--- server/slapd/config.c Fri Jul 7 11:20:52 2000 +++ server/slapd/config.c.PRNG Fri Jul 7 11:21:27 2000 @@ -771,6 +771,12 @@ cargv[1] ); if ( rc ) return rc; + } else if ( !strcasecmp( cargv[0], "TLSRandomFile" ) ) { + rc = ldap_pvt_tls_set_option( NULL, + LDAP_OPT_X_TLS_RANDOM_FILE, + cargv[1] ); + if ( rc ) + return rc; #endif --- libraries/libldap/init.c Fri Jul 7 11:10:21 2000 +++ libraries/libldap/init.c.PRNG Fri Jul 7 11:15:45 2000 @@ -73,6 +73,7 @@ {0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE}, {0, ATTR_TLS, "TLS_CACERTDIR",NULL, LDAP_OPT_X_TLS_CACERTDIR}, {0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT}, + {0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE}, #ifdef HAVE_CYRUS_SASL {0, ATTR_INT, "SASL_MINSSF", NULL, offsetof(struct ldapoptions, ldo_sasl_minssf)}, @@ -402,8 +403,10 @@ ldap_int_utils_init(); +#if 0 #ifdef HAVE_TLS ldap_pvt_tls_init(); +#endif #endif #ifdef HAVE_CYRUS_SASL --- include/ldap.h Fri Jul 7 11:04:17 2000 +++ include/ldap.h.PRNG Fri Jul 7 11:03:51 2000 @@ -122,6 +122,7 @@ #define LDAP_OPT_X_TLS 0x6007 #define LDAP_OPT_X_TLS_PROTOCOL 0x6008 #define LDAP_OPT_X_TLS_CIPHER_SUITE 0x6009 +#define LDAP_OPT_X_TLS_RANDOM_FILE 0x600a #define LDAP_OPT_X_TLS_NEVER 0 #define LDAP_OPT_X_TLS_HARD 1 --- libraries/libldap/tls.c Fri Jul 7 11:10:15 2000 +++ libraries/libldap/tls.c.PRNG Fri Jul 7 11:12:47 2000 @@ -29,6 +29,7 @@ #include <openssl/ssl.h> #include <openssl/x509v3.h> #include <openssl/err.h> +#include <openssl/rand.h> #elif defined( HAVE_SSL_H ) #include <ssl.h> #endif @@ -40,6 +41,7 @@ static char *tls_opt_cacertdir = NULL; static int tls_opt_require_cert = 0; static char *tls_opt_ciphersuite = NULL; +static char *tls_opt_randfile = NULL; #define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \ (void *)&ldap_pvt_sockbuf_io_tls ) @@ -100,6 +102,8 @@ { static int tls_initialized = 0; + tls_seed_PRNG(tls_opt_randfile); + if ( tls_initialized ) return 0; tls_initialized = 1; @@ -673,6 +677,7 @@ case LDAP_OPT_X_TLS_CACERTDIR: case LDAP_OPT_X_TLS_CERTFILE: case LDAP_OPT_X_TLS_KEYFILE: + case LDAP_OPT_X_TLS_RANDOM_FILE: return ldap_pvt_tls_set_option( NULL, option, (void *) arg ); case LDAP_OPT_X_TLS_REQUIRE_CERT: i = ( ( strcasecmp( arg, "on" ) == 0 ) || @@ -731,6 +736,9 @@ case LDAP_OPT_X_TLS_REQUIRE_CERT: *(int *)arg = tls_opt_require_cert; break; + case LDAP_OPT_X_TLS_RANDOM_FILE: + *(char **)arg = tls_opt_randfile; + break; default: return -1; } @@ -794,6 +802,10 @@ if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite ); tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; + case LDAP_OPT_X_TLS_RANDOM_FILE: + if (tls_opt_randfile ) free (tls_opt_randfile ); + tls_opt_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; + break; default: return -1; } @@ -803,6 +815,8 @@ int ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) { + /* Make sure tls is initialized, including PRNG properly seeded. */ + ldap_pvt_tls_init(); /* * Fortunately, the lib uses blocking io... */ @@ -924,6 +938,50 @@ return NULL; } return tmp_rsa; +} + +static int +tls_seed_PRNG(const char *randfile) +{ + char buffer[1024]; + static int seeded = 0; + static int egdsocket = 0; + + if (seeded) + return 1; + + if (randfile == NULL) + { + /* The seed file is $RANDFILE if defined, otherwise $HOME/.rnd. + * If $HOME is not set or buffer too small to hold the pathname, + * an error occurs. - From RAND_file_name() man page. + * The fact is that when $HOME is NULL, .rnd is used. + */ + randfile = RAND_file_name(buffer, sizeof( buffer )); + } + else if (RAND_egd(randfile) > 0) + { + /* EGD socket */ + egdsocket = 1; + return 1; + } + + if (randfile == NULL) + { + Debug( LDAP_DEBUG_ANY, "TLS: Use configuration file or $RANDFILE to define seed file.",0,0,0); + return 0; + } + + RAND_load_file(randfile, -1); + + if (RAND_status() == 0) + { + Debug( LDAP_DEBUG_ANY, "TLS: PRNG has not been seeded with enough data.",0,0,0); + return 0; + } + + seeded = 1; + return 1; } #if 0
The supplied patch cannot be applied as is. It appears you cut and pasted was hosed (likely by cut-and-paste). The best way to generate a patch is using cvs diff. Modify the files (in place, without renaming) and the type: cvs diff -u > patch.txt (from the top level directory) Otherwise, the basic method you used is okay (but new versions should have original names and old versions should have suffixed .old or .orig or whatever). This facilities application of the patch. In fact, it best to test your patch before submitting it by applying to fresh copy of the source. However , regardless of how you generate the patch, make sure it doesn't get munged in transit. The safest approach is for you to FTP into ftp://ftp.openldap.org/incoming/ and then provide the URL in your ITS. Note that you can append information to an ITS by replying the the ITS mail address with the subject it provided back to you (That is, with the "(ITS#619)" appearing in the subject). I await your revised patch. Kurt
Please find the revised patch in the following URL.: ftp://ftp.openldap.org/incoming/ITS619/patch.txt -Ted
changed notes changed state Open to Closed moved from Incoming to Development
integrated