Diffstat (limited to 'security')
-rw-r--r--security/nss/lib/freebl/blapi.h2
-rw-r--r--security/nss/lib/freebl/blapi_bsf.c3
-rw-r--r--security/nss/lib/freebl/blapit.h7
-rw-r--r--security/nss/lib/freebl/loader.c2
-rw-r--r--security/nss/lib/freebl/loader.h2
-rw-r--r--security/nss/lib/freebl/mac_rand.c2
-rw-r--r--security/nss/lib/freebl/os2_rand.c8
-rw-r--r--security/nss/lib/freebl/prng_fips1861.c5
-rw-r--r--security/nss/lib/freebl/secmpi.h3
-rw-r--r--security/nss/lib/freebl/unix_rand.c44
-rw-r--r--security/nss/lib/freebl/win_rand.c8
-rw-r--r--security/nss/lib/util/secrng.h2
12 files changed, 55 insertions, 33 deletions
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
index e6782390d..4449dc66f 100644
--- a/security/nss/lib/freebl/blapi.h
+++ b/security/nss/lib/freebl/blapi.h
@@ -725,7 +725,7 @@ extern SECStatus RNG_RNGInit(void);
** Update the global random number generator with more seeding
** material
*/
-extern SECStatus RNG_RandomUpdate(void *data, size_t bytes);
+extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes);
/*
** Generate some random bytes, using the global random number generator
diff --git a/security/nss/lib/freebl/blapi_bsf.c b/security/nss/lib/freebl/blapi_bsf.c
index 28e6fc705..d5f0d6716 100644
--- a/security/nss/lib/freebl/blapi_bsf.c
+++ b/security/nss/lib/freebl/blapi_bsf.c
@@ -89,7 +89,6 @@
#define MAX_RC5_KEY_BYTES 255
#define MAX_RC5_ROUNDS 255
#define RC5_VERSION_NUMBER 0x10
-#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
#define SECITEMFROMITEM(arena, to, from) \
tmp.data = from.data; tmp.len = from.len; to.type = siBuffer; \
@@ -2044,7 +2043,7 @@ RNG_RNGInit(void)
}
SECStatus
-RNG_RandomUpdate(void *data, size_t bytes)
+RNG_RandomUpdate(const void *data, size_t bytes)
{
int status;
if (data == NULL || bytes <= 0) {
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
index ee5d51f45..0e1b2b0e2 100644
--- a/security/nss/lib/freebl/blapit.h
+++ b/security/nss/lib/freebl/blapit.h
@@ -71,6 +71,8 @@
#define MD5_LENGTH 16 /* Bytes */
#define SHA1_LENGTH 20 /* Bytes */
+#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
+
/*
* The FIPS 186 algorithm for generating primes P and Q allows only 9
* distinct values for the length of P, and only one value for the
@@ -94,12 +96,15 @@
* The FIPS-186 compliant PQG generator takes j as an input parameter.
*/
+#define DSA_Q_BITS 160
+#define DSA_MAX_P_BITS 1024
+#define DSA_MIN_P_BITS 512
/*
* function takes desired number of bits in P,
* returns index (0..8) or -1 if number of bits is invalid.
*/
-#define PQG_PBITS_TO_INDEX(bits) ((((bits)-512) % 64) ? -1 : ((bits)-512)/64)
+#define PQG_PBITS_TO_INDEX(bits) ((((bits)-512) % 64) ? -1 : (int)((bits)-512)/64)
/*
* function takes index (0-8)
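Review bot: PQG_PBITS_TO_INDEX still accepts any multiple of 64, so a size above 1024 yields an index greater than 8 and a signed size such as 384 yields -2, although the comment promises -1 for every invalid size. The new `(int)` cast also binds to `((bits)-512)` rather than to the quotient, which is easy to misread. With the limits this hunk adds, the range check can live in the macro: `#define PQG_PBITS_TO_INDEX(bits) (((bits) < DSA_MIN_P_BITS || (bits) > DSA_MAX_P_BITS || ((bits) % 64)) ? -1 : (int)(((bits) - DSA_MIN_P_BITS) / 64))`. Whether callers range-check the result is not visible here; if the index subscripts a table, an unchecked value would read out of bounds.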
diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c
index 333d4748f..7a48d165f 100644
--- a/security/nss/lib/freebl/loader.c
+++ b/security/nss/lib/freebl/loader.c
@@ -866,7 +866,7 @@ RNG_RNGInit(void)
}
SECStatus
-RNG_RandomUpdate(void *data, size_t bytes)
+RNG_RandomUpdate(const void *data, size_t bytes)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h
index 0d62b5708..fae273482 100644
--- a/security/nss/lib/freebl/loader.h
+++ b/security/nss/lib/freebl/loader.h
@@ -235,7 +235,7 @@ struct FREEBLVectorStr {
SECStatus (* p_RNG_RNGInit)(void);
- SECStatus (* p_RNG_RandomUpdate)(void *data, size_t bytes);
+ SECStatus (* p_RNG_RandomUpdate)(const void *data, size_t bytes);
SECStatus (* p_RNG_GenerateGlobalRandomBytes)(void *dest, size_t len);
diff --git a/security/nss/lib/freebl/mac_rand.c b/security/nss/lib/freebl/mac_rand.c
index 6198f3407..8578dfa08 100644
--- a/security/nss/lib/freebl/mac_rand.c
+++ b/security/nss/lib/freebl/mac_rand.c
@@ -79,7 +79,7 @@ size_t RNG_GetNoise(void *buf, size_t maxbytes)
return CopyLowBits(buf, maxbytes, &microTickCount, sizeof(microTickCount));
}
-void RNG_FileForRNG(char *filename)
+void RNG_FileForRNG(const char *filename)
{
unsigned char buffer[BUFSIZ];
size_t bytes;
diff --git a/security/nss/lib/freebl/os2_rand.c b/security/nss/lib/freebl/os2_rand.c
index b1dbba805..7eede8883 100644
--- a/security/nss/lib/freebl/os2_rand.c
+++ b/security/nss/lib/freebl/os2_rand.c
@@ -107,7 +107,7 @@ size_t RNG_GetNoise(void *buf, size_t maxbuf)
}
static BOOL
-EnumSystemFiles(void (*func)(char *))
+EnumSystemFiles(void (*func)(const char *))
{
APIRET rc;
ULONG sysInfo = 0;
@@ -158,13 +158,13 @@ EnumSystemFiles(void (*func)(char *))
static int dwNumFiles, dwReadEvery;
static void
-CountFiles(char *file)
+CountFiles(const char *file)
{
dwNumFiles++;
}
static void
-ReadFiles(char *file)
+ReadFiles(const char *file)
{
if ((dwNumFiles % dwReadEvery) == 0)
RNG_FileForRNG(file);
@@ -293,7 +293,7 @@ void RNG_SystemInfoForRNG(void)
RNG_RandomUpdate(buffer, nBytes);
}
-void RNG_FileForRNG(char *filename)
+void RNG_FileForRNG(const char *filename)
{
struct stat stat_buf;
unsigned char buffer[1024];
diff --git a/security/nss/lib/freebl/prng_fips1861.c b/security/nss/lib/freebl/prng_fips1861.c
index c11fdff22..bf0199926 100644
--- a/security/nss/lib/freebl/prng_fips1861.c
+++ b/security/nss/lib/freebl/prng_fips1861.c
@@ -271,7 +271,8 @@ RNG_RNGInit(void)
** material
*/
SECStatus
-prng_RandomUpdate(RNGContext *rng, void *data, size_t bytes, unsigned char *q)
+prng_RandomUpdate(RNGContext *rng, const void *data, size_t bytes,
+ unsigned char *q)
{
SECStatus rv = SECSuccess;
unsigned char inputhash[BSIZE];
@@ -343,7 +344,7 @@ prng_RandomUpdate(RNGContext *rng, void *data, size_t bytes, unsigned char *q)
** material. Not DSA, so no q.
*/
SECStatus
-RNG_RandomUpdate(void *data, size_t bytes)
+RNG_RandomUpdate(const void *data, size_t bytes)
{
return prng_RandomUpdate(globalrng, data, bytes, NULL);
}
diff --git a/security/nss/lib/freebl/secmpi.h b/security/nss/lib/freebl/secmpi.h
index 2be9bd8be..cddcbb03d 100644
--- a/security/nss/lib/freebl/secmpi.h
+++ b/security/nss/lib/freebl/secmpi.h
@@ -33,9 +33,6 @@
#include "mpi.h"
- /* XXX to be replaced by define in blapit.h */
-#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
-
#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
diff --git a/security/nss/lib/freebl/unix_rand.c b/security/nss/lib/freebl/unix_rand.c
index 12b08aea3..512964154 100644
--- a/security/nss/lib/freebl/unix_rand.c
+++ b/security/nss/lib/freebl/unix_rand.c
@@ -43,6 +43,7 @@
#include <assert.h>
#include "secrng.h"
+size_t RNG_FileUpdate(const char *fileName, size_t limit);
/*
* When copying data to the buffer we want the least signicant bytes
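Review bot: RNG_FileUpdate is declared here in the .c file with external linkage, so it becomes an exported RNG_ symbol that no header describes. If it is only meant to be called from this file, `static size_t RNG_FileUpdate(const char *fileName, size_t limit);` (with `static` on the definition as well) keeps it private. If the other platforms' rand files are meant to call it, the prototype belongs in secrng.h next to RNG_FileForRNG. Which of the two is intended cannot be told from this diff.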
@@ -726,10 +727,10 @@ void RNG_SystemInfoForRNG(void)
FILE *fp;
char buf[BUFSIZ];
size_t bytes;
- extern char **environ;
- char **cp;
+ extern const char * const * const environ;
+ const char * const *cp;
char *randfile;
- char *files[] = {
+ static const char * const files[] = {
"/etc/passwd",
"/etc/utmp",
"/tmp",
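Review bot: Redeclaring `environ` as `extern const char * const * const environ;` gives it a type that is not compatible with the `char **environ` object the C library defines, and it will clash on any platform whose headers already declare `environ`. The constness is only useful on the local iterator, so I would keep `extern char **environ;` and leave `const char * const *cp;` as added. The assignment to `cp`, which is outside this hunk, would then need an explicit cast. The `static const char * const files[]` change is fine as it stands.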
@@ -788,6 +789,9 @@ for the small amount of entropy it provides.
}
GiveSystemInfo();
+ /* grab some data from system's PRNG before any other files. */
+ RNG_FileUpdate("/dev/urandom", 1024);
+
/* If the user points us to a random file, pass it through the rng */
randfile = getenv("NSRANDFILE");
if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
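Review bot: The result of `RNG_FileUpdate("/dev/urandom", 1024)` is discarded, so a process that cannot open the device (a chroot or container without /dev, for example) silently seeds only from the weaker sources around it, such as the listed files and the environment. Storing the count in a local declared with the others, `urandomBytes = RNG_FileUpdate("/dev/urandom", 1024);`, would let the function log or otherwise report a short read. The bytes read here also count toward the static totalFileBytes budget inside RNG_FileUpdate. RNG_SystemInfoForRNG returns void and its body extends beyond this hunk, so how to surface the failure is a design choice.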
@@ -859,26 +863,36 @@ void RNG_SystemInfoForRNG(void)
}
#endif
-void RNG_FileForRNG(char *fileName)
+#define TOTAL_FILE_LIMIT 1000000 /* one million */
+
+size_t RNG_FileUpdate(const char *fileName, size_t limit)
{
- struct stat stat_buf;
+ FILE * file;
+ size_t bytes;
+ size_t fileBytes = 0;
+ struct stat stat_buf;
unsigned char buffer[BUFSIZ];
- size_t bytes;
- FILE *file;
static size_t totalFileBytes = 0;
if (stat((char *)fileName, &stat_buf) < 0)
- return;
+ return fileBytes;
RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
file = fopen((char *)fileName, "r");
if (file != NULL) {
- for (;;) {
- bytes = fread(buffer, 1, sizeof(buffer), file);
- if (bytes == 0) break;
+ while (limit > fileBytes) {
+ bytes = PR_MIN(sizeof buffer, limit - fileBytes);
+ bytes = fread(buffer, 1, bytes, file);
+ if (bytes == 0)
+ break;
RNG_RandomUpdate(buffer, bytes);
+ fileBytes += bytes;
totalFileBytes += bytes;
- if (totalFileBytes > 1024*1024) break;
+ /* after TOTAL_FILE_LIMIT has been reached, only read in first
+ ** buffer of data from each subsequent file.
+ */
+ if (totalFileBytes > TOTAL_FILE_LIMIT)
+ break;
}
fclose(file);
}
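Review bot: The stream is opened with default stdio buffering, so the 1024-byte request against /dev/urandom will usually make the C library read a full stdio block from the device into a heap buffer that `fclose` frees without clearing. Adding `setvbuf(file, NULL, _IONBF, 0);` right after the successful `fopen` makes `fread` pull only the bytes requested and keeps seed bytes out of the stdio buffer. The `(char *)fileName` casts on `stat` and `fopen` are also no longer needed now that the parameter is `const char *`. The function continues past this hunk.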
@@ -888,4 +902,10 @@ void RNG_FileForRNG(char *fileName)
*/
bytes = RNG_GetNoise(buffer, sizeof(buffer));
RNG_RandomUpdate(buffer, bytes);
+ return fileBytes;
+}
+
+void RNG_FileForRNG(const char *fileName)
+{
+ RNG_FileUpdate(fileName, TOTAL_FILE_LIMIT);
}
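Review bot: RNG_FileUpdate returns with `buffer` still holding bytes that were mixed into the generator, which since this commit can be /dev/urandom output rather than public file contents; the closing RNG_GetNoise call may overwrite only part of it. Clearing it before `return fileBytes;`, e.g. `memset(buffer, 0, sizeof buffer);`, avoids leaving seed material on the stack. A plain memset can be elided by the optimizer, so the project's own scrubbing helper is preferable if it has one. The start of the function is in the previous hunk.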
diff --git a/security/nss/lib/freebl/win_rand.c b/security/nss/lib/freebl/win_rand.c
index de2e06ea7..dc16b19b7 100644
--- a/security/nss/lib/freebl/win_rand.c
+++ b/security/nss/lib/freebl/win_rand.c
@@ -161,7 +161,7 @@ size_t RNG_GetNoise(void *buf, size_t maxbuf)
}
static BOOL
-EnumSystemFiles(void (*func)(char *))
+EnumSystemFiles(void (*func)(const char *))
{
int iStatus;
char szSysDir[_MAX_PATH];
@@ -212,13 +212,13 @@ EnumSystemFiles(void (*func)(char *))
static DWORD dwNumFiles, dwReadEvery;
static void
-CountFiles(char *file)
+CountFiles(const char *file)
{
dwNumFiles++;
}
static void
-ReadFiles(char *file)
+ReadFiles(const char *file)
{
if ((dwNumFiles % dwReadEvery) == 0)
RNG_FileForRNG(file);
@@ -372,7 +372,7 @@ void RNG_SystemInfoForRNG(void)
RNG_RandomUpdate(buffer, nBytes);
}
-void RNG_FileForRNG(char *filename)
+void RNG_FileForRNG(const char *filename)
{
FILE* file;
int nBytes;
diff --git a/security/nss/lib/util/secrng.h b/security/nss/lib/util/secrng.h
index c4c8686ef..cddc7b000 100644
--- a/security/nss/lib/util/secrng.h
+++ b/security/nss/lib/util/secrng.h
@@ -75,7 +75,7 @@ extern void RNG_SystemInfoForRNG(void);
** Use the contents (and stat) of a file to help seed the
** global random number generator.
*/
-extern void RNG_FileForRNG(char *filename);
+extern void RNG_FileForRNG(const char *filename);
SEC_END_PROTOS