[GNUnet-SVN] [gnurl] 80/208: openssl: improve fallback seed of PRNG with
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 80/208: openssl: improve fallback seed of PRNG with a time based hash |
Date: |
Wed, 09 Aug 2017 17:34:37 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to annotated tag gnurl-7.55.0
in repository gnurl.
commit 192877058e3c50181f3cdc349c17c13b6f9465b9
Author: dmitrykos <address@hidden>
AuthorDate: Tue Jun 27 20:56:12 2017 +0300
openssl: improve fallback seed of PRNG with a time based hash
Fixes #1620
---
lib/vtls/openssl.c | 43 ++++++++++++++++++++++++++-----------------
1 file changed, 26 insertions(+), 17 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 11419f488..a77e4330e 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -236,7 +236,6 @@ static CURLcode Curl_ossl_seed(struct Curl_easy *data)
/* we have the "SSL is seeded" boolean static to prevent multiple
time-consuming seedings in vain */
static bool ssl_seeded = FALSE;
- int nread=0;
char fname[256];
if(ssl_seeded)
@@ -256,12 +255,12 @@ static CURLcode Curl_ossl_seed(struct Curl_easy *data)
#endif
{
/* let the option override the define */
- nread += RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
- data->set.str[STRING_SSL_RANDOM_FILE]:
- RANDOM_FILE),
- RAND_LOAD_LENGTH);
+ RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
+ data->set.str[STRING_SSL_RANDOM_FILE]:
+ RANDOM_FILE),
+ RAND_LOAD_LENGTH);
if(rand_enough())
- return nread;
+ return CURLE_OK;
}
#if defined(HAVE_RAND_EGD)
@@ -279,21 +278,30 @@ static CURLcode Curl_ossl_seed(struct Curl_easy *data)
int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
if(-1 != ret) {
- nread += ret;
if(rand_enough())
- return nread;
+ return CURLE_OK;
}
}
#endif
- /* If we get here, it means we need to seed the PRNG using a "silly"
- approach! */
+ /* fallback to a custom seeding of the PRNG using a hash based on a current
+ time */
do {
unsigned char randb[64];
- int len = sizeof(randb);
- if(!RAND_bytes(randb, len))
- break;
- RAND_add(randb, len, (len >> 1));
+ size_t len = sizeof(randb);
+ size_t i, i_max;
+ for(i = 0, i_max = len / sizeof(struct timeval); i < i_max; ++i) {
+ struct timeval tv = curlx_tvnow();
+ Curl_wait_ms(1);
+ tv.tv_sec *= i + 1;
+ tv.tv_usec *= i + 2;
+ tv.tv_sec ^= ((curlx_tvnow().tv_sec + curlx_tvnow().tv_usec) *
+ (i + 3)) << 8;
+ tv.tv_usec ^= ((curlx_tvnow().tv_sec + curlx_tvnow().tv_usec) *
+ (i + 4)) << 16;
+ memcpy(&randb[i * sizeof(struct timeval)], &tv, sizeof(struct timeval));
+ }
+ RAND_add(randb, (int)len, (double)len/2);
} while(!rand_enough());
/* generates a default path for the random seed file */
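Review bot: The entropy estimate on the `RAND_add(randb, (int)len, (double)len/2);` line claims 32 bytes of entropy for a 64-byte buffer built from `len / sizeof(struct timeval)` gettimeofday() samples taken about a millisecond apart, which carry far less unpredictability than that; the multiplies and XOR-shifts reshuffle the timestamps but add no entropy, and OpenSSL credits the estimate toward RAND_status(), so rand_enough() (presumably a RAND_status() wrapper) reports the pool as seeded on what is still a weak seed. The estimate should be reduced to what the samples plausibly provide rather than half the buffer size. Once it is lowered, the loop also needs a bound: its only exit is rand_enough(), and the old `if(!RAND_bytes(randb, len)) break;` exit was removed, so a build whose RAND method never reports itself seeded would spin here indefinitely, sleeping Curl_wait_ms(1) per sample. An attempt counter in the loop condition, e.g. `} while(!rand_enough() && ++attempts < max_attempts);` with `attempts` and a small constructed `max_attempts` declared before the `do`, keeps the fallback finite and makes the "weak random seed" path below reachable. Curl_ossl_seed starts before this hunk and continues after it.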
@@ -301,13 +309,14 @@ static CURLcode Curl_ossl_seed(struct Curl_easy *data)
RAND_file_name(fname, sizeof(fname));
if(fname[0]) {
/* we got a file name to try */
- nread += RAND_load_file(fname, RAND_LOAD_LENGTH);
+ RAND_load_file(fname, RAND_LOAD_LENGTH);
if(rand_enough())
- return nread;
+ return CURLE_OK;
}
infof(data, "libcurl is now using a weak random seed!\n");
- return CURLE_SSL_CONNECT_ERROR; /* confusing error code */
+ return (rand_enough() ? CURLE_OK :
+ CURLE_SSL_CONNECT_ERROR /* confusing error code */);
}
#ifndef SSL_FILETYPE_ENGINE
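Review bot: The `rand_enough()` recheck in the new `return (rand_enough() ? CURLE_OK : CURLE_SSL_CONNECT_ERROR ...)` looks always true at this point, because the fallback do/while in the previous hunk only exits once rand_enough() holds, so as far as the visible code shows the "libcurl is now using a weak random seed!" infof is emitted even though the pool reports itself seeded and the CURLE_SSL_CONNECT_ERROR branch is unreachable. If the intent is to succeed here, a plain `return CURLE_OK;` with the infof kept as a warning reads more honestly; if the intent is to report a still-weak pool, both the infof and the error belong under a `if(!rand_enough())` guard. Curl_ossl_seed's body starts before this hunk.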
--