diff options
author | Daniel Stenberg <daniel@haxx.se> | 2001-03-06 00:04:58 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2001-03-06 00:04:58 +0000 |
commit | 2ef13230cb81ce54eec5ac86c16a54e76e6d7ad9 (patch) | |
tree | 4e43a009c0a5988d8800383de4eff5c90fe0fb9e /lib/ssluse.c | |
parent | 9479ac6dda4e2da012d397d427831b80358259a2 (diff) | |
download | curl-2ef13230cb81ce54eec5ac86c16a54e76e6d7ad9.tar.gz |
new seeding stuff as mentioned by Albert Chin
Diffstat (limited to 'lib/ssluse.c')
-rw-r--r-- | lib/ssluse.c | 115 |
1 files changed, 84 insertions, 31 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index 789175735..8e43dd565 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -58,16 +58,92 @@ static int passwd_callback(char *buf, int num, int verify return 0; } -/* This function is *highly* inspired by (and parts are directly stolen - * from) source from the SSLeay package written by Eric Young - * (eay@cryptsoft.com). */ +static +bool seed_enough(struct connectdata *conn, /* unused for now */ + int nread) +{ +#ifdef HAVE_RAND_STATUS + /* only available in OpenSSL 0.9.5a and later */ + if(RAND_status()) + return TRUE; +#else + if(nread > 500) + /* this is a very silly decision to make */ + return TRUE; +#endif + return FALSE; /* not enough */ +} + +static +int random_the_seed(struct connectdata *conn) +{ + char *buf = conn->data->buffer; /* point to the big buffer */ + int ret; + int nread=0; + + /* Q: should we add support for a random file name as a libcurl option? + A: Yes */ +#if 0 + /* something like this */ + nread += RAND_load_file(filename, number_of_bytes); +#endif + /* generates a default path for the random seed file */ + buf[0]=0; /* blank it first */ + RAND_file_name(buf, BUFSIZE); + if ( buf[0] ) { + /* we got a file name to try */ + nread += RAND_load_file(buf, 16384); + if(seed_enough(conn, nread)) + return nread; + } + +#ifdef RANDOM_FILE + nread += RAND_load_file(RANDOM_FILE, 16384); + if(seed_enough(conn, nread)) + return nread; +#endif + +#if defined(HAVE_RAND_EGD) && defined(EGD_SOCKET) + /* only available in OpenSSL 0.9.5 and later */ + /* EGD_SOCKET is set at configure time */ + ret = RAND_egd(EGD_SOCKET); + if(-1 != ret) { + nread += ret; + if(seed_enough(conn, nread)) + return nread; + } +#endif + + /* If we get here, it means we need to seed the PRNG using a "silly" + approach! */ +#ifdef HAVE_RAND_SCREEN + /* This one gets a random value by reading the currently shown screen */ + RAND_screen(); + nread = 100; /* just a value */ +#else + { + int len; + char *area = Curl_FormBoundary(); + if(!area) + return 3; /* out of memory */ + + len = strlen(area); + RAND_seed(area, len); + + free(area); /* now remove the random junk */ +#endif + } + + infof(conn->data, "Your connection is using a weak random seed!\n"); + return nread; +} static -int cert_stuff(struct UrlData *data, - struct connectdata *conn, +int cert_stuff(struct connectdata *conn, char *cert_file, char *key_file) { + struct UrlData *data = conn->data; if (cert_file != NULL) { SSL *ssl; X509 *x509; @@ -123,9 +199,6 @@ int cert_stuff(struct UrlData *data, return(1); } -#endif - -#ifdef USE_SSLEAY static int cert_verify_callback(int ok, X509_STORE_CTX *ctx) { @@ -156,28 +229,8 @@ Curl_SSLConnect(struct connectdata *conn) /* Lets get nice error messages */ SSL_load_error_strings(); -#ifdef HAVE_RAND_STATUS - /* RAND_status() was introduced in OpenSSL 0.9.5 */ - if(0 == RAND_status()) -#endif - { - /* We need to seed the PRNG properly! */ -#ifdef HAVE_RAND_SCREEN - /* This one gets a random value by reading the currently shown screen */ - RAND_screen(); -#else - int len; - char *area = Curl_FormBoundary(); - if(!area) - return 3; /* out of memory */ - - len = strlen(area); - - RAND_seed(area, len); - - free(area); /* now remove the random junk */ -#endif - } + /* Make funny stuff to get random input */ + random_the_seed(conn); /* Setup all the global SSL stuff */ SSLeay_add_ssl_algorithms(); @@ -202,7 +255,7 @@ Curl_SSLConnect(struct connectdata *conn) } if(data->cert) { - if (!cert_stuff(data, conn, data->cert, data->cert)) { + if (!cert_stuff(conn, data->cert, data->cert)) { failf(data, "couldn't use certificate!\n"); return 2; } |