jeltz
/
hostap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
vlan_per_psk_v2
vlan_per_psk
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'vlan_per_psk'
${ noResults }
hostap/src/crypto/random.c

479 lines
12 KiB
C
Raw Permalink Normal View History Unescape Escape

Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
/*
* Random number generator
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
* Copyright (c) 2010-2011, Jouni Malinen <j@w1.fi>
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
*
Remove the GPL notification from files contributed by Jouni Malinen Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
12 years ago
* This software may be distributed under the terms of the BSD license.
* See README for more details.
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
*
* This random number generator is used to provide additional entropy to the
* one provided by the operating system (os_get_random()) for session key
* generation. The os_get_random() output is expected to be secure and the
* implementation here is expected to provide only limited protection against
* cases where os_get_random() cannot provide strong randomness. This
* implementation shall not be assumed to be secure as the sole source of
* randomness. The random_get_bytes() function mixes in randomness from
* os_get_random() and as such, calls to os_get_random() can be replaced with
* calls to random_get_bytes() without reducing security.
*
* The design here follows partially the design used in the Linux
* drivers/char/random.c, but the implementation here is simpler and not as
* strong. This is a compromise to reduce duplicated CPU effort and to avoid
* extra code/memory size. As pointed out above, os_get_random() needs to be
* guaranteed to be secure for any of the security assumptions to hold.
*/
#include "utils/includes.h"
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
#ifdef __linux__
#include <fcntl.h>
crypto: Add option to use getrandom() According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time: "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized." An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively). Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
7 years ago
#ifdef CONFIG_GETRANDOM
#include <sys/random.h>
#endif /* CONFIG_GETRANDOM */
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
#endif /* __linux__ */
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
#include "utils/common.h"
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
#include "utils/eloop.h"
FIPS: Mix in OpenSSL RAND_bytes() into random_get_bytes() Make sure that the OpenSSL DRBG gets used when generating random numbers in FIPS mode. Signed-hostap: Jouni Malinen <j@w1.fi>
12 years ago
#include "crypto/crypto.h"
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
#include "sha1.h"
#include "random.h"
#define POOL_WORDS 32
#define POOL_WORDS_MASK (POOL_WORDS - 1)
#define POOL_TAP1 26
#define POOL_TAP2 20
#define POOL_TAP3 14
#define POOL_TAP4 7
#define POOL_TAP5 1
#define EXTRACT_LEN 16
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
#define MIN_READY_MARK 2
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
static u32 pool[POOL_WORDS];
static unsigned int input_rotate = 0;
static unsigned int pool_pos = 0;
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
static u8 dummy_key[20];
Removed unused variable from non-Linux builds
14 years ago
#ifdef __linux__
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
static size_t dummy_key_avail = 0;
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
static int random_fd = -1;
Removed unused variable from non-Linux builds
14 years ago
#endif /* __linux__ */
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
static unsigned int own_pool_ready = 0;
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
#define RANDOM_ENTROPY_SIZE 20
static char *random_entropy_file = NULL;
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
#define MIN_COLLECT_ENTROPY 1000
static unsigned int entropy = 0;
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
static unsigned int total_collected = 0;
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
static void random_write_entropy(void);
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
static u32 __ROL32(u32 x, u32 y)
{
crypto: Fix undefined behavior in random number generator ubsan reported: ../src/crypto/random.c:69:30: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' Explicitly check for the ROL32(x, 0) case which is supposed to be a no-op. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
7 years ago
if (y == 0)
return x;
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
return (x << (y & 31)) | (x >> (32 - (y & 31)));
}
static void random_mix_pool(const void *buf, size_t len)
{
static const u32 twist[8] = {
0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278
};
const u8 *pos = buf;
u32 w;
wpa_hexdump_key(MSG_EXCESSIVE, "random_mix_pool", buf, len);
while (len--) {
w = __ROL32(*pos++, input_rotate & 31);
input_rotate += pool_pos ? 7 : 14;
pool_pos = (pool_pos - 1) & POOL_WORDS_MASK;
w ^= pool[pool_pos];
w ^= pool[(pool_pos + POOL_TAP1) & POOL_WORDS_MASK];
w ^= pool[(pool_pos + POOL_TAP2) & POOL_WORDS_MASK];
w ^= pool[(pool_pos + POOL_TAP3) & POOL_WORDS_MASK];
w ^= pool[(pool_pos + POOL_TAP4) & POOL_WORDS_MASK];
w ^= pool[(pool_pos + POOL_TAP5) & POOL_WORDS_MASK];
pool[pool_pos] = (w >> 3) ^ twist[w & 7];
}
}
static void random_extract(u8 *out)
{
unsigned int i;
u8 hash[SHA1_MAC_LEN];
u32 *hash_ptr;
u32 buf[POOL_WORDS / 2];
/* First, add hash back to pool to make backtracking more difficult. */
hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) pool,
sizeof(pool), hash);
random_mix_pool(hash, sizeof(hash));
/* Hash half the pool to extra data */
for (i = 0; i < POOL_WORDS / 2; i++)
buf[i] = pool[(pool_pos - i) & POOL_WORDS_MASK];
hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) buf,
sizeof(buf), hash);
/*
* Fold the hash to further reduce any potential output pattern.
