| From 5e4ad317400fcdf5c7f09094d6c2a941a1d38f72 Mon Sep 17 00:00:00 2001 |
| From: Paul Stewart <pstew@chromium.org> |
| Date: Mon, 22 Apr 2013 17:41:55 -0700 |
| Subject: [PATCH 2/3] CHROMIUM: hostapd: Provide compile option for weak random |
| numbers |
| |
| Provide a configuration option for allowing the use of /dev/urandom |
| instead of /dev/random for the random number generator source. |
| This source performs more quickly at the expense of security but |
| can be useful in some limited scenarios like a testbed for WPA |
| authentication where the the client should not be denied access |
| just because the random number pool is too small. |
| |
| BUG=chromium:218911 |
| TEST=Compile with and without use-flag; strings the executable |
| |
| Originally-Reviewed-on: https://gerrit.chromium.org/gerrit/48906 |
| Originally-Tested-by: Paul Stewart <pstew@chromium.org> |
| --- |
| hostapd/Makefile | 4 ++++ |
| hostapd/defconfig | 8 ++++++++ |
| src/crypto/random.c | 49 +++++++++++++++++++++++++++++-------------------- |
| 3 files changed, 41 insertions(+), 20 deletions(-) |
| |
| diff --git a/hostapd/Makefile b/hostapd/Makefile |
| index 5fd6481..dd417e4 100644 |
| --- a/hostapd/Makefile |
| +++ b/hostapd/Makefile |
| @@ -863,6 +863,10 @@ LIBS += -lsqlite3 |
| LIBS_h += -lsqlite3 |
| endif |
| |
| +ifdef CONFIG_WEAK_URANDOM_LOW_SECURITY |
| +CFLAGS += -DCONFIG_WEAK_URANDOM_LOW_SECURITY |
| +endif |
| + |
| ALL=hostapd hostapd_cli |
| |
| all: verify_config $(ALL) |
| diff --git a/hostapd/defconfig b/hostapd/defconfig |
| index e329a11..6996322 100644 |
| --- a/hostapd/defconfig |
| +++ b/hostapd/defconfig |
| @@ -320,3 +320,11 @@ CONFIG_IPV6=y |
| # http://wireless.kernel.org/en/users/Documentation/acs |
| # |
| #CONFIG_ACS=y |
| + |
| +# Use weak random number generation from /dev/urandom instead of /dev/random, |
| +# which is the default. This can be used to speed up the acquisition of a |
| +# random pool in os_get_random(), especially after boot. This is useful, |
| +# for example when doing an initial WPA associaton in testing configurations |
| +# where security is not actually necessary. Never use this if you want your |
| +# network to be secure! |
| +#CONFIG_WEAK_URANDOM_LOW_SECURITY=n |
| diff --git a/src/crypto/random.c b/src/crypto/random.c |
| index 053740e..beead08 100644 |
| --- a/src/crypto/random.c |
| +++ b/src/crypto/random.c |
| @@ -43,6 +43,12 @@ |
| #define EXTRACT_LEN 16 |
| #define MIN_READY_MARK 2 |
| |
| +#ifdef CONFIG_WEAK_URANDOM_LOW_SECURITY |
| +#define RANDOM_DEVICE "/dev/urandom" |
| +#else |
| +#define RANDOM_DEVICE "/dev/random" |
| +#endif |
| + |
| static u32 pool[POOL_WORDS]; |
| static unsigned int input_rotate = 0; |
| static unsigned int pool_pos = 0; |
| @@ -230,13 +236,13 @@ int random_pool_ready(void) |
| * so use non-blocking read to avoid blocking the application |
| * completely. |
| */ |
| - fd = open("/dev/random", O_RDONLY | O_NONBLOCK); |
| + fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK); |
| if (fd < 0) { |
| #ifndef CONFIG_NO_STDOUT_DEBUG |
| int error = errno; |
| - perror("open(/dev/random)"); |
| - wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s", |
