS) $(LIBOSMOVTY_CFLAGS) $(LIBOSMOCTRL_CFLAGS) $(LIBOSMOSCCP_CFLAGS) $(LIBOSMOABIS_CFLAGS) $(LIBOSMONETIF_CFLAGS) $(LIBCRYPTO_CFLAGS) $(COVERAGE_CFLAGS)
AM_LDFLAGS = $(COVERAGE_LDFLAGS)
bin_PROGRAMS = osmo-bsc_nat
@ -16,4 +16,4 @@ osmo_bsc_nat_LDADD = \
$(top_builddir)/src/libfilter/libfilter.a \
-lrt $(LIBOSMOSCCP_LIBS) $(LIBOSMOCORE_LIBS) \
$(LIBOSMOGSM_LIBS) $(LIBOSMOVTY_LIBS) $(LIBOSMOCTRL_LIBS) \
$(LIBOSMOABIS_LIBS) $(LIBOSMONETIF_LIBS)
$(LIBOSMOABIS_LIBS) $(LIBOSMONETIF_LIBS) $(LIBCRYPTO_LIBS)

View File

@ -69,6 +69,8 @@
#include <osmocom/abis/ipa.h>
#include <openssl/rand.h>
#include "../../bscconfig.h"
#define SCCP_CLOSE_TIME 20
@ -204,8 +206,7 @@ static void send_id_req(struct bsc_nat *nat, struct bsc_connection *bsc)
0x01, IPAC_IDTAG_SERNR,
};
int toread, rounds;
uint8_t *mrand, *randoff;
uint8_t *mrand;
uint8_t id_req[sizeof(s_id_req) + (2+16)];
uint8_t *buf = &id_req[sizeof(s_id_req)];
@ -216,19 +217,10 @@ static void send_id_req(struct bsc_nat *nat, struct bsc_connection *bsc)
buf = v_put(buf, 0x11);
buf = v_put(buf, 0x23);
mrand = bsc->last_rand;
randoff = mrand;
memset(randoff, 0, 16);
for (toread = 16, rounds = 0; rounds < 5 && toread > 0; ++rounds) {
int rc = read(nat->random_fd, randoff, toread);
if (rc <= 0)
goto failed_random;
toread -= rc;
randoff += rc;
}
if (toread != 0)
if (RAND_bytes(mrand, 16) != 1)
goto failed_random;
memcpy(buf, mrand, 16);
buf += 16;
@ -1628,12 +1620,6 @@ int main(int argc, char **argv)
/* We need to add mode-set for amr codecs */
nat->sdp_ensure_amr_mode_set = 1;
nat->random_fd = open("/dev/random", O_RDONLY);
if (nat->random_fd < 0) {
fprintf(stderr, "Failed to open /dev/urandom.\n");
return -5;
}
vty_info.copyright = openbsc_copyright;
vty_init(&vty_info);
logging_vty_add_cmds(&log_info);