rec: Initialize OpenSSL before chrooting #4040

Merged
merged 1 commit into from Jul 1, 2016


@pieterlexis
Member

When chroot()'ing into a 'bare' directory, /dev/random is not available.
This means that OpenSSL cannot gather randomness and all validations
will fail.

Closes #3994

@rgacogne rgacogne and 2 others commented on an outdated diff Jun 24, 2016
pdns/pdns_recursor.cc
@@ -2566,6 +2567,9 @@ int serviceMain(int argc, char*argv[])
showProductVersion();
seedRandom(::arg()["entropy-source"]);
+ openssl_thread_setup();
+ openssl_seed();
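Review bot: the added openssl_seed() call runs once in serviceMain(), directly after seedRandom(), and nothing in this hunk reseeds later. If the process forks after this point, each child starts from the same OpenSSL PRNG state, so either reseed in the child after fork() or add a comment stating why the current use makes that acceptable. A one-line comment above the two new calls saying they must run before chroot() because /dev/random is not available afterwards would also stop them from being moved further down at a later date.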
@rgacogne
rgacogne Jun 24, 2016 Member

We should call openssl_seed() after fork(), if I'm not mistaken: https://wiki.openssl.org/index.php/Random_fork-safety

@pieterlexis
pieterlexis Jun 24, 2016 Member

I don't believe we need the randomness anyway when only verifying signatures (although something about ecc is nagging in the back of my mind)

@rgacogne
rgacogne Jun 25, 2016 Member

You are right, but I'm worried about what is going to happen when/if one day we use openssl for something else than verifying signatures :-)

@Habbie
Habbie Jun 25, 2016 Member

That nagging on the back of your mind is the stuff deterministic ECDSA fixes. Our core randomness need for openssl is generating keys, which indeed we do not do today in the recursor, but let's get this right from the start :)
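The fork-safety concern raised in the review thread above, as an added example (not PowerDNS or OpenSSL code): a toy, non-cryptographic xorshift64 generator stands in for PRNG state held in process memory, and shows that parent and child emit the same value after fork() unless the child reseeds. The names `prng_seed`, `prng_next` and `outputs_collide_after_fork` are hypothetical, and the example assumes /dev/urandom is readable, which is exactly what a bare chroot takes away.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy xorshift64 state: a stand-in for any generator kept in process memory. */
static uint64_t prng_state;

/* Seed from the kernel. The fopen() is the step that fails inside a bare chroot. */
static int prng_seed(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(&prng_state, sizeof prng_state, 1, f);
    fclose(f);
    if (n != 1) return -1;
    prng_state |= 1;                 /* xorshift state must never be zero */
    return 0;
}

static uint64_t prng_next(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 7;
    prng_state ^= prng_state << 17;
    return prng_state;
}

/* Seed, fork, and compare the first output drawn on each side of the fork.
 * Returns 1 if parent and child drew the same value, 0 if not, -1 on error. */
static int outputs_collide_after_fork(int reseed_in_child) {
    int fds[2];
    uint64_t child_val = 0;
    if (prng_seed() != 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                  /* child: memory is a copy of the parent's */
        if (reseed_in_child && prng_seed() != 0) _exit(1);
        uint64_t v = prng_next();
        ssize_t w = write(fds[1], &v, sizeof v);
        _exit(w == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    ssize_t r = read(fds[0], &child_val, sizeof child_val);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (r != (ssize_t)sizeof child_val) return -1;
    return prng_next() == child_val;
}

int main(void) {
    printf("no reseed: %d, reseed in child: %d\n",
           outputs_collide_after_fork(0), outputs_collide_after_fork(1));
    return 0;
}
```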

@pieterlexis pieterlexis rec: Initialize OpenSSL before chrooting
When chroot()'ing into a 'bare' directory, /dev/random is not available.
This means that OpenSSL cannot gather randomness and all validations
will fail.

Closes #3994
3afde9b
@pieterlexis
Member

could use another quick once-over

@Habbie Habbie merged commit 309df5b into PowerDNS:master Jul 1, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:rec-chroot-dnssec branch Jul 1, 2016