mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
new seeding stuff as mentioned by Albert Chin
This commit is contained in:
parent
9479ac6dda
commit
2ef13230cb
@ -43,3 +43,8 @@
|
|||||||
/* Define this to 'int' if ssize_t is not an available typedefed type */
|
/* Define this to 'int' if ssize_t is not an available typedefed type */
|
||||||
#undef ssize_t
|
#undef ssize_t
|
||||||
|
|
||||||
|
/* Define this as a suitable file to read random data from */
|
||||||
|
#undef RANDOM_FILE
|
||||||
|
|
||||||
|
/* Define this to your Entropy Gathering Daemon socket pathname */
|
||||||
|
#undef EGD_SOCKET
|
||||||
|
33
configure.in
33
configure.in
@ -391,6 +391,36 @@ AC_CHECK_FUNC(gethostname, , AC_CHECK_LIB(ucb, gethostname))
|
|||||||
dnl dl lib?
|
dnl dl lib?
|
||||||
AC_CHECK_FUNC(dlopen, , AC_CHECK_LIB(dl, dlopen))
|
AC_CHECK_FUNC(dlopen, , AC_CHECK_LIB(dl, dlopen))
|
||||||
|
|
||||||
|
dnl **********************************************************************
|
||||||
|
dnl Check for the random seed preferences
|
||||||
|
dnl **********************************************************************
|
||||||
|
|
||||||
|
AC_ARG_WITH(egd-socket,
|
||||||
|
[ --with-egd-socket=FILE Entropy Gathering Daemon socket pathname],
|
||||||
|
[ EGD_SOCKET="$withval" ]
|
||||||
|
)
|
||||||
|
if test -n "$EGD_SOCKET" ; then
|
||||||
|
AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET")
|
||||||
|
fi
|
||||||
|
|
||||||
|
dnl Check for user-specified random device
|
||||||
|
AC_ARG_WITH(random,
|
||||||
|
[ --with-random=FILE read randomness from FILE (default=/dev/urandom)],
|
||||||
|
[ RANDOM_FILE="$withval" ],
|
||||||
|
[
|
||||||
|
dnl Check for random device
|
||||||
|
AC_CHECK_FILE("/dev/urandom",
|
||||||
|
[
|
||||||
|
RANDOM_FILE="/dev/urandom";
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
)
|
||||||
|
if test -n "$RANDOM_FILE" ; then
|
||||||
|
AC_SUBST(RANDOM_FILE)
|
||||||
|
AC_DEFINE_UNQUOTED(RANDOM_FILE, "$RANDOM_FILE")
|
||||||
|
fi
|
||||||
|
|
||||||
dnl **********************************************************************
|
dnl **********************************************************************
|
||||||
dnl Check for the presence of Kerberos4 libraries and headers
|
dnl Check for the presence of Kerberos4 libraries and headers
|
||||||
dnl **********************************************************************
|
dnl **********************************************************************
|
||||||
@ -545,7 +575,8 @@ else
|
|||||||
dnl these can only exist if openssl exists
|
dnl these can only exist if openssl exists
|
||||||
|
|
||||||
AC_CHECK_FUNCS( RAND_status \
|
AC_CHECK_FUNCS( RAND_status \
|
||||||
RAND_screen )
|
RAND_screen \
|
||||||
|
RAND_egd )
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
115
lib/ssluse.c
115
lib/ssluse.c
@ -58,16 +58,92 @@ static int passwd_callback(char *buf, int num, int verify
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* This function is *highly* inspired by (and parts are directly stolen
|
static
|
||||||
* from) source from the SSLeay package written by Eric Young
|
bool seed_enough(struct connectdata *conn, /* unused for now */
|
||||||
* (eay@cryptsoft.com). */
|
int nread)
|
||||||
|
{
|
||||||
|
#ifdef HAVE_RAND_STATUS
|
||||||
|
/* only available in OpenSSL 0.9.5a and later */
|
||||||
|
if(RAND_status())
|
||||||
|
return TRUE;
|
||||||
|
#else
|
||||||
|
if(nread > 500)
|
||||||
|
/* this is a very silly decision to make */
|
||||||
|
return TRUE;
|
||||||
|
#endif
|
||||||
|
return FALSE; /* not enough */
|
||||||
|
}
|
||||||
|
|
||||||
static
|
static
|
||||||
int cert_stuff(struct UrlData *data,
|
int random_the_seed(struct connectdata *conn)
|
||||||
struct connectdata *conn,
|
{
|
||||||
|
char *buf = conn->data->buffer; /* point to the big buffer */
|
||||||
|
int ret;
|
||||||
|
int nread=0;
|
||||||
|
|
||||||
|
/* Q: should we add support for a random file name as a libcurl option?
