Issue405101
Created on 2001-03-01 10:55 by moshez, last changed 2001-08-09 16:26 by gvanrossum. This issue is now closed.
| Messages (11) | |||
|---|---|---|---|
| msg35947 - (view) | Author: Moshe Zadka (moshez) | Date: 2001-03-01 10:55 | |
On systems without /dev/urandom, OpenSSL does not work unless explicitly seeded. This patch gives an option to seed it either from EGD, or from the C rng |
|||
| msg35948 - (view) | Author: Moshe Zadka (moshez) | Date: 2001-03-01 10:58 | |
Logged In: YES user_id=11645 Well, as usual, the attachment did not work. Available as http://www.lerner.co.il/~moshez/ssl_seed Also put here for reference purposes: Index: Modules/socketmodule.c =================================================================== RCS file: /cvsroot/python/python/dist/src/Modules/socketmodule.c,v retrieving revision 1.137 diff -c -r1.137 socketmodule.c *** Modules/socketmodule.c 2001/02/07 20:41:17 1.137 --- Modules/socketmodule.c 2001/03/01 10:38:45 *************** *** 176,181 **** --- 176,182 ---- #include "openssl/pem.h" #include "openssl/ssl.h" #include "openssl/err.h" + #include "openssl/rand.h" #endif /* USE_SSL */ #if defined(MS_WINDOWS) || defined(__BEOS__) *************** *** 2473,2478 **** --- 2474,2503 ---- if (PyDict_SetItemString(d, "SSLType", (PyObject *)&SSL_Type) != 0) return; + if (RAND_status() == 0) { + #ifdef USE_EGD + char random_device[MAXPATHLEN+1]; + if (!RAND_file_name (random_device, MAXPATHLEN + 1)) { + PyErr_SetObject(SSLErrorObject, + PyString_FromString("RAND_file_name error")); + return; + } + if (RAND_egd (random_device) == -1) { + PyErr_SetObject(SSLErrorObject, + PyString_FromString("RAND_egd error")); + return; + } + #else /* USE_EGD not defined */ + char random_string[32]; + int i; + + srand(time(NULL)); + for(i=0; i<sizeof(random_string); i++) { + random_string[i] = rand(); + } + RAND_seed(random_string, sizeof(random_string)); + #end+ } #endif /* USE_SSL */ PyDict_SetItemString(d, "error", PySocket_Error); PySocketSock_Type.ob_type = &PyType_Type; if /* USE_EGD */ |
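Review bot: in the `#else /* USE_EGD not defined */` branch of the second hunk, `srand(time(NULL))` followed by `rand()` hands `RAND_seed` 32 bytes that are fully determined by the second at which the module was initialised, so `RAND_status()` will report the pool as seeded although the input can be reproduced from an estimate of the import time. I would rather leave the PRNG unseeded and let the SSL call fail than do this silently; at minimum it needs a warning. Calling `srand` during module init also reseeds the C library generator for the whole process. In the `USE_EGD` branch, `RAND_file_name` returns the path of OpenSSL's seed file, not an EGD socket, so passing its result to `RAND_egd` looks wrong; the socket path should come from build or runtime configuration. As posted, the hunk also ends in `#end+ }` with the `/* USE_EGD */` text displaced to the end, so it will not apply as is.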
|||
| msg35949 - (view) | Author: Moshe Zadka (moshez) | Date: 2001-03-01 11:01 | |
Logged In: YES user_id=11645 Note: the patch survived remarkably well: The only broken lines are the one that goes: (PyObject *)&SSL_Type) != And the one that goes: RAND_seed(random_string, |
|||
| msg35950 - (view) | Author: Moshe Zadka (moshez) | Date: 2001-03-01 11:40 | |
Logged In: YES user_id=11645 New version of the patch: now warning when using the insecure srand/rand (version at http://www.lerner.co.il/~moshez/ssl_seed also updated) Index: Modules/socketmodule.c =================================================================== RCS file: /cvsroot/python/python/dist/src/Modules/socketmodule.c,v retrieving revision 1.137 diff -c -r1.137 socketmodule.c *** Modules/socketmodule.c 2001/02/07 20:41:17 1.137 --- Modules/socketmodule.c 2001/03/01 11:37:12 *************** *** 176,181 **** --- 176,182 ---- #include "openssl/pem.h" #include "openssl/ssl.h" #include "openssl/err.h" + #include "openssl/rand.h" #endif /* USE_SSL */ #if defined(MS_WINDOWS) || defined(__BEOS__) *************** *** 2473,2478 **** --- 2474,2505 ---- if (PyDict_SetItemString(d, "SSLType", (PyObject *)&SSL_Type) != 0) return; + if (RAND_status() == 0) { + #ifdef USE_EGD + char random_device[MAXPATHLEN+1]; + if (!RAND_file_name (random_device, MAXPATHLEN + 1)) { + PyErr_SetObject(SSLErrorObject, + PyString_FromString("RAND_file_name error")); + return; + } + if (RAND_egd (random_device) == -1) { + PyErr_SetObject(SSLErrorObject, + PyString_FromString("RAND_egd error")); + return; + } + #else /* USE_EGD not defined */ + char random_string[32]; + int i; + + PyErr_Warn(PyExc_RuntimeWarning, + "using insecure method to generate random numbers"); + srand(time(NULL)); + for(i=0; i<sizeof(random_string); i++) { + random_string[i] = rand(); + } + RAND_seed(random_string, sizeof(random_string)); + #endif /* USE_EGD */ + } #endif /* USE_SSL */ PyDict_SetItemString(d, "error", PySocket_Error); PySocketSock_Type.ob_type = &PyType_Type; |
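Review bot: the `PyErr_Warn(PyExc_RuntimeWarning, ...)` call in the `#else` branch runs during module initialisation, so on a build without `USE_EGD` and with an unseeded pool every import of the module emits the warning whether or not SSL is ever used, and its return value is ignored. If warnings are configured to raise, `PyErr_Warn` returns -1 with an exception set and init carries on into `srand`/`RAND_seed` and the following `PyDict_SetItemString` calls. Suggest checking the result and returning on failure, and moving the whole `RAND_status()` block to the point where an SSL object is first created. The warning also does not change what gets seeded: the 32 bytes still come from `rand()` seeded with `time(NULL)`.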
|||
| msg35951 - (view) | Author: A.M. Kuchling (akuchling) | Date: 2001-03-17 16:38 | |
Logged In: YES user_id=11375 Looks OK. Go ahead and check it in. |
|||
| msg35952 - (view) | Author: Moshe Zadka (moshez) | Date: 2001-03-18 08:45 | |
Logged In: YES user_id=11645 Checked in |
|||
| msg35953 - (view) | Author: Guido van Rossum (gvanrossum) | Date: 2001-04-15 04:29 | |
Logged In: YES user_id=6380 Who defines USE_EGD??? |
|||
| msg35954 - (view) | Author: Moshe Zadka (moshez) | Date: 2001-04-15 11:37 | |
Logged In: YES user_id=11645 Whoever builds, in Modules/Setup. After many discussions, I have not found any way to autodetect a running EGD so setup.py can enable it. I should probably have documented it somewhere... sorry. |
|||
| msg35955 - (view) | Author: Guido van Rossum (gvanrossum) | Date: 2001-04-15 12:36 | |
Logged In: YES user_id=6380 But Modules/Setup is no longer used to build the socket module! It's now built by setup.py, which ignores Modules/Setup AFAICT. I'm very tempted to undo this patch, as it has too many problems (see the python-dev discussion: it needs work for pre-0.9.5 versions of openssl, and on some systems it always issues a warning whenever you import the socket module). That's bad, since few of those imports are intended to use the ssl support. |
|||
| msg35956 - (view) | Author: Guido van Rossum (gvanrossum) | Date: 2001-04-15 12:36 | |
Logged In: YES user_id=6380 Reopened and grabbed. |
|||
| msg35957 - (view) | Author: Guido van Rossum (gvanrossum) | Date: 2001-08-09 16:26 | |
Logged In: YES user_id=6380 This patch was accepted, and then withdrawn because it caused too many problems on some platforms. So I'm now officially rejecting and closing it. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2001-03-01 10:55:00 | moshez | create | |
