619 – seeding PRNG

Issue 619 - seeding PRNG

Summary: seeding PRNG

Status:	VERIFIED FIXED

Alias:	None

Product:	OpenLDAP
Classification:	Unclassified
Component:	slapd (show other issues)
Version:	unspecified
Hardware:	All All

Importance:	--- normal
Target Milestone:	---
Assignee:	OpenLDAP project

URL:
Keywords:

Depends on:
Blocks:

Reported:	2000-07-07 18:39 UTC by Cheng, Ted C
Modified:	2014-08-01 21:05 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description Cheng, Ted C 2000-07-07 18:39:18 UTC

--- server/slapd/config.c       Fri Jul  7 11:20:52 2000
+++ server/slapd/config.c.PRNG  Fri Jul  7 11:21:27 2000
@@ -771,6 +771,12 @@
                                                      cargv[1] );
                        if ( rc )
                                return rc;
+               } else if ( !strcasecmp( cargv[0], "TLSRandomFile" ) ) {
+                       rc = ldap_pvt_tls_set_option( NULL,
+
LDAP_OPT_X_TLS_RANDOM_FILE,
+                                                     cargv[1] );
+                       if ( rc )
+                               return rc;

 #endif

--- libraries/libldap/init.c    Fri Jul  7 11:10:21 2000
+++ libraries/libldap/init.c.PRNG       Fri Jul  7 11:15:45 2000
@@ -73,6 +73,7 @@
        {0, ATTR_TLS,           "TLS_CACERT",   NULL,
LDAP_OPT_X_TLS_CACERTFILE},
        {0, ATTR_TLS,           "TLS_CACERTDIR",NULL,
LDAP_OPT_X_TLS_CACERTDIR},
        {0, ATTR_TLS,           "TLS_REQCERT",  NULL,
LDAP_OPT_X_TLS_REQUIRE_CERT},
+       {0, ATTR_TLS,       "TLS_RANDFILE", NULL,
LDAP_OPT_X_TLS_RANDOM_FILE},
 #ifdef HAVE_CYRUS_SASL
        {0, ATTR_INT,           "SASL_MINSSF",  NULL,
                offsetof(struct ldapoptions, ldo_sasl_minssf)},
@@ -402,8 +403,10 @@

        ldap_int_utils_init();

+#if 0
 #ifdef HAVE_TLS
        ldap_pvt_tls_init();
+#endif
 #endif

 #ifdef HAVE_CYRUS_SASL
--- include/ldap.h      Fri Jul  7 11:04:17 2000
+++ include/ldap.h.PRNG Fri Jul  7 11:03:51 2000
@@ -122,6 +122,7 @@
 #define LDAP_OPT_X_TLS                 0x6007
 #define LDAP_OPT_X_TLS_PROTOCOL                0x6008
 #define LDAP_OPT_X_TLS_CIPHER_SUITE    0x6009
+#define LDAP_OPT_X_TLS_RANDOM_FILE     0x600a

 #define LDAP_OPT_X_TLS_NEVER           0
 #define LDAP_OPT_X_TLS_HARD            1
--- libraries/libldap/tls.c     Fri Jul  7 11:10:15 2000
+++ libraries/libldap/tls.c.PRNG        Fri Jul  7 11:12:47 2000
@@ -29,6 +29,7 @@
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
+#include <openssl/rand.h>
 #elif defined( HAVE_SSL_H )
 #include <ssl.h>
 #endif
@@ -40,6 +41,7 @@
 static char *tls_opt_cacertdir = NULL;
 static int  tls_opt_require_cert = 0;
 static char *tls_opt_ciphersuite = NULL;
+static char *tls_opt_randfile = NULL;

 #define HAS_TLS( sb )  ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \
                                (void *)&ldap_pvt_sockbuf_io_tls )
@@ -100,6 +102,8 @@
 {
        static int tls_initialized = 0;