| - strerror(error)); |
| + perror("open(" RANDOM_DEVICE ")"); |
| + wpa_printf(MSG_ERROR, "random: Cannot open %s: %s", |
| + RANDOM_DEVICE, strerror(error)); |
| #endif /* CONFIG_NO_STDOUT_DEBUG */ |
| return -1; |
| } |
| @@ -244,13 +250,14 @@ int random_pool_ready(void) |
| res = read(fd, dummy_key + dummy_key_avail, |
| sizeof(dummy_key) - dummy_key_avail); |
| if (res < 0) { |
| - wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: " |
| - "%s", strerror(errno)); |
| + wpa_printf(MSG_ERROR, "random: Cannot read from %s: %s", |
| + RANDOM_DEVICE, strerror(errno)); |
| res = 0; |
| } |
| - wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from " |
| - "/dev/random", (unsigned) res, |
| - (unsigned) (sizeof(dummy_key) - dummy_key_avail)); |
| + wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from %s", |
| + (unsigned) res, |
| + (unsigned) (sizeof(dummy_key) - dummy_key_avail), |
| + RANDOM_DEVICE); |
| dummy_key_avail += res; |
| close(fd); |
| |
| @@ -262,8 +269,9 @@ int random_pool_ready(void) |
| } |
| |
| wpa_printf(MSG_INFO, "random: Only %u/%u bytes of strong " |
| - "random data available from /dev/random", |
| - (unsigned) dummy_key_avail, (unsigned) sizeof(dummy_key)); |
| + "random data available from %s", |
| + (unsigned) dummy_key_avail, (unsigned) sizeof(dummy_key), |
| + RANDOM_DEVICE); |
| |
| if (own_pool_ready >= MIN_READY_MARK || |
| total_collected + 10 * own_pool_ready > MIN_COLLECT_ENTROPY) { |
| @@ -315,14 +323,15 @@ static void random_read_fd(int sock, void *eloop_ctx, void *sock_ctx) |
| res = read(sock, dummy_key + dummy_key_avail, |
| sizeof(dummy_key) - dummy_key_avail); |
| if (res < 0) { |
| - wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: " |
| - "%s", strerror(errno)); |
| + wpa_printf(MSG_ERROR, "random: Cannot read from %s: %s", |
| + RANDOM_DEVICE, strerror(errno)); |
| return; |
| } |
| |
| - wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from /dev/random", |
| + wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from %s", |
| (unsigned) res, |
| - (unsigned) (sizeof(dummy_key) - dummy_key_avail)); |
| + (unsigned) (sizeof(dummy_key) - dummy_key_avail), |
| + RANDOM_DEVICE); |
| dummy_key_avail += res; |
| |
| if (dummy_key_avail == sizeof(dummy_key)) { |
| @@ -415,18 +424,18 @@ void random_init(const char *entropy_file) |
| if (random_fd >= 0) |
| return; |
| |
| - random_fd = open("/dev/random", O_RDONLY | O_NONBLOCK); |
| + random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK); |
| if (random_fd < 0) { |
| #ifndef CONFIG_NO_STDOUT_DEBUG |
| int error = errno; |
| - perror("open(/dev/random)"); |
| - wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s", |
| - strerror(error)); |
| + perror("open(" RANDOM_DEVICE ")"); |
| + wpa_printf(MSG_ERROR, "random: Cannot open %s: %s", |
| + RANDOM_DEVICE, strerror(error)); |
| #endif /* CONFIG_NO_STDOUT_DEBUG */ |
| return; |
| } |
| wpa_printf(MSG_DEBUG, "random: Trying to read entropy from " |
| - "/dev/random"); |
| + RANDOM_DEVICE); |
| |
| eloop_register_read_sock(random_fd, random_read_fd, NULL, NULL); |
| #endif /* __linux__ */ |
| -- |
| 1.9.1.423.g4596e3a |
| |