mirror of
https://github.com/home-assistant/operating-system.git
synced 2025-11-27 03:17:15 +00:00
a0871be6c0
* Update buildroot-patches for 2020.11-rc1 buildroot * Update buildroot to 2020.11-rc1 Signed-off-by: Stefan Agner <stefan@agner.ch> * Don't rely on sfdisk --list-free output The --list-free (-F) argument does not allow machine readable mode. And it seems that the output format changes over time (different spacing, using size postfixes instead of raw blocks). Use sfdisk json output and calculate free partition space ourselfs. This works for 2.35 and 2.36 and is more robust since we rely on output which is meant for scripts to parse. * Migrate defconfigs for Buildroot 2020.11-rc1 In particular, rename BR2_TARGET_UBOOT_BOOT_SCRIPT(_SOURCE) to BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT(_SOURCE). * Rebase/remove systemd patches for systemd 246 * Drop apparmor/libapparmor from buildroot-external * hassos-persists: use /run as directory for lockfiles The U-Boot tools use /var/lock by default which is not created any more by systemd by default (it is under tmpfiles legacy.conf, which we no longer install). * Disable systemd-update-done.service The service is not suited for pure read-only systems. In particular the service needs to be able to write a file in /etc and /var. Remove the service. Note: This is a static service and cannot be removed using systemd-preset. * Disable apparmor.service for now The service loads all default profiles. Some might actually cause problems. E.g. the profile for ping seems not to match our setup for /etc/resolv.conf: [85503.634653] audit: type=1400 audit(1605286002.684:236): apparmor="DENIED" operation="open" profile="ping" name="/run/resolv.conf" pid=27585 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
114 lines
3.8 KiB
Diff
114 lines
3.8 KiB
Diff
From 330e8c8352eb0ed3c178ac6e0102403c0a835492 Mon Sep 17 00:00:00 2001
|
|
From: Jason Miller <jason@milr.com>
|
|
Date: Thu, 5 Jul 2018 20:53:51 -0700
|
|
Subject: [PATCH] Support urandom inside chroot
|
|
|
|
This adds a new default entropy function that uses a /dev/urandom stream
|
|
opened before the chroot. If initializing that fails, it fallsback on
|
|
HAVEGE only if HAVEGE is supported by the mbedTLS.
|
|
|
|
This should remove the hard requirement on HAVEGE
|
|
|
|
resolves #326
|
|
resolves #327
|
|
|
|
[Upstream status: https://github.com/mongrel2/mongrel2/pull/328]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
---
|
|
src/mongrel2.c | 7 -------
|
|
src/server.c | 36 +++++++++++++++++++++++-------------
|
|
2 files changed, 23 insertions(+), 20 deletions(-)
|
|
|
|
diff --git a/src/mongrel2.c b/src/mongrel2.c
|
|
index da632d95..48ece8a5 100644
|
|
--- a/src/mongrel2.c
|
|
+++ b/src/mongrel2.c
|
|
@@ -404,13 +404,6 @@ void taskmain(int argc, char **argv)
|
|
rc = attempt_chroot_drop(srv);
|
|
check(rc == 0, "Major failure in chroot/droppriv, aborting.");
|
|
|
|
- // set up rng after chroot
|
|
- // TODO: once mbedtls is updated, we can move this back into Server_create
|
|
- if(srv->use_ssl) {
|
|
- rc = Server_init_rng(srv);
|
|
- check(rc == 0, "Failed to initialize rng for server %s", bdata(srv->uuid));
|
|
- }
|
|
-
|
|
final_setup();
|
|
|
|
taskcreate(tickertask, NULL, TICKER_TASK_STACK);
|
|
diff --git a/src/server.c b/src/server.c
|
|
index 45761db4..e44e199b 100644
|
|
--- a/src/server.c
|
|
+++ b/src/server.c
|
|
@@ -149,35 +149,45 @@ static int Server_load_ciphers(Server *srv, bstring ssl_ciphers_val)
|
|
return -1;
|
|
}
|
|
|
|
+static int urandom_entropy_func(void *data, unsigned char *output, size_t len)
|
|
+{
|
|
+ FILE* urandom = (FILE *)data;
|
|
+ size_t rc = fread(output, 1, len, urandom);
|
|
+
|
|
+ if (rc != len) return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
int Server_init_rng(Server *srv)
|
|
{
|
|
int rc;
|
|
- unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
|
|
void *ctx = NULL;
|
|
|
|
- mbedtls_entropy_init( &srv->entropy );
|
|
+ FILE *urandom = fopen("/dev/urandom","r");
|
|
|
|
- // test the entropy source
|
|
- rc = mbedtls_entropy_func(&srv->entropy, buf, MBEDTLS_ENTROPY_BLOCK_SIZE);
|
|
-
|
|
- if(rc == 0) {
|
|
+ if(urandom != NULL) {
|
|
ctx = calloc(sizeof(mbedtls_ctr_drbg_context), 1);
|
|
|
|
mbedtls_ctr_drbg_init((mbedtls_ctr_drbg_context *)ctx);
|
|
rc = mbedtls_ctr_drbg_seed((mbedtls_ctr_drbg_context *)ctx,
|
|
- mbedtls_entropy_func, &srv->entropy, NULL, 0);
|
|
+ urandom_entropy_func, urandom, NULL, 0);
|
|
check(rc == 0, "Init rng failed: ctr_drbg_init returned %d\n", rc);
|
|
|
|
srv->rng_func = mbedtls_ctr_drbg_random;
|
|
srv->rng_ctx = ctx;
|
|
} else {
|
|
- log_warn("entropy source unavailable. falling back to havege rng");
|
|
|
|
+#if defined(MBEDTLS_HAVEGE_C)
|
|
+ log_warn("entropy source unavailable. falling back to havege rng");
|
|
ctx = calloc(sizeof(mbedtls_havege_state), 1);
|
|
mbedtls_havege_init((mbedtls_havege_state *)ctx);
|
|
-
|
|
srv->rng_func = mbedtls_havege_random;
|
|
srv->rng_ctx = ctx;
|
|
+#else
|
|
+ log_err("Unable to initialize urandom entropy source, and mbedTLS compiled without HAVEGE");
|
|
+ goto error;
|
|
+#endif
|
|
}
|
|
|
|
return 0;
|
|
@@ -278,10 +288,10 @@ Server *Server_create(bstring uuid, bstring default_host,
|
|
|
|
// TODO: once mbedtls supports opening urandom early and keeping it open,
|
|
// put the rng initialization back here (before chroot)
|
|
- //if(use_ssl) {
|
|
- // rc = Server_init_rng(srv);
|
|
- // check(rc == 0, "Failed to initialize rng for server %s", bdata(uuid));
|
|
- //}
|
|
+ if(use_ssl) {
|
|
+ rc = Server_init_rng(srv);
|
|
+ check(rc == 0, "Failed to initialize rng for server %s", bdata(uuid));
|
|
+ }
|
|
|
|
if(blength(chroot) > 0) {
|
|
srv->chroot = bstrcpy(chroot); check_mem(srv->chroot);
|