* Though, compromise this to reduce CPU use for the most common output
* length (32) and return 16 bytes from instead of only half.
*/
hash_ptr = (u32 *) hash;
hash_ptr[0] ^= hash_ptr[4];
os_memcpy(out, hash, EXTRACT_LEN);
}
void random_add_randomness(const void *buf, size_t len)
{
struct os_time t;
static unsigned int count = 0;
count++;
if (entropy > MIN_COLLECT_ENTROPY && (count & 0x3ff) != 0) {
/*
* No need to add more entropy at this point, so save CPU and
* skip the update.
*/
return;
}
Make random_add_randomness() debug print less verbose Mark the debug print excessive and print it only in case the entropy collection is used since this function can get called pretty frequently. Signed-hostap: Jouni Malinen <j@w1.fi>
12 years ago
wpa_printf(MSG_EXCESSIVE, "Add randomness: count=%u entropy=%u",
count, entropy);
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
os_get_time(&t);
wpa_hexdump_key(MSG_EXCESSIVE, "random pool",
(const u8 *) pool, sizeof(pool));
random_mix_pool(&t, sizeof(t));
random_mix_pool(buf, len);
wpa_hexdump_key(MSG_EXCESSIVE, "random pool",
(const u8 *) pool, sizeof(pool));
entropy++;
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
total_collected++;
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
}
int random_get_bytes(void *buf, size_t len)
{
int ret;
u8 *bytes = buf;
size_t left;
wpa_printf(MSG_MSGDUMP, "Get randomness: len=%u entropy=%u",
(unsigned int) len, entropy);
/* Start with assumed strong randomness from OS */
ret = os_get_random(buf, len);
wpa_hexdump_key(MSG_EXCESSIVE, "random from os_get_random",
buf, len);
/* Mix in additional entropy extracted from the internal pool */
left = len;
while (left) {
size_t siz, i;
u8 tmp[EXTRACT_LEN];
random_extract(tmp);
wpa_hexdump_key(MSG_EXCESSIVE, "random from internal pool",
tmp, sizeof(tmp));
siz = left > EXTRACT_LEN ? EXTRACT_LEN : left;
for (i = 0; i < siz; i++)
*bytes++ ^= tmp[i];
left -= siz;
}
FIPS: Mix in OpenSSL RAND_bytes() into random_get_bytes() Make sure that the OpenSSL DRBG gets used when generating random numbers in FIPS mode. Signed-hostap: Jouni Malinen <j@w1.fi>
12 years ago
#ifdef CONFIG_FIPS
/* Mix in additional entropy from the crypto module */
random: Fix random_get_bytes() with CONFIG_FIPS=y The bytes pointer was not reset back to the beginning of the buffer when mixing in additional entropy from the crypto module. This resulted in writing beyond the return buffer and not getting the required mixing of the extra entropy for the actual return buffer. Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago
bytes = buf;
FIPS: Mix in OpenSSL RAND_bytes() into random_get_bytes() Make sure that the OpenSSL DRBG gets used when generating random numbers in FIPS mode. Signed-hostap: Jouni Malinen <j@w1.fi>
12 years ago
left = len;
while (left) {
size_t siz, i;
u8 tmp[EXTRACT_LEN];
if (crypto_get_random(tmp, sizeof(tmp)) < 0) {
wpa_printf(MSG_ERROR, "random: No entropy available "
"for generating strong random bytes");
return -1;
}
wpa_hexdump_key(MSG_EXCESSIVE, "random from crypto module",
tmp, sizeof(tmp));
siz = left > EXTRACT_LEN ? EXTRACT_LEN : left;
for (i = 0; i < siz; i++)
*bytes++ ^= tmp[i];
left -= siz;
}
#endif /* CONFIG_FIPS */
Maintain internal entropy pool for augmenting random number generation By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information: hostapd: - Probe Request frames (timing, RSSI) - Association events (timing) - SNonce from Supplicants wpa_supplicant: - Scan results (timing, signal/noise) - Association events (timing) The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD). This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold. If the os_get_random() is known to provide strong ramdom data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
14 years ago
wpa_hexdump_key(MSG_EXCESSIVE, "mixed random", buf, len);
if (entropy < len)
entropy = 0;
else
entropy -= len;
return ret;
}
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
int random_pool_ready(void)
{
#ifdef __linux__
int fd;
ssize_t res;
/*
* Make sure that there is reasonable entropy available before allowing
* some key derivation operations to proceed.