+       tls_seed_PRNG(tls_opt_randfile);
+
        if ( tls_initialized )
                return 0;
        tls_initialized = 1;
@@ -673,6 +677,7 @@
        case LDAP_OPT_X_TLS_CACERTDIR:
        case LDAP_OPT_X_TLS_CERTFILE:
        case LDAP_OPT_X_TLS_KEYFILE:
+       case LDAP_OPT_X_TLS_RANDOM_FILE:
                return ldap_pvt_tls_set_option( NULL, option, (void *) arg
);
        case LDAP_OPT_X_TLS_REQUIRE_CERT:
                i = ( ( strcasecmp( arg, "on" ) == 0 ) ||
@@ -731,6 +736,9 @@
        case LDAP_OPT_X_TLS_REQUIRE_CERT:
                *(int *)arg = tls_opt_require_cert;
                break;
+       case LDAP_OPT_X_TLS_RANDOM_FILE:
+               *(char **)arg = tls_opt_randfile;
+               break;
        default:
                return -1;
        }
@@ -794,6 +802,10 @@
                if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite );
                tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) :
NULL;
                break;
+       case LDAP_OPT_X_TLS_RANDOM_FILE:
+               if (tls_opt_randfile ) free (tls_opt_randfile );
+               tls_opt_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+               break;
        default:
                return -1;
        }
@@ -803,6 +815,8 @@
 int
 ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 {
+       /* Make sure tls is initialized, including PRNG properly seeded. */
+       ldap_pvt_tls_init();
        /*
         * Fortunately, the lib uses blocking io...
         */
@@ -924,6 +938,50 @@
                return NULL;
        }
        return tmp_rsa;
+}
+
+static int
+tls_seed_PRNG(const char *randfile)
+{
+       char buffer[1024];
+    static int seeded = 0;
+    static int egdsocket = 0;
+
+      if (seeded)
+              return 1;
+
+      if (randfile == NULL)
+      {
+              /* The seed file is $RANDFILE if defined, otherwise
$HOME/.rnd.
+               * If $HOME is not set or buffer too small to hold the
pathname,
+                * an error occurs.    - From RAND_file_name() man page.
+                * The fact is that when $HOME is NULL, .rnd is used.
+                */
+               randfile = RAND_file_name(buffer, sizeof( buffer ));
+       }
+       else if (RAND_egd(randfile) > 0)
+       {
+               /* EGD socket */
+               egdsocket = 1;
+               return 1;
+       }
+
+       if (randfile == NULL)
+       {
+               Debug( LDAP_DEBUG_ANY, "TLS: Use configuration file or
$RANDFILE to define seed file.",0,0,0);
+               return 0;
+       }
+
+       RAND_load_file(randfile, -1);
+
+       if (RAND_status() == 0)
+       {
+                               Debug( LDAP_DEBUG_ANY, "TLS: PRNG has not
been seeded with enough data.",0,0,0);
+                               return 0;
+      }
+
+      seeded = 1;
+      return 1;
 }

 #if 0

Comment 1 Kurt Zeilenga 2000-07-07 20:40:13 UTC

The supplied patch cannot be applied as is.  It appears you cut and
pasted was hosed (likely by cut-and-paste).

The best way to generate a patch is using cvs diff.  Modify the
files (in place, without renaming) and the type:
   cvs diff -u > patch.txt
   (from the top level directory)

Otherwise, the basic method you used is okay (but new versions
should have original names and old versions should have suffixed
.old or .orig or whatever).  This facilities application of the patch.
In fact, it best to test your patch before submitting it by applying
to fresh copy of the source.

However , regardless of how you generate the patch, make sure
it doesn't get munged in transit.  The safest approach is for you
to FTP into ftp://ftp.openldap.org/incoming/  and then provide the
URL in your ITS.

Note that you can append information to an ITS by replying the
the ITS mail address with the subject it provided back to you
(That is, with the "(ITS#619)" appearing in the subject).

I await your revised patch.

Kurt

Comment 2 Ted C. Cheng 2000-07-08 08:17:56 UTC

Please find the revised patch in the following URL.:

ftp://ftp.openldap.org/incoming/ITS619/patch.txt

-Ted

Comment 3 Kurt Zeilenga 2000-07-12 08:15:02 UTC

changed notes
changed state Open to Closed
moved from Incoming to Development

Comment 4 OpenLDAP project 2014-08-01 21:05:27 UTC

integrated