From: Holger Hans Peter Freyther holger@moiji-mobile.com
Instead of doing open/read/close all the time, open the FD in the beginning and keep it open. To scare me even more I have seen /dev/urandom actually providing a short read and then blocking, but it seems to be the best way to get the random bytes we need for authentication.
So one should/could run the cheap random generator on the system (e.g. haveged) or deal with the NAT process to block. --- openbsc/include/openbsc/bsc_nat.h | 3 +++ openbsc/src/osmo-bsc_nat/bsc_nat.c | 9 +++++++++ 2 files changed, 12 insertions(+)
diff --git a/openbsc/include/openbsc/bsc_nat.h b/openbsc/include/openbsc/bsc_nat.h
index 6921441..1035937 100644
--- a/openbsc/include/openbsc/bsc_nat.h
+++ b/openbsc/include/openbsc/bsc_nat.h
@@ -304,6 +304,9 @@ struct bsc_nat {
 /* control interface */
 struct ctrl_handle *ctrl;
+
+ /* for random values */
+ int random_fd;
 };
struct bsc_nat_ussd_con {
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index 841262c..82562ba 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -21,6 +21,8 @@
 *
 */
 #include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
@@ -31,6 +33,7 @@
 #include <stdlib.h>
 #include <time.h>
 #include <unistd.h>
+#include <fcntl.h>
#define _GNU_SOURCE
 #include <getopt.h>
@@ -1534,6 +1537,12 @@ int main(int argc, char **argv)
 /* We need to add mode-set for amr codecs */
 nat->sdp_ensure_amr_mode_set = 1;
+ nat->random_fd = open("/dev/random", O_RDONLY);
+ if (nat->random_fd < 0) {
+ fprintf(stderr, "Failed to open /dev/urandom.\n");
+ return -5;
+ }
+
 vty_info.copyright = openbsc_copyright;
 vty_init(&vty_info);
 logging_vty_add_cmds(&log_info);
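Review bot: The device that is opened and the device named in the error message disagree: `open("/dev/random", O_RDONLY)` opens /dev/random while the failure branch prints `"Failed to open /dev/urandom.\n"`, and the commit message also speaks of /dev/urandom, so a reader cannot tell which one is intended. Whichever it is, make the two agree, e.g. keep the path in one `static const char *random_dev = "/dev/random";` and use it both in the `open()` call and as `fprintf(stderr, "Failed to open %s.\n", random_dev);`. If /dev/random really is meant, a comment on the open should say that reads may block when the kernel pool is low and that the later consumers must cope with short reads, since a NAT stalled on the authentication path is a denial-of-service exposure the description already hints at. Consider `O_RDONLY | O_CLOEXEC` so the long-lived descriptor is not inherited across any exec the process performs. main()'s body continues outside the hunk.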