Message ID | 20171114001450.7762-1-rlanghammer@web.de |
---|---|
State | Accepted |
diff --git a/build_patches/openwrt/fastd/0020-fastd_generate_key_from_urandom.patch b/build_patches/openwrt/fastd/0020-fastd_generate_key_from_urandom.patch new file mode 100644 index 0000000..252af39 --- /dev/null +++ b/build_patches/openwrt/fastd/0020-fastd_generate_key_from_urandom.patch @@ -0,0 +1,33 @@ +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00 2001 +From: Robert Langhammer <rlanghammer@web.de> +Date: Mon, 13 Nov 2017 21:04:55 +0100 +Subject: [PATCH] fastd_generate_key_from_urandom + +--- + net/fastd/patches/001-generate_key_from_urandom.patch | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + create mode 100644 net/fastd/patches/001-generate_key_from_urandom.patch + +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch b/net/fastd/patches/001-generate_key_from_urandom.patch +new file mode 100644 +index 00000000..47280e52 +--- /dev/null ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch +@@ -0,0 +1,14 @@ ++--- a/src/protocols/ec25519_fhmqvc/util.c +++++ b/src/protocols/ec25519_fhmqvc/util.c ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener ++ ecc_int256_t public_key; ++ ++ if (!conf.machine_readable) ++- pr_info("Reading 32 bytes from /dev/random..."); +++ pr_info("Reading 32 bytes from /dev/urandom..."); ++ ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); ++ ++ ecc_25519_work_t work; +-- +2.11.0 + diff --git a/buildscript b/buildscript index 2fb1794..b2030ba 100755 --- a/buildscript +++ b/buildscript @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede-project.org/feed/packages.git" #official openwrt packages OPENWRT=(openwrt $PACKAGEURL - $PACKAGEREV) + $PACKAGEREV + fastd/0020-fastd_generate_key_from_urandom.patch) OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment.
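Review bot: the inner patch (net/fastd/patches/001-generate_key_from_urandom.patch) flips the third argument of fastd_random_bytes() from true to false, i.e. from the blocking to the non-blocking source, but its own header carries only the subject "fastd_generate_key_from_urandom" and no rationale; the justification ("we do not use encrypted tunnels") lives only in the outer commit message and is lost once the file sits in the fastd patch directory. The secret drawn here is the node's long-term key for the ec25519_fhmqvc handshake, which still identifies and authenticates the node even without payload encryption, and on a freshly flashed router /dev/urandom can be read before the kernel pool is seeded (the later "uninitialized urandom read" logread lines in this thread show exactly that window). Suggest stating that trade-off in the patch header, and, where the key is generated during first boot, deferring generation until the urandom seed has been restored rather than running it as early as possible.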
We once had a patch with a newly built random tool:

https://github.com/FreifunkFranken/firmware/commit/daa613722ca8b74dde508088abaeb73b7ebad41f

Does that interfere in any way?

Regards

Adrian

> -----Original Message----- > From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of Robert Langhammer > Sent: Tuesday, 14 November 2017 01:15 > To: franken-dev@freifunk.net > Subject: [PATCH] fastd: generate the key from urandom > > We do not use encrypted tunnels, so we can use urandom generating the > keys to prevent blocking due to low entropy. > > Signed-off-by: Robert Langhammer <rlanghammer@web.de> > --- > .../0020-fastd_generate_key_from_urandom.patch | 33 > ++++++++++++++++++++++ > buildscript | 3 +- > 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 > build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > > diff --git a/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > new file mode 100644 > index 0000000..252af39 > --- /dev/null > +++ b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.p > +++ atch 
> @@ -0,0 +1,33 @@ > +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00 > 2001 > +From: Robert Langhammer <rlanghammer@web.de> > +Date: Mon, 13 Nov 2017 21:04:55 +0100 > +Subject: [PATCH] fastd_generate_key_from_urandom > + > +--- > + net/fastd/patches/001-generate_key_from_urandom.patch | 14 > +++++++++++++++ > + 1 file changed, 14 insertions(+) > + create mode 100644 > +net/fastd/patches/001-generate_key_from_urandom.patch > + > +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch > +b/net/fastd/patches/001-generate_key_from_urandom.patch > +new file mode 100644 > +index 00000000..47280e52 > +--- /dev/null > ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch > +@@ -0,0 +1,14 @@ > ++--- a/src/protocols/ec25519_fhmqvc/util.c > +++++ b/src/protocols/ec25519_fhmqvc/util.c > ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener > ++ ecc_int256_t public_key; > ++ > ++ if (!conf.machine_readable) > ++- pr_info("Reading 32 bytes from /dev/random..."); > +++ pr_info("Reading 32 bytes from /dev/urandom..."); > ++ > ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); > +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); > ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); > ++ > ++ ecc_25519_work_t work; > +-- > +2.11.0 > + > diff --git a/buildscript b/buildscript > index 2fb1794..b2030ba 100755 > --- a/buildscript > +++ b/buildscript > @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede- > project.org/feed/packages.git" > #official openwrt packages > OPENWRT=(openwrt > $PACKAGEURL > - $PACKAGEREV) > + $PACKAGEREV > + fastd/0020-fastd_generate_key_from_urandom.patch) > OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" > > ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment. > -- > 2.11.0 > > -- > franken-dev mailing list > franken-dev@freifunk.net > http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
I don't see any connection. The tool also reads from urandom: f = fopen("/dev/urandom", "r"); but nothing else.

I am only redirecting here from /dev/random to /dev/urandom. Not that much entropy gushes out of urandom, but that does not matter, since we do not encrypt anything.

Actually, the only thing that annoyed me was the waiting after flashing uplink routers. So it is not a system-relevant patch, but pleasant for testing when you reflash again and again.

Robert

On 14.11.2017 at 11:59, Adrian Schmutzler wrote: > We once had a patch with a newly built random tool: > > https://github.com/FreifunkFranken/firmware/commit/daa613722ca8b74dde508088abaeb73b7ebad41f > > Does that interfere in any way? > > Regards > > Adrian > >> -----Original Message----- >> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf >> Of Robert Langhammer >> Sent: Tuesday, 14 November 2017 01:15 >> To: franken-dev@freifunk.net >> Subject: [PATCH] fastd: generate the key from urandom >> >> We do not use encrypted tunnels, so we can use urandom generating the >> keys to prevent blocking due to low entropy. >> >> Signed-off-by: Robert Langhammer <rlanghammer@web.de> >> --- >> .../0020-fastd_generate_key_from_urandom.patch | 33 >> ++++++++++++++++++++++ >> buildscript | 3 +- >> 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 >> build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.patch >> >> diff --git a/build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.patch >> b/build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.patch >> new file mode 100644 >> index 0000000..252af39 >> --- /dev/null >> +++ b/build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.p >> +++ atch 
>> @@ -0,0 +1,33 @@ >> +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00 >> 2001 >> +From: Robert Langhammer <rlanghammer@web.de> >> +Date: Mon, 13 Nov 2017 21:04:55 +0100 >> +Subject: [PATCH] fastd_generate_key_from_urandom >> + >> +--- >> + net/fastd/patches/001-generate_key_from_urandom.patch | 14 >> +++++++++++++++ >> + 1 file changed, 14 insertions(+) >> + create mode 100644 >> +net/fastd/patches/001-generate_key_from_urandom.patch >> + >> +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch >> +b/net/fastd/patches/001-generate_key_from_urandom.patch >> +new file mode 100644 >> +index 00000000..47280e52 >> +--- /dev/null >> ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch >> +@@ -0,0 +1,14 @@ >> ++--- a/src/protocols/ec25519_fhmqvc/util.c >> +++++ b/src/protocols/ec25519_fhmqvc/util.c >> ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener >> ++ ecc_int256_t public_key; >> ++ >> ++ if (!conf.machine_readable) >> ++- pr_info("Reading 32 bytes from /dev/random..."); >> +++ pr_info("Reading 32 bytes from /dev/urandom..."); >> ++ >> ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); >> +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); >> ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); >> ++ >> ++ ecc_25519_work_t work; >> +-- >> +2.11.0 >> + >> diff --git a/buildscript b/buildscript >> index 2fb1794..b2030ba 100755 >> --- a/buildscript >> +++ b/buildscript >> @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede- >> project.org/feed/packages.git" >> #official openwrt packages >> OPENWRT=(openwrt >> $PACKAGEURL >> - $PACKAGEREV) >> + $PACKAGEREV >> + fastd/0020-fastd_generate_key_from_urandom.patch) >> OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" >> >> ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment. >> -- >> 2.11.0 >> >> -- >> franken-dev mailing list >> franken-dev@freifunk.net >> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
Just tested it: fastd came up after 2 min uptime. For anything more precise one would have to run a series of tests.

For a Reviewed-by I know too little about where random does what in the system.

Tested-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

Regards

Adrian

> -----Original Message----- > From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of Robert Langhammer > Sent: Tuesday, 14 November 2017 01:15 > To: franken-dev@freifunk.net > Subject: [PATCH] fastd: generate the key from urandom > > We do not use encrypted tunnels, so we can use urandom generating the > keys to prevent blocking due to low entropy. > > Signed-off-by: Robert Langhammer <rlanghammer@web.de> > --- > .../0020-fastd_generate_key_from_urandom.patch | 33 > ++++++++++++++++++++++ > buildscript | 3 +- > 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 > build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > > diff --git a/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > new file mode 100644 > index 0000000..252af39 > --- /dev/null > +++ b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.p > +++ atch 
> @@ -0,0 +1,33 @@ > +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00 > 2001 > +From: Robert Langhammer <rlanghammer@web.de> > +Date: Mon, 13 Nov 2017 21:04:55 +0100 > +Subject: [PATCH] fastd_generate_key_from_urandom > + > +--- > + net/fastd/patches/001-generate_key_from_urandom.patch | 14 > +++++++++++++++ > + 1 file changed, 14 insertions(+) > + create mode 100644 > +net/fastd/patches/001-generate_key_from_urandom.patch > + > +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch > +b/net/fastd/patches/001-generate_key_from_urandom.patch > +new file mode 100644 > +index 00000000..47280e52 > +--- /dev/null > ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch > +@@ -0,0 +1,14 @@ > ++--- a/src/protocols/ec25519_fhmqvc/util.c > +++++ b/src/protocols/ec25519_fhmqvc/util.c > ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener > ++ ecc_int256_t public_key; > ++ > ++ if (!conf.machine_readable) > ++- pr_info("Reading 32 bytes from /dev/random..."); > +++ pr_info("Reading 32 bytes from /dev/urandom..."); > ++ > ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); > +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); > ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); > ++ > ++ ecc_25519_work_t work; > +-- > +2.11.0 > + > diff --git a/buildscript b/buildscript > index 2fb1794..b2030ba 100755 > --- a/buildscript > +++ b/buildscript > @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede- > project.org/feed/packages.git" > #official openwrt packages > OPENWRT=(openwrt > $PACKAGEURL > - $PACKAGEREV) > + $PACKAGEREV > + fastd/0020-fastd_generate_key_from_urandom.patch) > OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" > > ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment. > -- > 2.11.0 > > -- > franken-dev mailing list > franken-dev@freifunk.net > http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
I like it.
Not tested so far, but
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Fabian
Found the following in logread today:

Sat Oct 28 18:32:57 2017 user.warn kernel: [ 10.016531] urandom-seed: Seed file not found (/etc/urandom.seed)
Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.066231] procd: - early -
Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.070117] procd: - watchdog -
Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.625076] procd: - watchdog -
Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.628601] procd: - ubus -
Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.681969] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.691858] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.701242] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.710979] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.720351] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.729896] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.739428] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)

Is that intended?

Regards

Adrian

> -----Original Message----- > From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of Robert Langhammer > Sent: Tuesday, 14 November 2017 01:15 > To: franken-dev@freifunk.net > Subject: [PATCH] fastd: generate the key from urandom > > We do not use encrypted tunnels, so we can use urandom generating the > keys to prevent blocking due to low entropy. 
> > Signed-off-by: Robert Langhammer <rlanghammer@web.de> > --- > .../0020-fastd_generate_key_from_urandom.patch | 33 > ++++++++++++++++++++++ > buildscript | 3 +- > 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 > build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > > diff --git a/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > new file mode 100644 > index 0000000..252af39 > --- /dev/null > +++ b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.p > +++ atch > @@ -0,0 +1,33 @@ > +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00 > 2001 > +From: Robert Langhammer <rlanghammer@web.de> > +Date: Mon, 13 Nov 2017 21:04:55 +0100 > +Subject: [PATCH] fastd_generate_key_from_urandom > + > +--- > + net/fastd/patches/001-generate_key_from_urandom.patch | 14 > +++++++++++++++ > + 1 file changed, 14 insertions(+) > + create mode 100644 > +net/fastd/patches/001-generate_key_from_urandom.patch > + > +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch > +b/net/fastd/patches/001-generate_key_from_urandom.patch > +new file mode 100644 > +index 00000000..47280e52 > +--- /dev/null > ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch > +@@ -0,0 +1,14 @@ > ++--- a/src/protocols/ec25519_fhmqvc/util.c > +++++ b/src/protocols/ec25519_fhmqvc/util.c > ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener > ++ ecc_int256_t public_key; > ++ > ++ if (!conf.machine_readable) > ++- pr_info("Reading 32 bytes from /dev/random..."); > +++ pr_info("Reading 32 bytes from /dev/urandom..."); > ++ > ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); > +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); > ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); > ++ > ++ ecc_25519_work_t work; > +-- > +2.11.0 > + 
> diff --git a/buildscript b/buildscript > index 2fb1794..b2030ba 100755 > --- a/buildscript > +++ b/buildscript > @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede- > project.org/feed/packages.git" > #official openwrt packages > OPENWRT=(openwrt > $PACKAGEURL > - $PACKAGEREV) > + $PACKAGEREV > + fastd/0020-fastd_generate_key_from_urandom.patch) > OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" > > ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment. > -- > 2.11.0 > > -- > franken-dev mailing list > franken-dev@freifunk.net > http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
Hello Adrian,

that has nothing to do with the patch.

When the router starts for the first time, the file /etc/urandom.seed is created.

/etc/init.d/urandom_seed -> /sbin/urandom_seed

Now the file should be there and the message gone.

I found a years-long discussion about this at LEDE/OpenWrt, since the file is only written once at the first boot. As a result, urandom is grown from the same seed every time. From an entropy point of view that is not optimal. But one accepts that, since otherwise one would scribble in the flash every time.

Robert

On 22.12.2017 at 13:14, Adrian Schmutzler wrote: > Found the following in logread today: > > Sat Oct 28 18:32:57 2017 user.warn kernel: [ 10.016531] urandom-seed: Seed > file not found (/etc/urandom.seed) > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.066231] procd: - early - > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.070117] procd: - watchdog > - > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.625076] procd: - watchdog > - > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.628601] procd: - ubus - > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.681969] random: ubusd: > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.691858] random: ubusd: > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.701242] random: ubusd: > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.710979] random: ubusd: > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.720351] random: ubusd: > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.729896] random: ubusd: > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.739428] random: ubusd: > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > > Is that intended? > > Regards > > Adrian > >> -----Original Message----- >> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf >> Of Robert Langhammer >> Sent: Tuesday, 14 November 2017 01:15 >> To: franken-dev@freifunk.net >> Subject: [PATCH] fastd: generate the key from urandom >> >> We do not use encrypted tunnels, so we can use urandom generating the >> keys to prevent blocking due to low entropy. >> >> Signed-off-by: Robert Langhammer <rlanghammer@web.de> >> --- >> .../0020-fastd_generate_key_from_urandom.patch | 33 >> ++++++++++++++++++++++ >> buildscript | 3 +- >> 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 >> build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.patch >> >> diff --git a/build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.patch >> b/build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.patch >> new file mode 100644 >> index 0000000..252af39 >> --- /dev/null >> +++ b/build_patches/openwrt/fastd/0020- >> fastd_generate_key_from_urandom.p >> +++ atch 
>> @@ -0,0 +1,33 @@ >> +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00 >> 2001 >> +From: Robert Langhammer <rlanghammer@web.de> >> +Date: Mon, 13 Nov 2017 21:04:55 +0100 >> +Subject: [PATCH] fastd_generate_key_from_urandom >> + >> +--- >> + net/fastd/patches/001-generate_key_from_urandom.patch | 14 >> +++++++++++++++ >> + 1 file changed, 14 insertions(+) >> + create mode 100644 >> +net/fastd/patches/001-generate_key_from_urandom.patch >> + >> +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch >> +b/net/fastd/patches/001-generate_key_from_urandom.patch >> +new file mode 100644 >> +index 00000000..47280e52 >> +--- /dev/null >> ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch >> +@@ -0,0 +1,14 @@ >> ++--- a/src/protocols/ec25519_fhmqvc/util.c >> +++++ b/src/protocols/ec25519_fhmqvc/util.c >> ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener >> ++ ecc_int256_t public_key; >> ++ >> ++ if (!conf.machine_readable) >> ++- pr_info("Reading 32 bytes from /dev/random..."); >> +++ pr_info("Reading 32 bytes from /dev/urandom..."); >> ++ >> ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); >> +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); >> ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); >> ++ >> ++ ecc_25519_work_t work; >> +-- >> +2.11.0 >> + >> diff --git a/buildscript b/buildscript >> index 2fb1794..b2030ba 100755 >> --- a/buildscript >> +++ b/buildscript >> @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede- >> project.org/feed/packages.git" >> #official openwrt packages >> OPENWRT=(openwrt >> $PACKAGEURL >> - $PACKAGEREV) >> + $PACKAGEREV >> + fastd/0020-fastd_generate_key_from_urandom.patch) >> OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" >> >> ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment. >> -- >> 2.11.0 >> >> -- >> franken-dev mailing list >> franken-dev@freifunk.net >> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
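Detection logic for the logread symptom Adrian quotes above and the first-boot seed-file behaviour Robert explains, as an added example that is not part of this thread or of the OpenWrt/fastd code: it parses the quoted log format, records the seed-file warning and every urandom read made before the pool was initialised, and classifies from that evidence alone whether a key drawn from /dev/urandom at a given uptime (for instance the 2 min uptime test mentioned above) can be trusted. Both sample logs are constructed (the first is abbreviated from the quoted excerpt); the "random: crng init done" line is a standard kernel message assumed for the second sample.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, abbreviated from the logread excerpt quoted in this thread:
# first boot of a router that has no /etc/urandom.seed yet.
SAMPLE_FIRST_BOOT = """\
Sat Oct 28 18:32:57 2017 user.warn kernel: [   10.016531] urandom-seed: Seed file not found (/etc/urandom.seed)
Sat Oct 28 18:32:57 2017 user.info kernel: [   10.628601] procd: - ubus -
Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.681969] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.691858] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
Sat Oct 28 18:32:57 2017 kern.notice kernel: [   10.739428] random: ubusd: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
"""

# Constructed sample for a later boot with the seed file in place; "random: crng init
# done" is a standard kernel message that does not occur in the log quoted above.
SAMPLE_LATER_BOOT = """\
Sat Oct 28 18:40:11 2017 user.info kernel: [   10.101000] procd: - early -
Sat Oct 28 18:40:11 2017 kern.notice kernel: [   45.123456] random: crng init done
"""

# Kernel uptime stamp that logread prints on every kernel line.
UPTIME_RE = re.compile(r"\[\s*(\d+\.\d+)\]")
# OpenWrt/LEDE urandom-seed warning when /etc/urandom.seed does not exist yet.
SEED_MISSING_RE = re.compile(r"urandom-seed: Seed file not found \((?P<path>[^)]+)\)")
# Kernel notice for a /dev/urandom read before the pool was initialised.
UNINIT_READ_RE = re.compile(
    r"random: (?P<proc>[^:]+): uninitialized urandom read "
    r"\((?P<nbytes>\d+) bytes read, (?P<bits>\d+) bits of entropy available\)"
)
CRNG_DONE_RE = re.compile(r"random: crng init done")


@dataclass
class UrandomReport:
    seed_file_missing: Optional[str] = None
    # (uptime seconds, process, bytes read, entropy bits available at that time)
    uninitialized_reads: List[Tuple[float, str, int, int]] = field(default_factory=list)
    crng_init_uptime: Optional[float] = None

    @property
    def last_uninitialized_uptime(self) -> Optional[float]:
        return max((r[0] for r in self.uninitialized_reads), default=None)

    @property
    def min_entropy_bits(self) -> Optional[int]:
        return min((r[3] for r in self.uninitialized_reads), default=None)

    def pool_state_at(self, uptime: float) -> str:
        """Classify the pool at a given uptime from log evidence only: 'uninitialized'
        if unseeded reads (or crng init) were logged later, 'initialized' if crng init
        came earlier, else 'unknown' (e.g. a key made at 120 s in the first-boot log)."""
        if self.crng_init_uptime is not None:
            return "uninitialized" if uptime < self.crng_init_uptime else "initialized"
        last = self.last_uninitialized_uptime
        if last is not None and uptime <= last:
            return "uninitialized"
        return "unknown"


def parse_logread(text: str) -> UrandomReport:
    report = UrandomReport()
    for line in text.splitlines():
        m_up = UPTIME_RE.search(line)
        if not m_up:
            continue  # not a kernel line
        uptime = float(m_up.group(1))
        m = SEED_MISSING_RE.search(line)
        if m:
            report.seed_file_missing = m.group("path")
            continue
        m = UNINIT_READ_RE.search(line)
        if m:
            report.uninitialized_reads.append(
                (uptime, m.group("proc"), int(m.group("nbytes")), int(m.group("bits")))
            )
            continue
        if CRNG_DONE_RE.search(line):
            report.crng_init_uptime = uptime
    return report


def summarize(report: UrandomReport) -> str:
    # One-line operator summary of the urandom state during this boot.
    parts = []
    if report.seed_file_missing:
        parts.append("seed file %s missing (first boot?)" % report.seed_file_missing)
    if report.uninitialized_reads:
        parts.append("%d uninitialized urandom read(s) up to %.3f s uptime, min %d bits of entropy"
                     % (len(report.uninitialized_reads), report.last_uninitialized_uptime,
                        report.min_entropy_bits))
    if report.crng_init_uptime is not None:
        parts.append("crng seeded at %.3f s" % report.crng_init_uptime)
    return "; ".join(parts) or "no urandom-related events"
```

Feed it the output of `logread` from a router and check `pool_state_at()` for the uptime at which the fastd key was generated; "unknown" means the log gives no evidence either way, not that the key is fine.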
Hello Robert,

yes, that matches my log. That settles it.

Regards

Adrian

> -----Original Message----- 
> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of robert > Sent: Friday, 22 December 2017 13:44 > To: franken-dev@freifunk.net > Subject: Re: [PATCH] fastd: generate the key from urandom > > Hello Adrian, > > that has nothing to do with the patch. > > When the router starts for the first time, the file /etc/urandom.seed > is created. > > /etc/init.d/urandom_seed -> /sbin/urandom_seed > > Now the file should be there and the message gone. > > I found a years-long discussion about this at LEDE/OpenWrt, since the > file is only written once at the first boot. As a result, urandom is > grown from the same seed every time. From an entropy point of view that > is not optimal. But one accepts that, since otherwise one would scribble in the > flash every time. > > Robert > > > On 22.12.2017 at 13:14, Adrian Schmutzler wrote: > > Found the following in logread today: > > > > Sat Oct 28 18:32:57 2017 user.warn kernel: [ 10.016531] urandom-seed: > Seed > > file not found (/etc/urandom.seed) > > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.066231] procd: - early - > > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.070117] procd: - watchdog > > - > > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.625076] procd: - watchdog > > - > > Sat Oct 28 18:32:57 2017 user.info kernel: [ 10.628601] procd: - ubus - > > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.681969] random: ubusd: > > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.691858] random: ubusd: > > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.701242] random: ubusd: > > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.710979] random: ubusd: > > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.720351] random: ubusd: > > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.729896] random: ubusd: > > uninitialized urandom read (4 bytes read, 17 bits of entropy available) > > Sat Oct 28 18:32:57 2017 kern.notice kernel: [ 10.739428] random: ubusd: > > uninitialized urandom read (4 bytes read, 17 bits of entropy > > available) > > > > Is that intended? > > > > Regards > > > > Adrian > > > >> -----Original Message----- > >> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On > Behalf > >> Of Robert Langhammer > >> Sent: Tuesday, 14 November 2017 01:15 > >> To: franken-dev@freifunk.net > >> Subject: [PATCH] fastd: generate the key from urandom > >> > >> We do not use encrypted tunnels, so we can use urandom generating the > >> keys to prevent blocking due to low entropy. > >> > >> Signed-off-by: Robert Langhammer <rlanghammer@web.de> > >> --- > >> .../0020-fastd_generate_key_from_urandom.patch | 33 > >> ++++++++++++++++++++++ > >> buildscript | 3 +- > >> 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 > >> build_patches/openwrt/fastd/0020- > >> fastd_generate_key_from_urandom.patch > >> > >> diff --git a/build_patches/openwrt/fastd/0020- > >> fastd_generate_key_from_urandom.patch > >> b/build_patches/openwrt/fastd/0020- > >> fastd_generate_key_from_urandom.patch > >> new file mode 100644 > >> index 0000000..252af39 > >> --- /dev/null > >> +++ b/build_patches/openwrt/fastd/0020- > >> fastd_generate_key_from_urandom.p > >> +++ atch 
> >> @@ -0,0 +1,33 @@ > >> +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 > 00:00:00 > >> 2001 > >> +From: Robert Langhammer <rlanghammer@web.de> > >> +Date: Mon, 13 Nov 2017 21:04:55 +0100 > >> +Subject: [PATCH] fastd_generate_key_from_urandom > >> + > >> +--- > >> + net/fastd/patches/001-generate_key_from_urandom.patch | 14 > >> +++++++++++++++ > >> + 1 file changed, 14 insertions(+) > >> + create mode 100644 > >> +net/fastd/patches/001-generate_key_from_urandom.patch > >> + > >> +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch > >> +b/net/fastd/patches/001-generate_key_from_urandom.patch > >> +new file mode 100644 > >> +index 00000000..47280e52 > >> +--- /dev/null > >> ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch > >> +@@ -0,0 +1,14 @@ > >> ++--- a/src/protocols/ec25519_fhmqvc/util.c > >> +++++ b/src/protocols/ec25519_fhmqvc/util.c > >> ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener > >> ++ ecc_int256_t public_key; > >> ++ > >> ++ if (!conf.machine_readable) > >> ++- pr_info("Reading 32 bytes from /dev/random..."); > >> +++ pr_info("Reading 32 bytes from /dev/urandom..."); > >> ++ > >> ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); > >> +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); > >> ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); > >> ++ > >> ++ ecc_25519_work_t work; > >> +-- > >> +2.11.0 > >> + > >> diff --git a/buildscript b/buildscript index 2fb1794..b2030ba 100755 > >> --- a/buildscript > >> +++ b/buildscript 
> >> @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede- > >> project.org/feed/packages.git" > >> #official openwrt packages > >> OPENWRT=(openwrt > >> $PACKAGEURL > >> - $PACKAGEREV) > >> + $PACKAGEREV > >> + fastd/0020-fastd_generate_key_from_urandom.patch) > >> OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" > >> > >> ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment. > >> -- > >> 2.11.0 > >> > >> -- > >> franken-dev mailing list > >> franken-dev@freifunk.net > >> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net > > -- > franken-dev mailing list > franken-dev@freifunk.net > http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
Hi,

And applied.

Tim

On Tuesday, 14.11.2017, 01:14 +0100, Robert Langhammer wrote: > We do not use encrypted tunnels, so we can use urandom generating the > keys to prevent blocking due to low entropy. > > Signed-off-by: Robert Langhammer <rlanghammer@web.de> > --- > .../0020-fastd_generate_key_from_urandom.patch | 33 > ++++++++++++++++++++++ > buildscript | 3 +- > 2 files changed, 35 insertions(+), 1 deletion(-) > create mode 100644 build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > > diff --git a/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch > new file mode 100644 > index 0000000..252af39 > --- /dev/null > +++ b/build_patches/openwrt/fastd/0020- > fastd_generate_key_from_urandom.patch 
> @@ -0,0 +1,33 @@ > +From 4a451ac5b17b1a7e8ce3d094067df7e21e61927d Mon Sep 17 00:00:00 > 2001 > +From: Robert Langhammer <rlanghammer@web.de> > +Date: Mon, 13 Nov 2017 21:04:55 +0100 > +Subject: [PATCH] fastd_generate_key_from_urandom > + > +--- > + net/fastd/patches/001-generate_key_from_urandom.patch | 14 > ++++++++++++++ > + 1 file changed, 14 insertions(+) > + create mode 100644 net/fastd/patches/001- > generate_key_from_urandom.patch > + > +diff --git a/net/fastd/patches/001-generate_key_from_urandom.patch > b/net/fastd/patches/001-generate_key_from_urandom.patch > +new file mode 100644 > +index 00000000..47280e52 > +--- /dev/null > ++++ b/net/fastd/patches/001-generate_key_from_urandom.patch > +@@ -0,0 +1,14 @@ > ++--- a/src/protocols/ec25519_fhmqvc/util.c > +++++ b/src/protocols/ec25519_fhmqvc/util.c > ++@@ -47,9 +47,9 @@ void fastd_protocol_ec25519_fhmqvc_gener > ++ ecc_int256_t public_key; > ++ > ++ if (!conf.machine_readable) > ++- pr_info("Reading 32 bytes from /dev/random..."); > +++ pr_info("Reading 32 bytes from /dev/urandom..."); > ++ > ++- fastd_random_bytes(secret_key.p, SECRETKEYBYTES, true); > +++ fastd_random_bytes(secret_key.p, SECRETKEYBYTES, false); > ++ ecc_25519_gf_sanitize_secret(&secret_key, &secret_key); > ++ > ++ ecc_25519_work_t work; > +-- > +2.11.0 > + > diff --git a/buildscript b/buildscript > index 2fb1794..b2030ba 100755 > --- a/buildscript > +++ b/buildscript > @@ -23,7 +23,8 @@ PACKAGEURL="https://git.lede-project.org/feed/packa > ges.git" > #official openwrt packages > OPENWRT=(openwrt > $PACKAGEURL > - $PACKAGEREV) > + $PACKAGEREV > + fastd/0020-fastd_generate_key_from_urandom.patch) > OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl" > > ## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment. > -- > 2.11.0 >
We do not use encrypted tunnels, so we can use urandom generating the keys to prevent blocking due to low entropy. Signed-off-by: Robert Langhammer <rlanghammer@web.de> --- .../0020-fastd_generate_key_from_urandom.patch | 33 ++++++++++++++++++++++ buildscript | 3 +- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 build_patches/openwrt/fastd/0020-fastd_generate_key_from_urandom.patch