mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 08:08:50 -05:00
- T. Bharath pointed out that we seed SSL on every connect, which is a time-
consuming operation that should only be needed to do once. We patched libcurl to now only seed on the first connect when unseeded. The seeded status is global so it'll now only happen once during a program's life time.
This commit is contained in:
parent
9468c9c796
commit
f114caca90
27
lib/ssluse.c
27
lib/ssluse.c
@ -80,10 +80,8 @@ static int passwd_callback(char *buf, int num, int verify
|
|||||||
}
|
}
|
||||||
|
|
||||||
static
|
static
|
||||||
bool seed_enough(struct connectdata *conn, /* unused for now */
|
bool seed_enough(int nread)
|
||||||
int nread)
|
|
||||||
{
|
{
|
||||||
conn = NULL; /* to prevent compiler warnings */
|
|
||||||
#ifdef HAVE_RAND_STATUS
|
#ifdef HAVE_RAND_STATUS
|
||||||
nread = 0; /* to prevent compiler warnings */
|
nread = 0; /* to prevent compiler warnings */
|
||||||
|
|
||||||
@ -99,11 +97,10 @@ bool seed_enough(struct connectdata *conn, /* unused for now */
|
|||||||
}
|
}
|
||||||
|
|
||||||
static
|
static
|
||||||
int random_the_seed(struct connectdata *conn)
|
int random_the_seed(struct SessionHandle *data)
|
||||||
{
|
{
|
||||||
char *buf = conn->data->state.buffer; /* point to the big buffer */
|
char *buf = data->state.buffer; /* point to the big buffer */
|
||||||
int nread=0;
|
int nread=0;
|
||||||
struct SessionHandle *data=conn->data;
|
|
||||||
|
|
||||||
/* Q: should we add support for a random file name as a libcurl option?
|
/* Q: should we add support for a random file name as a libcurl option?
|
||||||
A: Yes, it is here */
|
A: Yes, it is here */
|
||||||
@ -119,7 +116,7 @@ int random_the_seed(struct connectdata *conn)
|
|||||||
nread += RAND_load_file((data->set.ssl.random_file?
|
nread += RAND_load_file((data->set.ssl.random_file?
|
||||||
data->set.ssl.random_file:RANDOM_FILE),
|
data->set.ssl.random_file:RANDOM_FILE),
|
||||||
16384);
|
16384);
|
||||||
if(seed_enough(conn, nread))
|
if(seed_enough(nread))
|
||||||
return nread;
|
return nread;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -138,7 +135,7 @@ int random_the_seed(struct connectdata *conn)
|
|||||||
int ret = RAND_egd(data->set.ssl.egdsocket?data->set.ssl.egdsocket:EGD_SOCKET);
|
int ret = RAND_egd(data->set.ssl.egdsocket?data->set.ssl.egdsocket:EGD_SOCKET);
|
||||||
if(-1 != ret) {
|
if(-1 != ret) {
|
||||||
nread += ret;
|
nread += ret;
|
||||||
if(seed_enough(conn, nread))
|
if(seed_enough(nread))
|
||||||
return nread;
|
return nread;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -170,11 +167,11 @@ int random_the_seed(struct connectdata *conn)
|
|||||||
if ( buf[0] ) {
|
if ( buf[0] ) {
|
||||||
/* we got a file name to try */
|
/* we got a file name to try */
|
||||||
nread += RAND_load_file(buf, 16384);
|
nread += RAND_load_file(buf, 16384);
|
||||||
if(seed_enough(conn, nread))
|
if(seed_enough(nread))
|
||||||
return nread;
|
return nread;
|
||||||
}
|
}
|
||||||
|
|
||||||
infof(conn->data, "Your connection is using a weak random seed!\n");
|
infof(data, "libcurl is now using a weak random seed!\n");
|
||||||
return nread;
|
return nread;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -363,6 +360,10 @@ int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
|
|||||||
#ifdef USE_SSLEAY
|
#ifdef USE_SSLEAY
|
||||||
/* "global" init done? */
|
/* "global" init done? */
|
||||||
static int init_ssl=0;
|
static int init_ssl=0;
|
||||||
|
|
||||||
|
/* we have the "SSL is seeded" boolean global for the application to
|
||||||
|
prevent multiple time-consuming seedings in vain */
|
||||||
|
static bool ssl_seeded = FALSE;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Global init */
|
/* Global init */
|
||||||
@ -677,8 +678,12 @@ Curl_SSLConnect(struct connectdata *conn)
|
|||||||
/* mark this is being ssl enabled from here on out. */
|
/* mark this is being ssl enabled from here on out. */
|
||||||
conn->ssl.use = TRUE;
|
conn->ssl.use = TRUE;
|
||||||
|
|
||||||
|
if(!ssl_seeded) {
|
||||||
/* Make funny stuff to get random input */
|
/* Make funny stuff to get random input */
|
||||||
random_the_seed(conn);
|
random_the_seed(data);
|
||||||
|
|
||||||
|
ssl_seeded = TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
/* check to see if we've been told to use an explicit SSL/TLS version */
|
/* check to see if we've been told to use an explicit SSL/TLS version */
|
||||||
switch(data->set.ssl.version) {
|
switch(data->set.ssl.version) {
|
||||||
|
Loading…
Reference in New Issue
Block a user