RE: slurpd not seeding PRNG before initializing TLS. (ITS#1745)
This is a duplicate of ITS#1613 which was fixed last night in the HEAD.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> dbroady@lexmark.com
> Sent: Thursday, April 11, 2002 8:33 AM
> To: openldap-its@OpenLDAP.org
> Subject: slurpd not seeding PRNG before initializing TLS. (ITS#1745)
>
>
> Full_Name: Darin Broady
> Version: 2.0.23-stable-20020215
> OS: Irix 6.5.10, 6.5.15 & Solaris 8
> URL:
> Submission from: (NULL) (192.146.101.11)
>
>
> NOTE:
> -----
> Both Irix (6.5.10, 6.5.15) & Solaris (8) do not come installed with a
> /dev/urandom nor a /dev/random device. So, we are using the PRNGD from
> http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html, and
> setting the TLSRandFile variable in slapd.conf to point to the socket.
>
>
> The base installation of OpenLDAP-2.0.23-stable-20020215 allows SLURPD to
> use TLS to communicate with its replicas. However, it does not seed the
> PRNG properly before calling ldap_pvt_tls_init() &
> ldap_pvt_tls_init_def_ctx(). The PRNG must be seeded before calling either
> of these two functions. This can be done by setting a randomization file
> for OpenSSL-0.9.6c to use to seed its internal PRNG. The following patches
> fix this for slurpd:
>
>
> main.c.diff:
> --------------
> --- openldap-2.0.23/servers/slurpd/main.c Fri Jan 4 15:38:36 2002
> +++ openldap-2.0.23-irix-n32/servers/slurpd/main.c Thu Apr
> 11 10:34:32
> 2002
> @@ -48,12 +48,6 @@
> /* initialize thread package */
> ldap_pvt_thread_initialize();
>
> -#ifdef HAVE_TLS
> - if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
> - fprintf( stderr, "TLS Initialization failed.\n" );
> - exit( EXIT_FAILURE);
> - }
> -#endif
>
> /*
> * Create and initialize globals. init_globals() also initializes
> @@ -80,6 +74,13 @@
> sglob->slapd_configfile );
> exit( EXIT_FAILURE );
> }
> +
> +#ifdef HAVE_TLS
> + if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
> + fprintf( stderr, "TLS Initialization failed.\n" );
> + exit( EXIT_FAILURE);
> + }
> +#endif
>
> /*
> * Make sure our directory exists
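Review bot: the block re-added here is byte-identical to the one deleted in the previous hunk, but nothing at the new site records why it now has to run after the slapd.conf parse; add a one-line comment above `#ifdef HAVE_TLS` (e.g. `/* TLS init must follow config parsing so TLSRandFile is already registered */`) so a later cleanup does not move it back. The unchanged `"TLS Initialization failed.\n"` message also gives no hint that a missing or unreadable random file is now the most likely cause on hosts without /dev/urandom; mentioning TLSRandFile in that message would save the next person a debugging session.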
>
> config.c.diff
> -----------------
> --- openldap-2.0.23/servers/slurpd/config.c Fri Jan 4 15:38:36 2002
> +++ openldap-2.0.23-irix-n32/servers/slurpd/config.c Thu Apr
> 11 11:16:38
> 2002
> @@ -113,6 +113,17 @@
> add_replica( cargv, cargc );
>
> /* include another config file */
> + } else if ( strcasecmp( cargv[0], "TLSRandFile" ) == 0 ) {
> + int err = LDAP_SUCCESS;
> +
> + /*
> + * Make sure that if the TLSRandFile is set, we tell
> the libldap
> code
> + * about it so that TLSv1/SSLv3 will work.
> + */
> + err = ldap_pvt_tls_set_option( NULL,
> LDAP_OPT_X_TLS_RANDOM_FILE,
> cargv[1] );
> + if (err != LDAP_SUCCESS) {
> + fprintf( stderr, "Error: tls_randfile not set
> properly. %s.\n",
> ldap_err2string(err) );
> + }
> } else if ( strcasecmp( cargv[0], "include" ) == 0 ) {
> char *savefname;
> int savelineno;
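Review bot: `cargv[1]` is passed to `ldap_pvt_tls_set_option()` without first checking `cargc`, so a `TLSRandFile` line with no argument hands a missing value to libldap; add a `if ( cargc < 2 )` guard that reports the line number and fails, before the `ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_RANDOM_FILE, cargv[1] )` call. The new branch is also inserted between the context comment `/* include another config file */` and the `"include"` branch that comment describes, so the comment now sits above the wrong `else if`; put the TLSRandFile branch after the include block, or move the comment down with it. Finally, a failure here is only printed and parsing continues, yet the cover text says TLS init cannot succeed without the seed; given that main.c treats a failed TLS init as fatal, it would be more consistent to fail here as well (and `int err = LDAP_SUCCESS;` can simply be `int err;` since it is assigned unconditionally).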
>
> Copyright Notification for both patches above
> ---------------------------------------------
> Copyright 2002, Darin Broady, All rights reserved.
> This software is not subject to any license of Lexmark
> International, Inc.
>
> This is free software; you can redistribute and use it
> under the same terms as OpenLDAP itself.