|
||||||
|
A: Yes */
|
||||||
|
#if 0
|
||||||
|
/* something like this */
|
||||||
|
nread += RAND_load_file(filename, number_of_bytes);
|
||||||
|
#endif
|
||||||
|
/* generates a default path for the random seed file */
|
||||||
|
buf[0]=0; /* blank it first */
|
||||||
|
RAND_file_name(buf, BUFSIZE);
|
||||||
|
if ( buf[0] ) {
|
||||||
|
/* we got a file name to try */
|
||||||
|
nread += RAND_load_file(buf, 16384);
|
||||||
|
if(seed_enough(conn, nread))
|
||||||
|
return nread;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef RANDOM_FILE
|
||||||
|
nread += RAND_load_file(RANDOM_FILE, 16384);
|
||||||
|
if(seed_enough(conn, nread))
|
||||||
|
return nread;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(HAVE_RAND_EGD) && defined(EGD_SOCKET)
|
||||||
|
/* only available in OpenSSL 0.9.5 and later */
|
||||||
|
/* EGD_SOCKET is set at configure time */
|
||||||
|
ret = RAND_egd(EGD_SOCKET);
|
||||||
|
if(-1 != ret) {
|
||||||
|
nread += ret;
|
||||||
|
if(seed_enough(conn, nread))
|
||||||
|
return nread;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* If we get here, it means we need to seed the PRNG using a "silly"
|
||||||
|
approach! */
|
||||||
|
#ifdef HAVE_RAND_SCREEN
|
||||||
|
/* This one gets a random value by reading the currently shown screen */
|
||||||
|
RAND_screen();
|
||||||
|
nread = 100; /* just a value */
|
||||||
|
#else
|
||||||
|
{
|
||||||
|
int len;
|
||||||
|
char *area = Curl_FormBoundary();
|
||||||
|
if(!area)
|
||||||
|
return 3; /* out of memory */
|
||||||
|
|
||||||
|
len = strlen(area);
|
||||||
|
RAND_seed(area, len);
|
||||||
|
|
||||||
|
free(area); /* now remove the random junk */
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
infof(conn->data, "Your connection is using a weak random seed!\n");
|
||||||
|
return nread;
|
||||||
|
}
|
||||||
|
|
||||||
|
static
|
||||||
|
int cert_stuff(struct connectdata *conn,
|
||||||
char *cert_file,
|
char *cert_file,
|
||||||
char *key_file)
|
char *key_file)
|
||||||
{
|
{
|
||||||
|
struct UrlData *data = conn->data;
|
||||||
if (cert_file != NULL) {
|
if (cert_file != NULL) {
|
||||||
SSL *ssl;
|
SSL *ssl;
|
||||||
X509 *x509;
|
X509 *x509;
|
||||||
@ -123,9 +199,6 @@ int cert_stuff(struct UrlData *data,
|
|||||||
return(1);
|
return(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef USE_SSLEAY
|
|
||||||
static
|
static
|
||||||
int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
|
int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
|
||||||
{
|
{
|
||||||
@ -156,28 +229,8 @@ Curl_SSLConnect(struct connectdata *conn)
|
|||||||
/* Lets get nice error messages */
|
/* Lets get nice error messages */
|
||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
||||||
|
|
||||||
#ifdef HAVE_RAND_STATUS
|
/* Make funny stuff to get random input */
|
||||||
/* RAND_status() was introduced in OpenSSL 0.9.5 */
|
random_the_seed(conn);
|
||||||
if(0 == RAND_status())
|
|
||||||
#endif
|
|
||||||
{
|
|
||||||
/* We need to seed the PRNG properly! */
|
|
||||||
#ifdef HAVE_RAND_SCREEN
|
|
||||||
/* This one gets a random value by reading the currently shown screen */
|
|
||||||
RAND_screen();
|
|
||||||
#else
|
|
||||||
int len;
|
|
||||||
char *area = Curl_FormBoundary();
|
|
||||||
if(!area)
|
|
||||||
return 3; /* out of memory */
|
|
||||||
|
|
||||||
len = strlen(area);
|
|
||||||
|
|
||||||
RAND_seed(area, len);
|
|
||||||
|
|
||||||
free(area); /* now remove the random junk */
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Setup all the global SSL stuff */
|
/* Setup all the global SSL stuff */
|
||||||
SSLeay_add_ssl_algorithms();
|
SSLeay_add_ssl_algorithms();
|
||||||
@ -202,7 +255,7 @@ Curl_SSLConnect(struct connectdata *conn)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(data->cert) {
|
if(data->cert) {
|
||||||
if (!cert_stuff(data, conn, data->cert, data->cert)) {
|
if (!cert_stuff(conn, data->cert, data->cert)) {
|
||||||
failf(data, "couldn't use certificate!\n");
|
failf(data, "couldn't use certificate!\n");
|
||||||
return 2;
|
return 2;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user