
slurpd not seeding PRNG before initializing TLS. (ITS#1745)



Full_Name: Darin Broady
Version: 2.0.23-stable-20020215
OS: Irix 6.5.10, 6.5.15 & Solaris 8
URL: 
Submission from: (NULL) (192.146.101.11)


NOTE:
-----
Both Irix (6.5.10, 6.5.15) & Solaris (8) do not come installed with either a
/dev/urandom or a /dev/random device.  So, we are using the PRNGD from
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html, and
setting the TLSRandFile variable in slapd.conf to point to the socket.


The base installation of OpenLDAP-2.0.23-stable-20020215 allows SLURPD to use
TLS to communicate with its replicas.  However, it does not seed the PRNG
properly before calling ldap_pvt_tls_init() & ldap_pvt_tls_init_def_ctx().  The
PRNG must be seeded before calling either of these two functions.  This can be
done by setting a randomization file for OpenSSL-0.9.6c to use to seed its
internal PRNG.  The following patches fix this for slurpd:


main.c.diff:
--------------
--- openldap-2.0.23/servers/slurpd/main.c       Fri Jan  4 15:38:36 2002
+++ openldap-2.0.23-irix-n32/servers/slurpd/main.c      Thu Apr 11 10:34:32
2002
@@ -48,12 +48,6 @@
     /* initialize thread package */
     ldap_pvt_thread_initialize();
 
-#ifdef HAVE_TLS
-       if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
-               fprintf( stderr, "TLS Initialization failed.\n" );
-               exit( EXIT_FAILURE);
-       }
-#endif
 
     /* 
      * Create and initialize globals.  init_globals() also initializes
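Review bot: this hunk is only half of a move and must not be applied without the second main.c hunk, otherwise slurpd is left with no TLS initialization at all. The removal itself is right for the stated bug: at this point the config file has not been read, so any TLSRandFile directive has not yet reached libldap when ldap_pvt_tls_init() / ldap_pvt_tls_init_def_ctx() run.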
@@ -80,6 +74,13 @@
                sglob->slapd_configfile );
        exit( EXIT_FAILURE );
     }
+
+#ifdef HAVE_TLS
+       if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
+               fprintf( stderr, "TLS Initialization failed.\n" );
+               exit( EXIT_FAILURE);
+       }
+#endif
 
     /* 
      * Make sure our directory exists
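Review bot: the reinserted block is a verbatim copy of the removed one, now placed after the config-file check that exits with `sglob->slapd_configfile`, so the TLSRandFile directive is processed before ldap_pvt_tls_init_def_ctx() is called; that ordering is the actual fix and is correct. Two small points: the message "TLS Initialization failed.\n" gives the operator no hint that an unseeded PRNG (missing /dev/random and no TLSRandFile) is a likely cause on these platforms, and `exit( EXIT_FAILURE);` is missing the space before the closing parenthesis used elsewhere in the file.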




config.c.diff
-----------------
--- openldap-2.0.23/servers/slurpd/config.c     Fri Jan  4 15:38:36 2002
+++ openldap-2.0.23-irix-n32/servers/slurpd/config.c    Thu Apr 11 11:16:38
2002
@@ -113,6 +113,17 @@
            add_replica( cargv, cargc );
            
            /* include another config file */
+       } else if ( strcasecmp( cargv[0], "TLSRandFile" ) == 0 ) {
+           int err = LDAP_SUCCESS;
+
+           /*
+            *  Make sure that if the TLSRandFile is set, we tell the libldap
code
+            *  about it so that TLSv1/SSLv3 will work.
+            */
+           err = ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
cargv[1] );
+           if (err != LDAP_SUCCESS) {
+               fprintf( stderr, "Error: tls_randfile not set properly.  %s.\n",
ldap_err2string(err) );
+           }
        } else if ( strcasecmp( cargv[0], "include" ) == 0 ) {
            char *savefname;
            int savelineno;
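Review bot: `cargv[1]` is used without checking that `cargc >= 2`, so a bare `TLSRandFile` line with no argument passes a missing value to ldap_pvt_tls_set_option(); add a check along the lines of `if ( cargc < 2 ) { fprintf( stderr, "TLSRandFile: missing filename\n" ); exit( EXIT_FAILURE ); }` first. When ldap_pvt_tls_set_option() does fail, the branch only prints "Error: tls_randfile not set properly." and continues, which means slurpd may later start TLS with an unseeded PRNG, the very condition this ITS is about; the surrounding config errors exit with EXIT_FAILURE and this one should too. Finally, the new `else if` is inserted below the comment `/* include another config file */`, which now describes the wrong branch; put the TLSRandFile clause above that comment so it stays attached to the `include` case.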





Copyright Notification for both patches above
---------------------------------------------
     Copyright 2002, Darin Broady, All rights reserved.
     This software is not subject to any license of Lexmark International, Inc.

     This is free software; you can redistribute and use it
     under the same terms as OpenLDAP itself.