diff options
author | nelsonb%netscape.com <devnull@localhost> | 2001-11-14 23:53:57 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2001-11-14 23:53:57 +0000 |
commit | 4e12dd0bdedb7b9db028a29aeeb06e6028121ffe (patch) | |
tree | 69af16450790f7c09970a3713fed2f265ab548d7 | |
parent | 0b0839f49e1931f9c610719d0a11bbdd76a26150 (diff) | |
download | nss-hg-4e12dd0bdedb7b9db028a29aeeb06e6028121ffe.tar.gz |
Use /dev/urandom to seed NSS's PRNG, when possible. Bug 96626.
-rw-r--r-- | security/nss/lib/freebl/blapi.h | 2 | ||||
-rw-r--r-- | security/nss/lib/freebl/blapi_bsf.c | 2 | ||||
-rw-r--r-- | security/nss/lib/freebl/loader.c | 2 | ||||
-rw-r--r-- | security/nss/lib/freebl/loader.h | 2 | ||||
-rw-r--r-- | security/nss/lib/freebl/prng_fips1861.c | 5 | ||||
-rw-r--r-- | security/nss/lib/util/mac_rand.c | 2 | ||||
-rw-r--r-- | security/nss/lib/util/os2_rand.c | 8 | ||||
-rw-r--r-- | security/nss/lib/util/secrng.h | 2 | ||||
-rw-r--r-- | security/nss/lib/util/unix_rand.c | 44 | ||||
-rw-r--r-- | security/nss/lib/util/win_rand.c | 8 |
10 files changed, 49 insertions, 28 deletions
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h index e6782390d..4449dc66f 100644 --- a/security/nss/lib/freebl/blapi.h +++ b/security/nss/lib/freebl/blapi.h @@ -725,7 +725,7 @@ extern SECStatus RNG_RNGInit(void); ** Update the global random number generator with more seeding ** material */ -extern SECStatus RNG_RandomUpdate(void *data, size_t bytes); +extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes); /* ** Generate some random bytes, using the global random number generator diff --git a/security/nss/lib/freebl/blapi_bsf.c b/security/nss/lib/freebl/blapi_bsf.c index 28e6fc705..aada7bde6 100644 --- a/security/nss/lib/freebl/blapi_bsf.c +++ b/security/nss/lib/freebl/blapi_bsf.c @@ -2044,7 +2044,7 @@ RNG_RNGInit(void) } SECStatus -RNG_RandomUpdate(void *data, size_t bytes) +RNG_RandomUpdate(const void *data, size_t bytes) { int status; if (data == NULL || bytes <= 0) { diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c index 333d4748f..7a48d165f 100644 --- a/security/nss/lib/freebl/loader.c +++ b/security/nss/lib/freebl/loader.c @@ -866,7 +866,7 @@ RNG_RNGInit(void) } SECStatus -RNG_RandomUpdate(void *data, size_t bytes) +RNG_RandomUpdate(const void *data, size_t bytes) { if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) return SECFailure; diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h index 0d62b5708..fae273482 100644 --- a/security/nss/lib/freebl/loader.h +++ b/security/nss/lib/freebl/loader.h @@ -235,7 +235,7 @@ struct FREEBLVectorStr { SECStatus (* p_RNG_RNGInit)(void); - SECStatus (* p_RNG_RandomUpdate)(void *data, size_t bytes); + SECStatus (* p_RNG_RandomUpdate)(const void *data, size_t bytes); SECStatus (* p_RNG_GenerateGlobalRandomBytes)(void *dest, size_t len); diff --git a/security/nss/lib/freebl/prng_fips1861.c b/security/nss/lib/freebl/prng_fips1861.c index c11fdff22..2359913fd 100644 --- a/security/nss/lib/freebl/prng_fips1861.c +++ b/security/nss/lib/freebl/prng_fips1861.c @@ -271,7 +271,8 @@ RNG_RNGInit(void) ** material */ SECStatus -prng_RandomUpdate(RNGContext *rng, void *data, size_t bytes, unsigned char *q) +prng_RandomUpdate(RNGContext *rng, + const void *data, size_t bytes, unsigned char *q) { SECStatus rv = SECSuccess; unsigned char inputhash[BSIZE]; @@ -343,7 +344,7 @@ prng_RandomUpdate(RNGContext *rng, void *data, size_t bytes, unsigned char *q) ** material. Not DSA, so no q. */ SECStatus -RNG_RandomUpdate(void *data, size_t bytes) +RNG_RandomUpdate(const void *data, size_t bytes) { return prng_RandomUpdate(globalrng, data, bytes, NULL); } diff --git a/security/nss/lib/util/mac_rand.c b/security/nss/lib/util/mac_rand.c index 6198f3407..8578dfa08 100644 --- a/security/nss/lib/util/mac_rand.c +++ b/security/nss/lib/util/mac_rand.c @@ -79,7 +79,7 @@ size_t RNG_GetNoise(void *buf, size_t maxbytes) return CopyLowBits(buf, maxbytes, µTickCount, sizeof(microTickCount)); } -void RNG_FileForRNG(char *filename) +void RNG_FileForRNG(const char *filename) { unsigned char buffer[BUFSIZ]; size_t bytes; diff --git a/security/nss/lib/util/os2_rand.c b/security/nss/lib/util/os2_rand.c index b1dbba805..7eede8883 100644 --- a/security/nss/lib/util/os2_rand.c +++ b/security/nss/lib/util/os2_rand.c @@ -107,7 +107,7 @@ size_t RNG_GetNoise(void *buf, size_t maxbuf) } static BOOL -EnumSystemFiles(void (*func)(char *)) +EnumSystemFiles(void (*func)(const char *)) { APIRET rc; ULONG sysInfo = 0; @@ -158,13 +158,13 @@ EnumSystemFiles(void (*func)(char *)) static int dwNumFiles, dwReadEvery; static void -CountFiles(char *file) +CountFiles(const char *file) { dwNumFiles++; } static void -ReadFiles(char *file) +ReadFiles(const char *file) { if ((dwNumFiles % dwReadEvery) == 0) RNG_FileForRNG(file); @@ -293,7 +293,7 @@ void RNG_SystemInfoForRNG(void) RNG_RandomUpdate(buffer, nBytes); } -void RNG_FileForRNG(char *filename) +void RNG_FileForRNG(const char *filename) { struct stat stat_buf; unsigned char buffer[1024]; diff --git a/security/nss/lib/util/secrng.h b/security/nss/lib/util/secrng.h index c4c8686ef..cddc7b000 100644 --- a/security/nss/lib/util/secrng.h +++ b/security/nss/lib/util/secrng.h @@ -75,7 +75,7 @@ extern void RNG_SystemInfoForRNG(void); ** Use the contents (and stat) of a file to help seed the ** global random number generator. */ -extern void RNG_FileForRNG(char *filename); +extern void RNG_FileForRNG(const char *filename); SEC_END_PROTOS diff --git a/security/nss/lib/util/unix_rand.c b/security/nss/lib/util/unix_rand.c index 12b08aea3..512964154 100644 --- a/security/nss/lib/util/unix_rand.c +++ b/security/nss/lib/util/unix_rand.c @@ -43,6 +43,7 @@ #include <assert.h> #include "secrng.h" +size_t RNG_FileUpdate(const char *fileName, size_t limit); /* * When copying data to the buffer we want the least signicant bytes @@ -726,10 +727,10 @@ void RNG_SystemInfoForRNG(void) FILE *fp; char buf[BUFSIZ]; size_t bytes; - extern char **environ; - char **cp; + extern const char * const * const environ; + const char * const *cp; char *randfile; - char *files[] = { + static const char * const files[] = { "/etc/passwd", "/etc/utmp", "/tmp", @@ -788,6 +789,9 @@ for the small amount of entropy it provides. } GiveSystemInfo(); + /* grab some data from system's PRNG before any other files. */ + RNG_FileUpdate("/dev/urandom", 1024); + /* If the user points us to a random file, pass it through the rng */ randfile = getenv("NSRANDFILE"); if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) { @@ -859,26 +863,36 @@ void RNG_SystemInfoForRNG(void) } #endif -void RNG_FileForRNG(char *fileName) +#define TOTAL_FILE_LIMIT 1000000 /* one million */ + +size_t RNG_FileUpdate(const char *fileName, size_t limit) { - struct stat stat_buf; + FILE * file; + size_t bytes; + size_t fileBytes = 0; + struct stat stat_buf; unsigned char buffer[BUFSIZ]; - size_t bytes; - FILE *file; static size_t totalFileBytes = 0; if (stat((char *)fileName, &stat_buf) < 0) - return; + return fileBytes; RNG_RandomUpdate(&stat_buf, sizeof(stat_buf)); file = fopen((char *)fileName, "r"); if (file != NULL) { - for (;;) { - bytes = fread(buffer, 1, sizeof(buffer), file); - if (bytes == 0) break; + while (limit > fileBytes) { + bytes = PR_MIN(sizeof buffer, limit - fileBytes); + bytes = fread(buffer, 1, bytes, file); + if (bytes == 0) + break; RNG_RandomUpdate(buffer, bytes); + fileBytes += bytes; totalFileBytes += bytes; - if (totalFileBytes > 1024*1024) break; + /* after TOTAL_FILE_LIMIT has been reached, only read in first + ** buffer of data from each subsequent file. + */ + if (totalFileBytes > TOTAL_FILE_LIMIT) + break; } fclose(file); } @@ -888,4 +902,10 @@ void RNG_FileForRNG(char *fileName) */ bytes = RNG_GetNoise(buffer, sizeof(buffer)); RNG_RandomUpdate(buffer, bytes); + return fileBytes; +} + +void RNG_FileForRNG(const char *fileName) +{ + RNG_FileUpdate(fileName, TOTAL_FILE_LIMIT); } diff --git a/security/nss/lib/util/win_rand.c b/security/nss/lib/util/win_rand.c index de2e06ea7..dc16b19b7 100644 --- a/security/nss/lib/util/win_rand.c +++ b/security/nss/lib/util/win_rand.c @@ -161,7 +161,7 @@ size_t RNG_GetNoise(void *buf, size_t maxbuf) } static BOOL -EnumSystemFiles(void (*func)(char *)) +EnumSystemFiles(void (*func)(const char *)) { int iStatus; char szSysDir[_MAX_PATH]; @@ -212,13 +212,13 @@ EnumSystemFiles(void (*func)(char *)) static DWORD dwNumFiles, dwReadEvery; static void -CountFiles(char *file) +CountFiles(const char *file) { dwNumFiles++; } static void -ReadFiles(char *file) +ReadFiles(const char *file) { if ((dwNumFiles % dwReadEvery) == 0) RNG_FileForRNG(file); @@ -372,7 +372,7 @@ void RNG_SystemInfoForRNG(void) RNG_RandomUpdate(buffer, nBytes); } -void RNG_FileForRNG(char *filename) +void RNG_FileForRNG(const char *filename) { FILE* file; int nBytes; |