*/
if (dummy_key_avail == sizeof(dummy_key))
return 1; /* Already initialized - good to continue */
/*
crypto: Add option to use getrandom() According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time: "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized." An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively). Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
7 years ago
* Try to fetch some more data from the kernel high quality RNG.
* There may not be enough data available at this point,
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
* so use non-blocking read to avoid blocking the application
* completely.
*/
crypto: Add option to use getrandom() According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time: "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized." An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively). Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
7 years ago
#ifdef CONFIG_GETRANDOM
res = getrandom(dummy_key + dummy_key_avail,
sizeof(dummy_key) - dummy_key_avail, GRND_NONBLOCK);
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
if (res < 0) {
crypto: Add option to use getrandom() According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time: "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized." An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively). Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
7 years ago
if (errno == ENOSYS) {
wpa_printf(MSG_DEBUG,
"random: getrandom() not supported, falling back to /dev/random");
} else {
wpa_printf(MSG_INFO,
"random: no data from getrandom(): %s",
strerror(errno));
res = 0;
}
}
#else /* CONFIG_GETRANDOM */
res = -1;
#endif /* CONFIG_GETRANDOM */
if (res < 0) {
fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
if (fd < 0) {
wpa_printf(MSG_ERROR,
"random: Cannot open /dev/random: %s",
strerror(errno));
return -1;
}
res = read(fd, dummy_key + dummy_key_avail,
sizeof(dummy_key) - dummy_key_avail);
if (res < 0) {
wpa_printf(MSG_ERROR,
"random: Cannot read from /dev/random: %s",
strerror(errno));
res = 0;
}
close(fd);
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
}
crypto: Add option to use getrandom() According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time: "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized." An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively). Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
7 years ago
wpa_printf(MSG_DEBUG, "random: Got %u/%u random bytes", (unsigned) res,
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
(unsigned) (sizeof(dummy_key) - dummy_key_avail));
dummy_key_avail += res;
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
if (dummy_key_avail == sizeof(dummy_key)) {
if (own_pool_ready < MIN_READY_MARK)
own_pool_ready = MIN_READY_MARK;
random_write_entropy();
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
return 1;
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
}
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
wpa_printf(MSG_INFO, "random: Only %u/%u bytes of strong "
crypto: Add option to use getrandom() According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time: "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized." An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively). Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
7 years ago
"random data available",
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
(unsigned) dummy_key_avail, (unsigned) sizeof(dummy_key));
if (own_pool_ready >= MIN_READY_MARK ||
total_collected + 10 * own_pool_ready > MIN_COLLECT_ENTROPY) {
wpa_printf(MSG_INFO, "random: Allow operation to proceed "
"based on internal entropy");
return 1;
}
wpa_printf(MSG_INFO, "random: Not enough entropy pool available for "
"secure operations");
return 0;
#else /* __linux__ */
/* TODO: could do similar checks on non-Linux platforms */
return 1;
#endif /* __linux__ */
}
void random_mark_pool_ready(void)
{
own_pool_ready++;
wpa_printf(MSG_DEBUG, "random: Mark internal entropy pool to be "
"ready (count=%u/%u)", own_pool_ready, MIN_READY_MARK);
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
random_write_entropy();
hostapd: Verify availability of random data when using WPA/WPA2 On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
14 years ago
}
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
#ifdef __linux__
static void random_close_fd(void)
{
if (random_fd >= 0) {
eloop_unregister_read_sock(random_fd);
close(random_fd);
random_fd = -1;
}
}
static void random_read_fd(int sock, void *eloop_ctx, void *sock_ctx)
{
ssize_t res;
if (dummy_key_avail == sizeof(dummy_key)) {
random_close_fd();
return;
}
res = read(sock, dummy_key + dummy_key_avail,
sizeof(dummy_key) - dummy_key_avail);
if (res < 0) {
wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: "
"%s", strerror(errno));
return;
}
wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from /dev/random",
(unsigned) res,
(unsigned) (sizeof(dummy_key) - dummy_key_avail));
dummy_key_avail += res;
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
if (dummy_key_avail == sizeof(dummy_key)) {
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
random_close_fd();
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
if (own_pool_ready < MIN_READY_MARK)
own_pool_ready = MIN_READY_MARK;
random_write_entropy();
}
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
}
#endif /* __linux__ */
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
static void random_read_entropy(void)
{
char *buf;
size_t len;
if (!random_entropy_file)
return;
buf = os_readfile(random_entropy_file, &len);
if (buf == NULL)
return; /* entropy file not yet available */
if (len != 1 + RANDOM_ENTROPY_SIZE) {
wpa_printf(MSG_DEBUG, "random: Invalid entropy file %s",
random_entropy_file);
os_free(buf);
return;
}
own_pool_ready = (u8) buf[0];
random_add_randomness(buf + 1, RANDOM_ENTROPY_SIZE);
os_free(buf);
wpa_printf(MSG_DEBUG, "random: Added entropy from %s "
"(own_pool_ready=%u)",
random_entropy_file, own_pool_ready);
}
static void random_write_entropy(void)
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
{
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
char buf[RANDOM_ENTROPY_SIZE];
FILE *f;
u8 opr;
random: Check fwrite return value to avoid warnings Some compilers complain about fwrite calls if the return value is not checked, so check the value even if it does not really make much of a difference in this particular case.
