From b95d77db3f58c300c5e0a9c11862a4ba529ce82b Mon Sep 17 00:00:00 2001 From: Martin Johansson Date: Fri, 3 May 2013 23:18:34 +0200 Subject: [PATCH] Configure switch added for enabling PolarSSL HAVEGE random number generator. Default to /dev/urandom. Drop support for PolarSSL versions prior to 1.0.0 --- configure.ac | 5 +++++ src/crypt.c | 3 +-- src/ssl.c | 37 +++++++++++++++++++++++++++++++++++-- src/ssl.h | 35 +++++++++++++---------------------- 4 files changed, 54 insertions(+), 26 deletions(-) diff --git a/configure.ac b/configure.ac index d7f5f76..f48f11d 100644 --- a/configure.ac +++ b/configure.ac @@ -37,6 +37,7 @@ AM_INIT_AUTOMAKE # Configure options. AC_ARG_WITH([ssl], [AC_HELP_STRING([--with-ssl=@<:@LIB@:>@], [SSL library (openssl|polarssl) @<:@default=polarssl@:>@])], [], [with_ssl=polarssl]) AC_ARG_ENABLE(polarssl-test-cert, [ --enable-polarssl-test-cert Link to PolarSSL test certificate and key @<:@default=no@:>@], [enable_polarssl_test_cert=yes]) +AC_ARG_ENABLE(polarssl-havege, [ --enable-polarssl-havege Link to PolarSSL HAVEGE random generator key @<:@default=no@:>@ Deafult: /dev/urandom], [enable_polarssl_havege=yes]) # Checks for programs. AC_PROG_CC @@ -54,6 +55,10 @@ AS_IF([test "x$with_ssl" = xpolarssl], [ AC_CHECK_LIB([polarssl], [test_srv_crt], [], [AC_MSG_ERROR([could not find test_srv_crt])]) AC_DEFINE([USE_POLARSSL_TESTCERT], [], [Use PolarSSL test certificate]) ]) + AS_IF([test "x$enable_polarssl_havege" = xyes], [ + AC_CHECK_LIB([polarssl], [havege_init], [], [AC_MSG_ERROR([could not find havege_init])]) + AC_DEFINE([USE_POLARSSL_HAVEGE], [], [Use PolarSSL HAVEGE random generator]) + ]) ]) AS_IF([test "x$with_ssl" = xopenssl], [ AC_CHECK_HEADERS([openssl/ssl.h], [], [AC_MSG_ERROR([could not find openssl/ssl.h])]) diff --git a/src/crypt.c b/src/crypt.c index f3e74d8..eb6b07b 100644 --- a/src/crypt.c +++ b/src/crypt.c @@ -43,8 +43,7 @@ #include "crypt.h" #include "ssl.h" -#ifdef USE_POLARSSL -#include +#ifdef USE_POLARSSL_HAVEGE extern havege_state hs; #endif diff --git a/src/ssl.c b/src/ssl.c index e413db6..9c5236e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -30,6 +30,7 @@ */ #include #include +#include #include "conf.h" #include "log.h" @@ -67,7 +68,11 @@ static x509_cert certificate; static rsa_context key; bool_t builtInTestCertificate; -havege_state hs; /* exported to crypt.c */ +#ifdef USE_POLARSSL_HAVEGE +havege_state hs; +#else +int urandom_fd; +#endif /* DH prime */ char *my_dhm_P = @@ -145,6 +150,20 @@ static void initKey() Log_fatal("Could not read RSA key file %s", keyfile); } +#ifndef USE_POLARSSL_HAVEGE +int urandom_bytes(void *ctx, unsigned char *dest, size_t len) +{ + int cur; + + while (len) { + cur = read(urandom_fd, dest, len); + if (cur < 0) + continue; + len -= cur; + } +} +#endif + #define DEBUG_LEVEL 0 static void pssl_debug(void *ctx, int level, const char *str) { @@ -168,7 +187,16 @@ void SSLi_init(void) #else initKey(); #endif + + /* Initialize random number generator */ +#ifdef USE_POLARSSL_HAVEGE havege_init(&hs); +#else + urandom_fd = open("/dev/urandom", O_RDONLY); + if (urandom_fd < 0) + Log_fatal("Cannot open /dev/urandom"); + Log_info("Using random number generator /dev/urandom"); +#endif #ifdef POLARSSL_VERSION_MAJOR version_get_string(verstring); @@ -219,8 +247,13 @@ SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready) ssl_set_endpoint(ssl, SSL_IS_SERVER); ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL); - + +#ifdef USE_POLARSSL_HAVEGE ssl_set_rng(ssl, HAVEGE_RAND, &hs); +#else + ssl_set_rng(ssl, urandom_bytes, NULL); +#endif + ssl_set_dbg(ssl, pssl_debug, NULL); ssl_set_bio(ssl, net_recv, fd, net_send, fd); diff --git a/src/ssl.h b/src/ssl.h index d155f7f..aa0fe93 100644 --- a/src/ssl.h +++ b/src/ssl.h @@ -40,38 +40,29 @@ #include #include -#ifndef POLARSSL_VERSION_MAJOR - #define POLARSSL_API_V0 -#else -#if (POLARSSL_VERSION_MAJOR == 0) - #define POLARSSL_API_V0 - #define HAVEGE_RAND (havege_rand) - #define RAND_bytes(_dst_, _size_) do { \ - int i; \ - for (i = 0; i < _size_; i++) { \ - _dst_[i] = havege_rand(&hs); \ - } \ - } while (0) -#else - #define POLARSSL_API_V1 +#define POLARSSL_API_V1 +#ifdef USE_POLARSSL_HAVEGE #if (POLARSSL_VERSION_MINOR >= 1) #define HAVEGE_RAND (havege_random) #define RAND_bytes(_dst_, _size_) do { \ havege_random(&hs, _dst_, _size_); \ - } while (0) + } while (0) #else #define HAVEGE_RAND (havege_rand) #define RAND_bytes(_dst_, _size_) do { \ - int i; \ - for (i = 0; i < _size_; i++) { \ - _dst_[i] = havege_rand(&hs); \ - } \ + int i; \ + for (i = 0; i < _size_; i++) { \ + _dst_[i] = havege_rand(&hs); \ + } \ } while (0) #endif - #if (POLARSSL_VERSION_MINOR >= 2) - #define POLARSSL_API_V1_2 - #endif +#else +#define RAND_bytes(_dst_, _size_) do { urandom_bytes(NULL, _dst_, _size_); } while (0) +int urandom_bytes(void *ctx, unsigned char *dest, size_t len); #endif + +#if (POLARSSL_VERSION_MINOR >= 2) + #define POLARSSL_API_V1_2 #endif #else /* OpenSSL */ -- 2.30.2