From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 20 Nov 2019 10:28:53 +0000 (+0100)
Subject: - Fix Weak Entropy Used For Nettle,
X-Git-Tag: release-1.9.6rc1~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8809c672ac24b83f70f35eae60cf498d1eb1332;p=thirdparty%2Funbound.git

- Fix Weak Entropy Used For Nettle,
  reported by X41 D-Sec.
---

diff --git a/daemon/daemon.c b/daemon/daemon.c
index 65c1900d6..a407800b5 100644
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -429,9 +429,7 @@ daemon_create_workers(struct daemon* daemon)
 	int* shufport;
 	log_assert(daemon && daemon->cfg);
 	if(!daemon->rand) {
-		unsigned int seed = (unsigned int)time(NULL) ^ 
-			(unsigned int)getpid() ^ 0x438;
-		daemon->rand = ub_initstate(seed, NULL);
+		daemon->rand = ub_initstate(NULL);
 		if(!daemon->rand)
 			fatal_exit("could not init random generator");
 		hash_set_raninit((uint32_t)ub_random(daemon->rand));
diff --git a/daemon/worker.c b/daemon/worker.c
index 2d592e552..f4cfe0035 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1681,11 +1681,7 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
 		return NULL;
 	}
 	/* create random state here to avoid locking trouble in RAND_bytes */
-	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
-		(((unsigned int)worker->thread_num)<<17);
-		/* shift thread_num so it does not match out pid bits */
-	if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
-		explicit_bzero(&seed, sizeof(seed));
+	if(!(worker->rndstate = ub_initstate(daemon->rand))) {
 		log_err("could not init random numbers.");
 		tube_delete(worker->cmd);
 		free(worker->ports);
diff --git a/doc/Changelog b/doc/Changelog
index aa2c5df1c..cd1321578 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -6,6 +6,8 @@
 	- Fix Shared Memory World Writeable,
 	  reported by X41 D-Sec.
 	- Adjust unbound-control to make stats_shm a read only operation.
+	- Fix Weak Entropy Used For Nettle,
+	  reported by X41 D-Sec.
 
 19 November 2019: Wouter
 	- Fix CVE-2019-18934, shell execution in ipsecmod.
diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
index f86f56835..cbeaa05d5 100644
--- a/libunbound/libunbound.c
+++ b/libunbound/libunbound.c
@@ -86,7 +86,6 @@ int ctx_logfile_overridden = 0;
 static struct ub_ctx* ub_ctx_create_nopipe(void)
 {
 	struct ub_ctx* ctx;
-	unsigned int seed;
 #ifdef USE_WINSOCK
 	int r;
 	WSADATA wsa_data;
@@ -111,15 +110,12 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
 		return NULL;
 	}
 	alloc_init(&ctx->superalloc, NULL, 0);
-	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid();
-	if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) {
-		explicit_bzero(&seed, sizeof(seed));
+	if(!(ctx->seed_rnd = ub_initstate(NULL))) {
 		ub_randfree(ctx->seed_rnd);
 		free(ctx);
 		errno = ENOMEM;
 		return NULL;
 	}
-	explicit_bzero(&seed, sizeof(seed));
 	lock_basic_init(&ctx->qqpipe_lock);
 	lock_basic_init(&ctx->rrpipe_lock);
 	lock_basic_init(&ctx->cfglock);
diff --git a/libunbound/libworker.c b/libunbound/libworker.c
index 01621927e..6686a164f 100644
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@@ -122,7 +122,6 @@ libworker_delete_event(struct libworker* w)
 static struct libworker*
 libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 {
-	unsigned int seed;
 	struct libworker* w = (struct libworker*)calloc(1, sizeof(*w));
 	struct config_file* cfg = ctx->env->cfg;
 	int* ports;
@@ -177,17 +176,13 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 	}
 	w->env->worker = (struct worker*)w;
 	w->env->probe_timer = NULL;
-	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
-		(((unsigned int)w->thread_num)<<17);
-	seed ^= (unsigned int)w->env->alloc->next_id;
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_lock(&ctx->cfglock);
 	}
-	if(!(w->env->rnd = ub_initstate(seed, ctx->seed_rnd))) {
+	if(!(w->env->rnd = ub_initstate(ctx->seed_rnd))) {
 		if(!w->is_bg || w->is_bg_thread) {
 			lock_basic_unlock(&ctx->cfglock);
 		}
-		explicit_bzero(&seed, sizeof(seed));
 		libworker_delete(w);
 		return NULL;
 	}
@@ -207,7 +202,6 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 			hash_set_raninit((uint32_t)ub_random(w->env->rnd));
 		}
 	}
-	explicit_bzero(&seed, sizeof(seed));
 
