slurpd not seeding PRNG before initializing TLS. (ITS#1745)
Full_Name: Darin Broady
Version: 2.0.23-stable-20020215
OS: Irix 6.5.10, 6.5.15 & Solaris 8
URL:
Submission from: (NULL) (192.146.101.11)
NOTE:
-----
Both Irix (6.5.10, 6.5.15) & Solaris (8) do not come installed with a /dev/urandom nor a /dev/random device. So, we are using the PRNGD from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html, and setting the TLSRandFile variable in slapd.conf to point to the socket.
The base installation of OpenLDAP-2.0.23-stable-20020215 allows SLURPD to use TLS to communicate with its replicas. However, it does not seed the PRNG properly before calling ldap_pvt_tls_init() & ldap_pvt_tls_init_def_ctx(). The PRNG must be seeded before calling either of these two functions. This can be done by setting a randomization file for OpenSSL-0.9.6c to use to seed its internal PRNG. The following patches fix this for slurpd:
main.c.diff:
--------------
--- openldap-2.0.23/servers/slurpd/main.c Fri Jan 4 15:38:36 2002
+++ openldap-2.0.23-irix-n32/servers/slurpd/main.c Thu Apr 11 10:34:32
2002
@@ -48,12 +48,6 @@
/* initialize thread package */
ldap_pvt_thread_initialize();
-#ifdef HAVE_TLS
- if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
- fprintf( stderr, "TLS Initialization failed.\n" );
- exit( EXIT_FAILURE);
- }
-#endif
/*
* Create and initialize globals. init_globals() also initializes
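Review bot: this removal is only safe together with the re-insertion in the next hunk; with HAVE_TLS defined and only this hunk applied, slurpd never calls ldap_pvt_tls_init() or ldap_pvt_tls_init_def_ctx() at all, so the two hunks must land as one change. A one-line comment at this spot saying that TLS initialization has moved to after the configuration file is parsed (so that TLSRandFile can be honoured) would make the reordering self-documenting.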
@@ -80,6 +74,13 @@
sglob->slapd_configfile );
exit( EXIT_FAILURE );
}
+
+#ifdef HAVE_TLS
+ if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
+ fprintf( stderr, "TLS Initialization failed.\n" );
+ exit( EXIT_FAILURE);
+ }
+#endif
/*
* Make sure our directory exists
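Review bot: the re-added block carries no comment explaining why it must follow the config-file parsing (the PRNG seed source registered via TLSRandFile has to be set before ldap_pvt_tls_init() runs); add one so the ordering is not undone by a later refactor. Style nit: "exit( EXIT_FAILURE);" lacks the space before the closing parenthesis used by the surrounding code, see "exit( EXIT_FAILURE );" a few lines above in the same hunk.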
config.c.diff
-----------------
--- openldap-2.0.23/servers/slurpd/config.c Fri Jan 4 15:38:36 2002
+++ openldap-2.0.23-irix-n32/servers/slurpd/config.c Thu Apr 11 11:16:38
2002
@@ -113,6 +113,17 @@
add_replica( cargv, cargc );
/* include another config file */
+ } else if ( strcasecmp( cargv[0], "TLSRandFile" ) == 0 ) {
+ int err = LDAP_SUCCESS;
+
+ /*
+ * Make sure that if the TLSRandFile is set, we tell the libldap
code
+ * about it so that TLSv1/SSLv3 will work.
+ */
+ err = ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
cargv[1] );
+ if (err != LDAP_SUCCESS) {
+ fprintf( stderr, "Error: tls_randfile not set properly. %s.\n",
ldap_err2string(err) );
+ }
} else if ( strcasecmp( cargv[0], "include" ) == 0 ) {
char *savefname;
int savelineno;
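Review bot: cargv[1] is used without checking cargc, so a bare "TLSRandFile" line with no argument reads past the parsed arguments; guard with "if ( cargc < 2 )" and report it as a config error (with the line number) before calling ldap_pvt_tls_set_option(). The failure path only prints to stderr and continues, which means slurpd then proceeds to ldap_pvt_tls_init() with an unseeded PRNG, the very condition this report is about; returning an error, or exiting as main.c does when TLS initialization fails, would be safer. Also, the new branch was inserted between the "/* include another config file */" comment and the "include" branch that comment describes; move the comment down so it stays attached to the right branch. Minor: the "int err = LDAP_SUCCESS;" initializer is dead, since err is assigned immediately afterwards.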
Copyright Notification for both patches above
---------------------------------------------
Copyright 2002, Darin Broady, All rights reserved.
This software is not subject to any license of Lexmark International, Inc.
This is free software; you can redistribute and use it
under the same terms as OpenLDAP itself.
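As an added example (not part of this ITS report or of OpenLDAP), a small preflight check an operator can run before starting slurpd on a host like the ones above: it reads the TLSRandFile directive from slapd.conf and confirms that either that path exists (a PRNGD socket or a readable seed file) or a kernel random device is present, so the "TLS Initialization failed." exit is caught before the daemon starts. The function name check_tls_rand, the optional device-directory argument and the seed-file fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the ITS report or OpenLDAP: preflight check that
# slurpd/slapd will have an entropy source before ldap_pvt_tls_init() runs.
# Assumes a slapd.conf-style "TLSRandFile <path>" directive (case-insensitive,
# as slurpd matches it with strcasecmp) pointing at a PRNGD socket or seed file.

# check_tls_rand CONF [DEVDIR]
#   CONF   slapd.conf to inspect
#   DEVDIR directory searched for random/urandom (default /dev; overridable
#          so the check can be exercised on hosts that lack the devices)
# Returns 0 when a usable entropy source is configured, 1 otherwise.
check_tls_rand() {
    conf=$1
    devdir=${2:-/dev}

    # Last TLSRandFile directive wins; comment lines never match because
    # their first field is "#" or "#TLSRandFile", not the bare directive.
    randfile=$(awk 'tolower($1) == "tlsrandfile" { v = $2 } END { print v }' "$conf")

    if [ -z "$randfile" ]; then
        # No directive: OpenSSL can only seed itself from a kernel device.
        if [ -c "$devdir/urandom" ] || [ -c "$devdir/random" ]; then
            return 0
        fi
        echo "no TLSRandFile in $conf and no $devdir/urandom or $devdir/random" >&2
        return 1
    fi

    # Directive present: accept a PRNGD UNIX socket or a readable seed file.
    if [ -S "$randfile" ] || { [ -f "$randfile" ] && [ -r "$randfile" ]; }; then
        return 0
    fi
    echo "TLSRandFile $randfile is not a socket or readable file" >&2
    return 1
}

# Stand-alone use: sh check_rand.sh /etc/openldap/slapd.conf
if [ $# -gt 0 ]; then
    check_tls_rand "$@"
fi
```

Run it from the same init script that starts PRNGD, after the socket is up, so a missing or misconfigured seed source stops slurpd from launching rather than failing later at TLS setup.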