13 years ago
int fail = 0;
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
if (!random_entropy_file)
return;
Check random_get_bytes() result before writing entropy file
13 years ago
if (random_get_bytes(buf, RANDOM_ENTROPY_SIZE) < 0)
return;
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
f = fopen(random_entropy_file, "wb");
if (f == NULL) {
random: Improve error messages about writing to entropy file
13 years ago
wpa_printf(MSG_ERROR, "random: Could not open entropy file %s "
"for writing", random_entropy_file);
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
return;
}
opr = own_pool_ready > 0xff ? 0xff : own_pool_ready;
random: Check fwrite return value to avoid warnings Some compilers complain about fwrite calls if the return value is not checked, so check the value even if it does not really make much of a difference in this particular case.
13 years ago
if (fwrite(&opr, 1, 1, f) != 1 ||
fwrite(buf, RANDOM_ENTROPY_SIZE, 1, f) != 1)
fail = 1;
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
fclose(f);
random: Check fwrite return value to avoid warnings Some compilers complain about fwrite calls if the return value is not checked, so check the value even if it does not really make much of a difference in this particular case.
13 years ago
if (fail) {
random: Improve error messages about writing to entropy file
13 years ago
wpa_printf(MSG_ERROR, "random: Could not write entropy data "
"to %s", random_entropy_file);
random: Check fwrite return value to avoid warnings Some compilers complain about fwrite calls if the return value is not checked, so check the value even if it does not really make much of a difference in this particular case.
13 years ago
return;
}
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
wpa_printf(MSG_DEBUG, "random: Updated entropy file %s "
"(own_pool_ready=%u)",
random_entropy_file, own_pool_ready);
}
void random_init(const char *entropy_file)
{
os_free(random_entropy_file);
if (entropy_file)
random_entropy_file = os_strdup(entropy_file);
else
random_entropy_file = NULL;
random_read_entropy();
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
#ifdef __linux__
if (random_fd >= 0)
return;
crypto: Add option to use getrandom() According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time: "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized." An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively). Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
7 years ago
#ifdef CONFIG_GETRANDOM
{
u8 dummy;
if (getrandom(&dummy, 0, GRND_NONBLOCK) == 0 ||
errno != ENOSYS) {
wpa_printf(MSG_DEBUG,
"random: getrandom() support available");
return;
}
}
#endif /* CONFIG_GETRANDOM */
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
random_fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
if (random_fd < 0) {
wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s",
Clean up debug prints to use wpa_printf() This converts most of the remaining perror() and printf() calls from hostapd and wpa_supplicant to use wpa_printf(). Signed-off-by: Jouni Malinen <j@w1.fi>
10 years ago
strerror(errno));
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
return;
}
wpa_printf(MSG_DEBUG, "random: Trying to read entropy from "
"/dev/random");
eloop_register_read_sock(random_fd, random_read_fd, NULL, NULL);
#endif /* __linux__ */
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
random_write_entropy();
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
}
void random_deinit(void)
{
#ifdef __linux__
random_close_fd();
#endif /* __linux__ */
random: Add support for maintaining internal entropy store over restarts This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
13 years ago
random_write_entropy();
os_free(random_entropy_file);
random_entropy_file = NULL;
random: Read /dev/random in the background with eloop read socket This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
13 years ago
}