1
/* Licensed to the Apache Software Foundation (ASF) under one or more
2
* contributor license agreements. See the NOTICE file distributed with
3
* this work for additional information regarding copyright ownership.
4
* The ASF licenses this file to You under the Apache License, Version 2.0
5
* (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
8
* http://www.apache.org/licenses/LICENSE-2.0
10
* Unless required by applicable law or agreed to in writing, software
11
* distributed under the License is distributed on an "AS IS" BASIS,
12
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
* See the License for the specific language governing permissions and
14
* limitations under the License.
18
* _ __ ___ ___ __| | ___ ___| | mod_ssl
19
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20
* | | | | | | (_) | (_| | \__ \__ \ |
21
* |_| |_| |_|\___/ \__,_|___|___/___/_|
24
* Random Number Generator Seeding
26
/* ``The generation of random
27
numbers is too important
28
to be left to chance.'' */
30
#include "ssl_private.h"
32
/* _________________________________________________________________
34
** Support for better seeding of SSL library's RNG
35
** _________________________________________________________________
38
static int ssl_rand_choosenum(int, int);
39
static int ssl_rand_feedfp(apr_pool_t *, apr_file_t *, int);
41
int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
44
apr_array_header_t *apRandSeed;
45
ssl_randseed_t *pRandSeeds;
46
ssl_randseed_t *pRandSeed;
47
unsigned char stackdata[256];
55
apRandSeed = mc->aRandSeed;
56
pRandSeeds = (ssl_randseed_t *)apRandSeed->elts;
57
for (i = 0; i < apRandSeed->nelts; i++) {
58
pRandSeed = &pRandSeeds[i];
59
if (pRandSeed->nCtx == nCtx) {
60
nReq += pRandSeed->nBytes;
61
if (pRandSeed->nSrc == SSL_RSSRC_FILE) {
63
* seed in contents of an external file
65
if (apr_file_open(&fp, pRandSeed->cpPath,
66
APR_READ, APR_OS_DEFAULT, p) != APR_SUCCESS)
68
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
71
else if (pRandSeed->nSrc == SSL_RSSRC_EXEC) {
72
const char *cmd = pRandSeed->cpPath;
73
const char **argv = apr_palloc(p, sizeof(char *) * 3);
75
* seed in contents generated by an external program
78
argv[1] = apr_itoa(p, pRandSeed->nBytes);
81
if ((fp = ssl_util_ppopen(s, p, cmd, argv)) == NULL)
83
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
84
ssl_util_ppclose(s, p, fp);
86
#ifdef HAVE_SSL_RAND_EGD
87
else if (pRandSeed->nSrc == SSL_RSSRC_EGD) {
89
* seed in contents provided by the external
90
* Entropy Gathering Daemon (EGD)
92
if ((n = RAND_egd(pRandSeed->cpPath)) == -1)
97
else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
104
* seed in the current time (usually just 4 bytes)
106
my_seed.t = time(NULL);
109
* seed in the current process id (usually just 4 bytes)
111
my_seed.pid = mc->pid;
114
RAND_seed((unsigned char *)&my_seed, l);
118
* seed in some current state of the run-time stack (128 bytes)
120
n = ssl_rand_choosenum(0, sizeof(stackdata)-128-1);
121
RAND_seed(stackdata+n, 128);
127
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
128
"%sSeeding PRNG with %d bytes of entropy", prefix, nDone);
130
if (RAND_status() == 0)
131
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
132
"%sPRNG still contains insufficient entropy!", prefix);
139
static int ssl_rand_feedfp(apr_pool_t *p, apr_file_t *fp, int nReq)
142
unsigned char caBuf[BUFSIZE];
152
nRead = (nTodo < BUFSIZE ? nTodo : BUFSIZE);
154
if (apr_file_read(fp, caBuf, &nBuf) != APR_SUCCESS)
156
RAND_seed(caBuf, nBuf);
167
static int ssl_rand_choosenum(int l, int h)
172
apr_snprintf(buf, sizeof(buf), "%.0f",
173
(((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l)));