--- gvpe/src/gvpe.C 2011/02/15 13:31:23 1.19
+++ gvpe/src/gvpe.C 2013/07/16 16:44:36 1.25
@@ -2,7 +2,7 @@
 gvpe.C -- the main file for gvpe
 Copyright (C) 1998-2002 Ivo Timmermans
 2000-2002 Guus Sliepen
- 2003-2011 Marc Lehmann
+ 2003-2013 Marc Lehmann
 This file is part of GVPE.
@@ -42,6 +42,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -61,6 +62,7 @@
 #include "util.h"
 #include "vpn.h"
 #include "ev_cpp.h"
+#include "hkdf.h"
 static loglevel llevel = L_NONE;
@@ -208,11 +210,65 @@
 act.sa_handler = sigterm_handler;
 sigaction (SIGTERM, &act, NULL);
 }
+static int rand_fd;
+
+// antique C++ requires external linkage :/
+void
+reseed_rng (ev::timer &w, int revents)
+{
+ char buf [SEED_SIZE];
+ int n = read (rand_fd, buf, sizeof (buf));
+
+ if (n > 0)
+ RAND_seed (buf, n);
+}
+
+static void
+setup_rng (void)
+{
+ if (!*conf.seed_dev)
+ return;
+
+#ifndef O_BINARY
+# define O_BINARY 0
+#endif
+#ifndef O_NONBLOCK
+# define O_NONBLOCK 0
+#endif
+
+ rand_fd = open (conf.seed_dev, O_RDONLY | O_NONBLOCK | O_BINARY);
+
+ if (rand_fd < 0)
+ {
+ slog (L_ERR, _("unable to open seed device '%s': %s, exiting."), conf.seed_dev, strerror (errno));
+ exit (EXIT_FAILURE);
+ }
+
+ static ev::timer reseed_timer;
+
+ if (conf.reseed)
+ {
+ reseed_timer.set ();
+ reseed_timer.set (conf.reseed, conf.reseed);
+ reseed_timer.start (EV_DEFAULT);
+ }
+
+ reseed_rng (reseed_timer, 0);
+}
+
 int
 main (int argc, char **argv, char **envp)
 {
 ERR_load_crypto_strings (); // we have the RAM
+ require (EVP_MD_size (MAC_DIGEST ()) == HASH_SIZE (MAC_DIGEST ));
+ require (EVP_MD_size (AUTH_DIGEST ()) == HASH_SIZE (AUTH_DIGEST));
+ require (EVP_CIPHER_key_length (CIPHER ()) == KEY_SIZE (CIPHER ));
+ require (EVP_CIPHER_block_size (CIPHER ()) == BLOCK_SIZE (CIPHER ));
+
+ curve25519_verify ();
+ hkdf::verify ();
+
 set_loglevel (L_INFO);
 set_identity (argv[0]);
 log_to (LOGTO_SYSLOG | LOGTO_STDERR);
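Review bot: reseed_rng discards every failed read on rand_fd without a trace, so a seed device that stops delivering after start-up, or an initial read that returns -1 with EAGAIN because the descriptor is O_NONBLOCK and the device has nothing to hand out yet, leaves the PRNG running on whatever OpenSSL seeded itself with and nothing in the log says so. A single check in the callback makes that detectable: `if (n < 0 && errno != EAGAIN) slog (L_ERR, _("read from seed device '%s' failed: %s"), conf.seed_dev, strerror (errno));` (message text is a constructed example). setup_rng also leaves rand_fd open for the daemon's lifetime without FD_CLOEXEC; `fcntl (rand_fd, F_SETFD, FD_CLOEXEC);` right after the open keeps it from being inherited by any process the daemon spawns. The unused `w` and `revents` parameters of reseed_rng are fine for a libev callback, but a one-line comment saying setup_rng also calls it directly for the initial seeding would spare the next reader a search.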
@@ -232,7 +288,7 @@
 VERSION, __DATE__, __TIME__, PROTOCOL_MAJOR, PROTOCOL_MINOR);
 printf (_("Built with kernel interface %s/%s.\n"), IFTYPE, IFSUBTYPE);
 printf (_
- ("Copyright (C) 2003-2008 Marc Lehmann and others.\n"
+ ("Copyright (C) 2003-2011 Marc Lehmann and others.\n"
 "See the AUTHORS file for a complete list.\n\n"
 "GVPE comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
 "and you are welcome to redistribute it under certain conditions;\n"
@@ -272,7 +328,7 @@
 set_loglevel (llevel != L_NONE ? llevel : conf.llevel);
- RAND_load_file ("/dev/urandom", 1024);
+ setup_rng ();
 if (!THISNODE)
 {
@@ -287,12 +343,13 @@
 setup_signals ();
 if (!network.setup ())
- {
- ev_loop (EV_DEFAULT_ 0);
- cleanup_and_exit (EXIT_FAILURE);
- }
+ if (network.drop_privileges ())
+ {
+ ev_run (EV_DEFAULT_ 0);
+ cleanup_and_exit (EXIT_FAILURE);
+ }
- slog (L_ERR, _("unrecoverable error while setting up network, exiting."));
+ slog (L_CRIT, _("unrecoverable error while setting up network, exiting."));
 cleanup_and_exit (EXIT_FAILURE);
 }
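Review bot: setup_rng () returns without touching the PRNG when conf.seed_dev is empty, whereas the RAND_load_file ("/dev/urandom", 1024) call it replaces seeded unconditionally, so a configuration without a seed device now depends entirely on OpenSSL's own start-up seeding and nothing here notices if that did not happen. Asking OpenSSL directly after the call keeps start-up fail-closed: `if (!RAND_status ()) { slog (L_CRIT, _("PRNG not seeded, exiting.")); cleanup_and_exit (EXIT_FAILURE); }` (message constructed). setup_rng is defined outside this hunk, and whether the configuration parser installs a default seed_dev cannot be seen from here.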
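Review bot: when network.drop_privileges () returns false the new ladder falls through to the same `unrecoverable error while setting up network` message as a failed network.setup (), so the log cannot tell an interface problem from a refused privilege drop. An explicit branch keeps the diagnosis exact, e.g. `else slog (L_CRIT, _("unable to drop privileges, exiting."));` ahead of the fall-through (message constructed; drop_privileges presumably logs its own errno detail, which cannot be checked from this hunk). The two conditions also run with opposite polarity — the loop starts when setup () is false and drop_privileges () is true — which is worth a one-line comment on the `if (!network.setup ())` line stating each function's success value, once confirmed against their definitions.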