SSL (patch 6)
Bear Giles
bear at coyotesong.com
Sun May 26 18:21:38 UTC 2002
This patch adds some initialization with random data, to make it
harder for an attacker to predict the output of the OpenSSL PRNG.
This should support reading a file (traditionally called .rand0)
and updating that file as each session terminates, but for now
it just reads some data from /dev/urandom if it exists. This is
better than nothing, but won't tie up the system like reading from
/dev/random would.
This patch also fixes an earlier oversight - SSL_shutdown() is
now followed by SSL_free().
Bear Giles
-- Attached file included as plaintext by Ecartis --
-- Desc: /tmp/inn6
Index: inn/nnrpd/nnrpd.c
diff -c inn/nnrpd/nnrpd.c:1.4 inn/nnrpd/nnrpd.c:1.5
*** inn/nnrpd/nnrpd.c:1.4 Sun May 26 11:50:12 2002
--- inn/nnrpd/nnrpd.c Sun May 26 12:12:48 2002
***************
*** 1,4 ****
! /* $Id: nnrpd.c,v 1.4 2002/05/26 17:50:12 bear Exp $
**
** NNTP server for readers (NNRP) for InterNetNews.
**
--- 1,4 ----
! /* $Id: nnrpd.c,v 1.5 2002/05/26 18:12:48 bear Exp $
**
** NNTP server for readers (NNRP) for InterNetNews.
**
***************
*** 206,211 ****
--- 206,212 ----
#ifdef HAVE_SSL
if (tls_conn) {
SSL_shutdown(tls_conn);
+ SSL_free(tls_conn);
tls_conn = NULL;
}
#endif
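Review bot: `SSL_shutdown(tls_conn)` is called once and its return value is ignored before the added `SSL_free(tls_conn)`, which amounts to a one-way shutdown: close_notify is sent and the peer's reply is not awaited. That is worth stating in a comment so the next reader does not take it for an oversight, e.g. `/* one-way shutdown: send close_notify, do not wait for the peer's */`. If a failed shutdown should show up in the logs, the return value would have to be checked here. The enclosing function starts and ends outside the hunk.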
Index: inn/nnrpd/tls.c
diff -c inn/nnrpd/tls.c:1.4 inn/nnrpd/tls.c:1.7
*** inn/nnrpd/tls.c:1.4 Sun May 26 12:03:18 2002
--- inn/nnrpd/tls.c Sun May 26 12:20:11 2002
***************
*** 418,424 ****
static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
{
! struct stat buf;
if (cert_file != NULL) {
if (SSL_CTX_use_certificate_file(ctx, cert_file,
--- 418,424 ----
static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
{
! struct stat buf;
if (cert_file != NULL) {
if (SSL_CTX_use_certificate_file(ctx, cert_file,
***************
*** 482,487 ****
--- 482,488 ----
char *CAfile;
char *s_cert_file;
char *s_key_file;
+ struct stat buf;
if (tls_serverengine)
return (0); /* already running */
***************
*** 532,540 ****
Printf("TLS engine: cannot load cert/key data\n");
return (-1);
}
/* SSL_CTX_set_tmp_rsa_callback(CTX, tmp_rsa_cb); */
SSL_CTX_set_tmp_dh_callback(CTX, tmp_dh_cb);
! SSL_CTX_set_options(CTX, SSL_OP_SINGLE_DH_USE);
verify_depth = verifydepth;
if (askcert!=0)
--- 533,548 ----
Printf("TLS engine: cannot load cert/key data\n");
return (-1);
}
+
+ /* load some randomization data from /dev/urandom, if it exists */
+ /* FIXME: should also check for ".rand" file, update it on exit */
+ if (stat("/dev/urandom", &buf) == 0) {
+ RAND_load_file("/dev/urandom", 16 * 1024);
+ }
+
/* SSL_CTX_set_tmp_rsa_callback(CTX, tmp_rsa_cb); */
SSL_CTX_set_tmp_dh_callback(CTX, tmp_dh_cb);
! SSL_CTX_set_options(CTX, SSL_OP_SINGLE_DH_USE);
verify_depth = verifydepth;
if (askcert!=0)
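Review bot: The result of `RAND_load_file("/dev/urandom", 16 * 1024)` is discarded and nothing happens when the `stat()` test fails, so on a host without /dev/urandom, or where the read fails, the TLS engine starts with whatever seed state the library already has and no log line says so. After the load, check the generator explicitly, e.g. `if (RAND_status() != 1) { Printf("TLS engine: PRNG not seeded\n"); return (-1); }`, matching the cert/key failure path just above. The `stat()` call is also redundant, since `RAND_load_file()` reports a missing or unreadable file through its return value, and dropping it removes the need for the new `struct stat buf` local. The enclosing function starts and ends outside this hunk, so whether CTX needs releasing on that error path is not visible here.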