 	if(eb)
 		w->base = comm_base_create_event(eb);
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
index e28be8c83..4b9a39cf8 100644
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@@ -538,10 +538,8 @@ rnd_test(void)
 	struct ub_randstate* r;
 	int num = 1000, i;
 	long int a[1000];
-	unsigned int seed = (unsigned)time(NULL);
 	unit_show_feature("ub_random");
-	printf("ub_random seed is %u\n", seed);
-	unit_assert( (r = ub_initstate(seed, NULL)) );
+	unit_assert( (r = ub_initstate(NULL)) );
 	for(i=0; i<num; i++) {
 		a[i] = ub_random(r);
 		unit_assert(a[i] >= 0);
diff --git a/util/random.c b/util/random.c
index 8332960b4..1bdad6894 100644
--- a/util/random.c
+++ b/util/random.c
@@ -86,8 +86,7 @@ ub_systemseed(unsigned int ATTR_UNUSED(seed))
 }
 
 struct ub_randstate* 
-ub_initstate(unsigned int ATTR_UNUSED(seed),
-	struct ub_randstate* ATTR_UNUSED(from))
+ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
 {
 	struct ub_randstate* s = (struct ub_randstate*)malloc(1);
 	if(!s) {
@@ -123,8 +122,7 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
 {
 }
 
-struct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed), 
-	struct ub_randstate* ATTR_UNUSED(from))
+struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
 {
 	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
 	if(!s) {
@@ -166,8 +164,7 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
 	log_err("Re-seeding not supported, generator untouched");
 }
 
-struct ub_randstate* ub_initstate(unsigned int seed,
-	struct ub_randstate* ATTR_UNUSED(from))
+struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
 {
 	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
 	uint8_t buf[YARROW256_SEED_FILE_SIZE];
@@ -183,15 +180,10 @@ struct ub_randstate* ub_initstate(unsigned int seed,
 		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
 		s->seeded = yarrow256_is_seeded(&s->ctx);
 	} else {
-		/* Stretch the uint32 input seed and feed it to Yarrow */
-		uint32_t v = seed;
-		size_t i;
-		for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
-			memmove(buf+i*sizeof(seed), &v, sizeof(seed));
-			v = v*seed + (uint32_t)i;
-		}
-		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
-		s->seeded = yarrow256_is_seeded(&s->ctx);
+		log_err("nettle random(yarrow) cannot initialize, "
+			"getentropy failed: %s", strerror(errno));
+		free(s);
+		return NULL;
 	}
 
 	return s;
diff --git a/util/random.h b/util/random.h
index a05a994a3..e75157d38 100644
--- a/util/random.h
+++ b/util/random.h
@@ -57,15 +57,12 @@ void ub_systemseed(unsigned int seed);
 
 /**
  * Initialize a random generator state for use 
- * @param seed: seed value to create state contents.
- *	(ignored for arc4random).
  * @param from: if not NULL, the seed is taken from this random structure.
  * 	can be used to seed random states via a parent-random-state that
  * 	is itself seeded with entropy.
  * @return new state or NULL alloc failure.
  */
-struct ub_randstate* ub_initstate(unsigned int seed, 
-	struct ub_randstate* from);
+struct ub_randstate* ub_initstate(struct ub_randstate* from);
 
 /**
  * Generate next random number from the state passed along.