[Date Prev][Date Next] [Chronological] [Thread] [Top]

seeding PRNG (ITS#619)



--- server/slapd/config.c       Fri Jul  7 11:20:52 2000
+++ server/slapd/config.c.PRNG  Fri Jul  7 11:21:27 2000
@@ -771,6 +771,12 @@
                                                      cargv[1] );
                        if ( rc )
                                return rc;
+               } else if ( !strcasecmp( cargv[0], "TLSRandomFile" ) ) {
+                       rc = ldap_pvt_tls_set_option( NULL,
+
LDAP_OPT_X_TLS_RANDOM_FILE,
+                                                     cargv[1] );
+                       if ( rc )
+                               return rc;

 #endif

--- libraries/libldap/init.c    Fri Jul  7 11:10:21 2000
+++ libraries/libldap/init.c.PRNG       Fri Jul  7 11:15:45 2000
@@ -73,6 +73,7 @@
        {0, ATTR_TLS,           "TLS_CACERT",   NULL,
LDAP_OPT_X_TLS_CACERTFILE},
        {0, ATTR_TLS,           "TLS_CACERTDIR",NULL,
LDAP_OPT_X_TLS_CACERTDIR},
        {0, ATTR_TLS,           "TLS_REQCERT",  NULL,
LDAP_OPT_X_TLS_REQUIRE_CERT},
+       {0, ATTR_TLS,       "TLS_RANDFILE", NULL,
LDAP_OPT_X_TLS_RANDOM_FILE},
 #ifdef HAVE_CYRUS_SASL
        {0, ATTR_INT,           "SASL_MINSSF",  NULL,
                offsetof(struct ldapoptions, ldo_sasl_minssf)},
@@ -402,8 +403,10 @@

        ldap_int_utils_init();

+#if 0
 #ifdef HAVE_TLS
        ldap_pvt_tls_init();
+#endif
 #endif

 #ifdef HAVE_CYRUS_SASL
--- include/ldap.h      Fri Jul  7 11:04:17 2000
+++ include/ldap.h.PRNG Fri Jul  7 11:03:51 2000
@@ -122,6 +122,7 @@
 #define LDAP_OPT_X_TLS                 0x6007
 #define LDAP_OPT_X_TLS_PROTOCOL                0x6008
 #define LDAP_OPT_X_TLS_CIPHER_SUITE    0x6009
+#define LDAP_OPT_X_TLS_RANDOM_FILE     0x600a

 #define LDAP_OPT_X_TLS_NEVER           0
 #define LDAP_OPT_X_TLS_HARD            1
--- libraries/libldap/tls.c     Fri Jul  7 11:10:15 2000
+++ libraries/libldap/tls.c.PRNG        Fri Jul  7 11:12:47 2000
@@ -29,6 +29,7 @@
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
+#include <openssl/rand.h>
 #elif defined( HAVE_SSL_H )
 #include <ssl.h>
 #endif
@@ -40,6 +41,7 @@
 static char *tls_opt_cacertdir = NULL;
 static int  tls_opt_require_cert = 0;
 static char *tls_opt_ciphersuite = NULL;
+static char *tls_opt_randfile = NULL;

 #define HAS_TLS( sb )  ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \
                                (void *)&ldap_pvt_sockbuf_io_tls )
@@ -100,6 +102,8 @@
 {
        static int tls_initialized = 0;

+       tls_seed_PRNG(tls_opt_randfile);
+
        if ( tls_initialized )
                return 0;
        tls_initialized = 1;
@@ -673,6 +677,7 @@
        case LDAP_OPT_X_TLS_CACERTDIR:
        case LDAP_OPT_X_TLS_CERTFILE:
        case LDAP_OPT_X_TLS_KEYFILE:
+       case LDAP_OPT_X_TLS_RANDOM_FILE:
                return ldap_pvt_tls_set_option( NULL, option, (void *) arg
);
        case LDAP_OPT_X_TLS_REQUIRE_CERT:
                i = ( ( strcasecmp( arg, "on" ) == 0 ) ||
@@ -731,6 +736,9 @@
        case LDAP_OPT_X_TLS_REQUIRE_CERT:
                *(int *)arg = tls_opt_require_cert;
                break;
+       case LDAP_OPT_X_TLS_RANDOM_FILE:
+               *(char **)arg = tls_opt_randfile;
+               break;
        default:
                return -1;
        }
@@ -794,6 +802,10 @@
                if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite );
                tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) :
NULL;
                break;
+       case LDAP_OPT_X_TLS_RANDOM_FILE:
+               if (tls_opt_randfile ) free (tls_opt_randfile );
+               tls_opt_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+               break;
        default:
                return -1;
        }
@@ -803,6 +815,8 @@
 int
 ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 {
+       /* Make sure tls is initialized, including PRNG properly seeded. */
+       ldap_pvt_tls_init();
        /*
         * Fortunately, the lib uses blocking io...
         */
@@ -924,6 +938,50 @@
                return NULL;
        }
        return tmp_rsa;
+}
+
+static int
+tls_seed_PRNG(const char *randfile)
+{
+       char buffer[1024];
+    static int seeded = 0;
+    static int egdsocket = 0;
+
+      if (seeded)
+              return 1;
+
+      if (randfile == NULL)
+      {
+              /* The seed file is $RANDFILE if defined, otherwise
$HOME/.rnd.
+               * If $HOME is not set or buffer too small to hold the
pathname,
+                * an error occurs.    - From RAND_file_name() man page.
+                * The fact is that when $HOME is NULL, .rnd is used.
+                */
+               randfile = RAND_file_name(buffer, sizeof( buffer ));
+       }
+       else if (RAND_egd(randfile) > 0)
+       {
+               /* EGD socket */
+               egdsocket = 1;
+               return 1;
+       }
+
+       if (randfile == NULL)
+       {
+               Debug( LDAP_DEBUG_ANY, "TLS: Use configuration file or
$RANDFILE to define seed file.",0,0,0);
+               return 0;
+       }
+
+       RAND_load_file(randfile, -1);
+
+       if (RAND_status() == 0)
+       {
+                               Debug( LDAP_DEBUG_ANY, "TLS: PRNG has not
been seeded with enough data.",0,0,0);
+                               return 0;
+      }
+
+      seeded = 1;
+      return 1;
 }

 #if 0