authorHolger Hans Peter Freyther <holger@moiji-mobile.com>2015-07-01 08:34:16 +0200
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2015-07-01 08:34:16 +0200
commit9f95ae888589dfddfe1fd325d0fb2f8361f03fab (patch)
treee2e7e132ea1a0483c1b7bec4910aa4f99e1fd8e6
parent8ee53ed9ec5e5f045778ab8b30f10cb86ec55c4a (diff)
nat: Use RAND_bytes instead of /dev/urandom
We don't need to consume all the entropy of the kernel but can use libcrypto (OpenSSL) to generate random data. It is not clear if we need to call RAND_load_file but I think we can assume that our Unices have a /dev/urandom. This takes less CPU time, provides good enough entropy (in theory) and leaves some in the kernel entropy pool.
-rw-r--r--openbsc/configure.ac1
-rw-r--r--openbsc/include/openbsc/bsc_nat.h3
-rw-r--r--openbsc/src/osmo-bsc_nat/Makefile.am4
-rw-r--r--openbsc/src/osmo-bsc_nat/bsc_nat.c24
4 files changed, 8 insertions, 24 deletions
diff --git a/openbsc/configure.ac b/openbsc/configure.ac
index fb6feb9b9..0af573af3 100644
--- a/openbsc/configure.ac
+++ b/openbsc/configure.ac
@@ -35,6 +35,7 @@ AC_ARG_ENABLE([nat], [AS_HELP_STRING([--enable-nat], [Build the BSC NAT. Require
[osmo_ac_build_nat="$enableval"],[osmo_ac_build_nat="no"])
if test "$osmo_ac_build_nat" = "yes" ; then
PKG_CHECK_MODULES(LIBOSMOSCCP, libosmo-sccp >= 0.0.2)
+ PKG_CHECK_MODULES(LIBCRYPTO, libcrypto)
fi
AM_CONDITIONAL(BUILD_NAT, test "x$osmo_ac_build_nat" = "xyes")
AC_SUBST(osmo_ac_build_nat)
diff --git a/openbsc/include/openbsc/bsc_nat.h b/openbsc/include/openbsc/bsc_nat.h
index 72773a981..3090eb045 100644
--- a/openbsc/include/openbsc/bsc_nat.h
+++ b/openbsc/include/openbsc/bsc_nat.h
@@ -307,9 +307,6 @@ struct bsc_nat {
/* control interface */
struct ctrl_handle *ctrl;
-
- /* for random values */
- int random_fd;
};
struct bsc_nat_ussd_con {
diff --git a/openbsc/src/osmo-bsc_nat/Makefile.am b/openbsc/src/osmo-bsc_nat/Makefile.am
index d96a3911f..4a6f74dea 100644
--- a/openbsc/src/osmo-bsc_nat/Makefile.am
+++ b/openbsc/src/osmo-bsc_nat/Makefile.am
@@ -1,5 +1,5 @@
AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include -I$(top_builddir)
-AM_CFLAGS=-Wall $(LIBOSMOCORE_CFLAGS) $(LIBOSMOGSM_CFLAGS) $(LIBOSMOVTY_CFLAGS) $(LIBOSMOCTRL_CFLAGS) $(LIBOSMOSCCP_CFLAGS) $(LIBOSMOABIS_CFLAGS) $(LIBOSMONETIF_CFLAGS) $(COVERAGE_CFLAGS)
+AM_CFLAGS=-Wall $(LIBOSMOCORE_CFLAGS) $(LIBOSMOGSM_CFLAGS) $(LIBOSMOVTY_CFLAGS) $(LIBOSMOCTRL_CFLAGS) $(LIBOSMOSCCP_CFLAGS) $(LIBOSMOABIS_CFLAGS) $(LIBOSMONETIF_CFLAGS) $(LIBCRYPTO_CFLAGS) $(COVERAGE_CFLAGS)
AM_LDFLAGS = $(COVERAGE_LDFLAGS)
bin_PROGRAMS = osmo-bsc_nat
@@ -16,4 +16,4 @@ osmo_bsc_nat_LDADD = \
$(top_builddir)/src/libfilter/libfilter.a \
-lrt $(LIBOSMOSCCP_LIBS) $(LIBOSMOCORE_LIBS) \
$(LIBOSMOGSM_LIBS) $(LIBOSMOVTY_LIBS) $(LIBOSMOCTRL_LIBS) \
- $(LIBOSMOABIS_LIBS) $(LIBOSMONETIF_LIBS)
+ $(LIBOSMOABIS_LIBS) $(LIBOSMONETIF_LIBS) $(LIBCRYPTO_LIBS)
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index 581193e5a..1fc262df5 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -69,6 +69,8 @@
#include <osmocom/abis/ipa.h>
+#include <openssl/rand.h>
+
#include "../../bscconfig.h"
#define SCCP_CLOSE_TIME 20
@@ -204,8 +206,7 @@ static void send_id_req(struct bsc_nat *nat, struct bsc_connection *bsc)
0x01, IPAC_IDTAG_SERNR,
};
- int toread, rounds;
- uint8_t *mrand, *randoff;
+ uint8_t *mrand;
uint8_t id_req[sizeof(s_id_req) + (2+16)];
uint8_t *buf = &id_req[sizeof(s_id_req)];
@@ -216,19 +217,10 @@ static void send_id_req(struct bsc_nat *nat, struct bsc_connection *bsc)
buf = v_put(buf, 0x11);
buf = v_put(buf, 0x23);
mrand = bsc->last_rand;
- randoff = mrand;
- memset(randoff, 0, 16);
-
- for (toread = 16, rounds = 0; rounds < 5 && toread > 0; ++rounds) {
- int rc = read(nat->random_fd, randoff, toread);
- if (rc <= 0)
- goto failed_random;
- toread -= rc;
- randoff += rc;
- }
- if (toread != 0)
+ if (RAND_bytes(mrand, 16) != 1)
goto failed_random;
+
memcpy(buf, mrand, 16);
buf += 16;
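Review bot: When `RAND_bytes(mrand, 16)` does not return 1 the new code jumps to `failed_random` without recording why, and unlike the removed read() loop there is no errno to inspect; OpenSSL puts the reason (typically an unseeded generator or an unsupported RAND method, which returns -1 and is correctly caught by `!= 1`) on its own error queue. The `failed_random` label lies outside the hunk, so I cannot see what it does, but the error should be surfaced there, e.g. `LOGP(DNAT, LOGL_ERROR, "RAND_bytes failed: %s\n", ERR_error_string(ERR_get_error(), NULL));` with `<openssl/err.h>` included next to `<openssl/rand.h>`. Note also that the old `memset(randoff, 0, 16)` is gone, so on failure `bsc->last_rand` keeps its previous contents; that is fine only if `failed_random` never sends or stores the stale value, which is worth confirming. Finally, the length 16 now appears in `RAND_bytes`, `memcpy`, `buf += 16` and the `id_req` sizing; a single named constant such as `enum { ID_REQ_RAND_LEN = 16 };` would keep them from drifting apart.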
@@ -1628,12 +1620,6 @@ int main(int argc, char **argv)
/* We need to add mode-set for amr codecs */
nat->sdp_ensure_amr_mode_set = 1;
- nat->random_fd = open("/dev/random", O_RDONLY);
- if (nat->random_fd < 0) {
- fprintf(stderr, "Failed to open /dev/urandom.\n");
- return -5;
- }
-
vty_info.copyright = openbsc_copyright;
vty_init(&vty_info);
logging_vty_add_cmds(&log_info);