subject:"\[PATCH ustream\-ssl v2\] ustream\-mbedtls\: Use getrandom\(\) instead of \/dev\/urandom"

Re: [PATCH ustream-ssl v2] ustream-mbedtls: Use getrandom() instead of /dev/urandom

2023-02-20 Thread Torsten Duwe

On Sun, 19 Feb 2023 21:11:12 +0100
Hauke Mehrtens  wrote:

> Instead of keeping a file descriptor open just use the getrandom syscall
> to get random data. This is supported by the musl, glibc and Linux for
> some time now.
> 
> This also improves the error handling in case this function returns not
> as many bytes as expected.
> 
> Signed-off-by: Hauke Mehrtens 
Reviewed-by: Torsten Duwe 

> ---
>  ustream-mbedtls.c | 25 ++---
>  1 file changed, 6 insertions(+), 19 deletions(-)
> 
> changes since v1:
> * rename _urandom to _random
> 
> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
> index e79e37b..7fc7874 100644
> --- a/ustream-mbedtls.c
> +++ b/ustream-mbedtls.c
> @@ -17,6 +17,7 @@
>   */
>  
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -25,8 +26,6 @@
>  #include "ustream-ssl.h"
>  #include "ustream-internal.h"
>  
> -static int urandom_fd = -1;
> -
>  static int s_ustream_read(void *ctx, unsigned char *buf, size_t len)
>  {
>   struct ustream *s = ctx;
> @@ -66,21 +65,12 @@ __hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, 
> void *ssl, struct ustr
>   mbedtls_ssl_set_bio(ssl, conn, s_ustream_write, s_ustream_read, NULL);
>  }
>  
> -static bool urandom_init(void)
> +static int _random(void *ctx, unsigned char *out, size_t len)
>  {
> - if (urandom_fd > -1)
> - return true;
> + ssize_t ret;
>  
> - urandom_fd = open("/dev/urandom", O_RDONLY);
> - if (urandom_fd < 0)
> - return false;
> -
> - return true;
> -}
> -
> -static int _urandom(void *ctx, unsigned char *out, size_t len)
> -{
> - if (read(urandom_fd, out, len) < 0)
> + ret = getrandom(out, len, 0);
> + if (ret < 0 || (size_t)ret != len)
>   return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
>  
>   return 0;
> @@ -134,9 +124,6 @@ __ustream_ssl_context_new(bool server)
>   mbedtls_ssl_config *conf;
>   int ep;
>  
> - if (!urandom_init())
> - return NULL;
> -
>   ctx = calloc(1, sizeof(*ctx));
>   if (!ctx)
>   return NULL;
> @@ -159,7 +146,7 @@ __ustream_ssl_context_new(bool server)
>  
>   mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
>   MBEDTLS_SSL_PRESET_DEFAULT);
> - mbedtls_ssl_conf_rng(conf, _urandom, NULL);
> + mbedtls_ssl_conf_rng(conf, _random, NULL);
>  
>   if (server) {
>   mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

[PATCH ustream-ssl v2] ustream-mbedtls: Use getrandom() instead of /dev/urandom

2023-02-19 Thread Hauke Mehrtens

Instead of keeping a file descriptor open just use the getrandom syscall
to get random data. This is supported by the musl, glibc and Linux for
some time now.

This also improves the error handling in case this function returns not
as many bytes as expected.

Signed-off-by: Hauke Mehrtens 
---
 ustream-mbedtls.c | 25 ++---
 1 file changed, 6 insertions(+), 19 deletions(-)

changes since v1:
* rename _urandom to _random

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index e79e37b..7fc7874 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -17,6 +17,7 @@
  */
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -25,8 +26,6 @@
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
 
-static int urandom_fd = -1;
-
 static int s_ustream_read(void *ctx, unsigned char *buf, size_t len)
 {
struct ustream *s = ctx;
@@ -66,21 +65,12 @@ __hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, 
void *ssl, struct ustr
mbedtls_ssl_set_bio(ssl, conn, s_ustream_write, s_ustream_read, NULL);
 }
 
-static bool urandom_init(void)
+static int _random(void *ctx, unsigned char *out, size_t len)
 {
-   if (urandom_fd > -1)
-   return true;
+   ssize_t ret;
 
-   urandom_fd = open("/dev/urandom", O_RDONLY);
-   if (urandom_fd < 0)
-   return false;
-
-   return true;
-}
-
-static int _urandom(void *ctx, unsigned char *out, size_t len)
-{
-   if (read(urandom_fd, out, len) < 0)
+   ret = getrandom(out, len, 0);
+   if (ret < 0 || (size_t)ret != len)
return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
 
return 0;
@@ -134,9 +124,6 @@ __ustream_ssl_context_new(bool server)
mbedtls_ssl_config *conf;
int ep;
 
-   if (!urandom_init())
-   return NULL;
-
ctx = calloc(1, sizeof(*ctx));
if (!ctx)
return NULL;
@@ -159,7 +146,7 @@ __ustream_ssl_context_new(bool server)
 
mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
-   mbedtls_ssl_conf_rng(conf, _urandom, NULL);
+   mbedtls_ssl_conf_rng(conf, _random, NULL);
 
if (server) {
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
-- 
2.39.1


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: [PATCH ustream-ssl v2] ustream-mbedtls: Use getrandom() instead of /dev/urandom

[PATCH ustream-ssl v2] ustream-mbedtls: Use getrandom() instead of /dev/urandom

2 matches

Site Navigation

Mail list logo

Footer information