[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
seeding PRNG (ITS#619)
--- server/slapd/config.c Fri Jul 7 11:20:52 2000
+++ server/slapd/config.c.PRNG Fri Jul 7 11:21:27 2000
@@ -771,6 +771,12 @@
cargv[1] );
if ( rc )
return rc;
+ } else if ( !strcasecmp( cargv[0], "TLSRandomFile" ) ) {
+ rc = ldap_pvt_tls_set_option( NULL,
+
LDAP_OPT_X_TLS_RANDOM_FILE,
+ cargv[1] );
+ if ( rc )
+ return rc;
#endif
--- libraries/libldap/init.c Fri Jul 7 11:10:21 2000
+++ libraries/libldap/init.c.PRNG Fri Jul 7 11:15:45 2000
@@ -73,6 +73,7 @@
{0, ATTR_TLS, "TLS_CACERT", NULL,
LDAP_OPT_X_TLS_CACERTFILE},
{0, ATTR_TLS, "TLS_CACERTDIR",NULL,
LDAP_OPT_X_TLS_CACERTDIR},
{0, ATTR_TLS, "TLS_REQCERT", NULL,
LDAP_OPT_X_TLS_REQUIRE_CERT},
+ {0, ATTR_TLS, "TLS_RANDFILE", NULL,
LDAP_OPT_X_TLS_RANDOM_FILE},
#ifdef HAVE_CYRUS_SASL
{0, ATTR_INT, "SASL_MINSSF", NULL,
offsetof(struct ldapoptions, ldo_sasl_minssf)},
@@ -402,8 +403,10 @@
ldap_int_utils_init();
+#if 0
#ifdef HAVE_TLS
ldap_pvt_tls_init();
+#endif
#endif
#ifdef HAVE_CYRUS_SASL
--- include/ldap.h Fri Jul 7 11:04:17 2000
+++ include/ldap.h.PRNG Fri Jul 7 11:03:51 2000
@@ -122,6 +122,7 @@
#define LDAP_OPT_X_TLS 0x6007
#define LDAP_OPT_X_TLS_PROTOCOL 0x6008
#define LDAP_OPT_X_TLS_CIPHER_SUITE 0x6009
+#define LDAP_OPT_X_TLS_RANDOM_FILE 0x600a
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
--- libraries/libldap/tls.c Fri Jul 7 11:10:15 2000
+++ libraries/libldap/tls.c.PRNG Fri Jul 7 11:12:47 2000
@@ -29,6 +29,7 @@
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
+#include <openssl/rand.h>
#elif defined( HAVE_SSL_H )
#include <ssl.h>
#endif
@@ -40,6 +41,7 @@
static char *tls_opt_cacertdir = NULL;
static int tls_opt_require_cert = 0;
static char *tls_opt_ciphersuite = NULL;
+static char *tls_opt_randfile = NULL;
#define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \
(void *)&ldap_pvt_sockbuf_io_tls )
@@ -100,6 +102,8 @@
{
static int tls_initialized = 0;
+ tls_seed_PRNG(tls_opt_randfile);
+
if ( tls_initialized )
return 0;
tls_initialized = 1;
@@ -673,6 +677,7 @@
case LDAP_OPT_X_TLS_CACERTDIR:
case LDAP_OPT_X_TLS_CERTFILE:
case LDAP_OPT_X_TLS_KEYFILE:
+ case LDAP_OPT_X_TLS_RANDOM_FILE:
return ldap_pvt_tls_set_option( NULL, option, (void *) arg
);
case LDAP_OPT_X_TLS_REQUIRE_CERT:
i = ( ( strcasecmp( arg, "on" ) == 0 ) ||
@@ -731,6 +736,9 @@
case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = tls_opt_require_cert;
break;
+ case LDAP_OPT_X_TLS_RANDOM_FILE:
+ *(char **)arg = tls_opt_randfile;
+ break;
default:
return -1;
}
@@ -794,6 +802,10 @@
if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite );
tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) :
NULL;
break;
+ case LDAP_OPT_X_TLS_RANDOM_FILE:
+ if (tls_opt_randfile ) free (tls_opt_randfile );
+ tls_opt_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ break;
default:
return -1;
}
@@ -803,6 +815,8 @@
int
ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
{
+ /* Make sure tls is initialized, including PRNG properly seeded. */
+ ldap_pvt_tls_init();
/*
* Fortunately, the lib uses blocking io...
*/
@@ -924,6 +938,50 @@
return NULL;
}
return tmp_rsa;
+}
+
+static int
+tls_seed_PRNG(const char *randfile)
+{
+ char buffer[1024];
+ static int seeded = 0;
+ static int egdsocket = 0;
+
+ if (seeded)
+ return 1;
+
+ if (randfile == NULL)
+ {
+ /* The seed file is $RANDFILE if defined, otherwise
$HOME/.rnd.
+ * If $HOME is not set or buffer too small to hold the
pathname,
+ * an error occurs. - From RAND_file_name() man page.
+ * The fact is that when $HOME is NULL, .rnd is used.
+ */
+ randfile = RAND_file_name(buffer, sizeof( buffer ));
+ }
+ else if (RAND_egd(randfile) > 0)
+ {
+ /* EGD socket */
+ egdsocket = 1;
+ return 1;
+ }
+
+ if (randfile == NULL)
+ {
+ Debug( LDAP_DEBUG_ANY, "TLS: Use configuration file or
$RANDFILE to define seed file.",0,0,0);
+ return 0;
+ }
+
+ RAND_load_file(randfile, -1);
+
+ if (RAND_status() == 0)
+ {
+ Debug( LDAP_DEBUG_ANY, "TLS: PRNG has not
been seeded with enough data.",0,0,0);
+ return 0;
+ }
+
+ seeded = 1;
+ return 1;
}
#if 0