[Patches] [ python-Patches-405101 ] Add Random Seeding to OpenSSL
noreply@sourceforge.net
noreply@sourceforge.net
Thu, 09 Aug 2001 09:26:17 -0700
Patches item #405101, was opened at 2001-03-01 02:55
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=305470&aid=405101&group_id=5470
Category: Modules
Group: None
>Status: Closed
>Resolution: Rejected
Priority: 5
Submitted By: Moshe Zadka (moshez)
Assigned to: Guido van Rossum (gvanrossum)
Summary: Add Random Seeding to OpenSSL
Initial Comment:
On systems without /dev/urandom, OpenSSL does not
work unless explicitly seeded. This patch gives
an option to seed it either from EGD, or from the
C rng
----------------------------------------------------------------------
>Comment By: Guido van Rossum (gvanrossum)
Date: 2001-08-09 09:26
Message:
Logged In: YES
user_id=6380
This patch was accepted, and then withdrawn because it
caused too many problems on some platforms. So I'm now
officially rejecting and closing it.
----------------------------------------------------------------------
Comment By: Guido van Rossum (gvanrossum)
Date: 2001-04-15 05:36
Message:
Logged In: YES
user_id=6380
Reopened and grabbed.
----------------------------------------------------------------------
Comment By: Guido van Rossum (gvanrossum)
Date: 2001-04-15 05:36
Message:
Logged In: YES
user_id=6380
But Modules/Setup is no longer used to build the socket module! It's now built by setup.py, which ignores
Modules/Setup AFAICT.
I'm very tempted to undo this patch, as it has too many problems (see the python-dev discussion: it needs
work for pre-0.9.5 versions of openssl, and on some systems it always issues a warning whenever you
import the socket module. That's bad, since few of those imports are intended to use the ssl support.
----------------------------------------------------------------------
Comment By: Moshe Zadka (moshez)
Date: 2001-04-15 04:37
Message:
Logged In: YES
user_id=11645
Whoever builds, in Modules/Setup
After many discussions, I have not found any way to
autodetect a running EGD so setup.py can enable it.
I should probably have documented it somewhere....sorry.
----------------------------------------------------------------------
Comment By: Guido van Rossum (gvanrossum)
Date: 2001-04-14 21:29
Message:
Logged In: YES
user_id=6380
Who defines USE_EGD???
----------------------------------------------------------------------
Comment By: Moshe Zadka (moshez)
Date: 2001-03-18 00:45
Message:
Logged In: YES
user_id=11645
Checked in
----------------------------------------------------------------------
Comment By: A.M. Kuchling (akuchling)
Date: 2001-03-17 08:38
Message:
Logged In: YES
user_id=11375
Looks OK. Go ahead and check it in.
----------------------------------------------------------------------
Comment By: Moshe Zadka (moshez)
Date: 2001-03-01 03:40
Message:
Logged In: YES
user_id=11645
New version of the patch: now warning when using the
insecure srand/rand (version at
http://www.lerner.co.il/~moshez/ssl_seed also updated)
Index: Modules/socketmodule.c
===================================================================
RCS file:
/cvsroot/python/python/dist/src/Modules/socketmodule.c,v
retrieving revision 1.137
diff -c -r1.137 socketmodule.c
*** Modules/socketmodule.c 2001/02/07 20:41:17
1.137
--- Modules/socketmodule.c 2001/03/01 11:37:12
***************
*** 176,181 ****
--- 176,182 ----
#include "openssl/pem.h"
#include "openssl/ssl.h"
#include "openssl/err.h"
+ #include "openssl/rand.h"
#endif /* USE_SSL */
#if defined(MS_WINDOWS) || defined(__BEOS__)
***************
*** 2473,2478 ****
--- 2474,2505 ----
if (PyDict_SetItemString(d, "SSLType",
(PyObject *)&SSL_Type) !=
0)
return;
+ if (RAND_status() == 0) {
+ #ifdef USE_EGD
+ char random_device[MAXPATHLEN+1];
+ if (!RAND_file_name (random_device,
MAXPATHLEN + 1)) {
+ PyErr_SetObject(SSLErrorObject,
+
PyString_FromString("RAND_file_name error"));
+ return;
+ }
+ if (RAND_egd (random_device) == -1) {
+ PyErr_SetObject(SSLErrorObject,
+
PyString_FromString("RAND_egd error"));
+ return;
+ }
+ #else /* USE_EGD not defined */
+ char random_string[32];
+ int i;
+
+ PyErr_Warn(PyExc_RuntimeWarning,
+ "using insecure method to
generate random numbers");
+ srand(time(NULL));
+ for(i=0; i<sizeof(random_string); i++) {
+ random_string[i] = rand();
+ }
+ RAND_seed(random_string,
sizeof(random_string));
+ #endif /* USE_EGD */
+ }
#endif /* USE_SSL */
PyDict_SetItemString(d, "error", PySocket_Error);
PySocketSock_Type.ob_type = &PyType_Type;
----------------------------------------------------------------------
Comment By: Moshe Zadka (moshez)
Date: 2001-03-01 03:01
Message:
Logged In: YES
user_id=11645
Note: the patch survived remarkably well:
The only broken lines are the one that goes:
(PyObject *)&SSL_Type) !=
And the one that goes:
RAND_seed(random_string,
----------------------------------------------------------------------
Comment By: Moshe Zadka (moshez)
Date: 2001-03-01 02:58
Message:
Logged In: YES
user_id=11645
Well, as usual, the attachment did not work.
Available as http://www.lerner.co.il/~moshez/ssl_seed
Also put here for reference purposes:
Index: Modules/socketmodule.c
===================================================================
RCS file:
/cvsroot/python/python/dist/src/Modules/socketmodule.c,v
retrieving revision 1.137
diff -c -r1.137 socketmodule.c
*** Modules/socketmodule.c 2001/02/07 20:41:17
1.137
--- Modules/socketmodule.c 2001/03/01 10:38:45
***************
*** 176,181 ****
--- 176,182 ----
#include "openssl/pem.h"
#include "openssl/ssl.h"
#include "openssl/err.h"
+ #include "openssl/rand.h"
#endif /* USE_SSL */
#if defined(MS_WINDOWS) || defined(__BEOS__)
***************
*** 2473,2478 ****
--- 2474,2503 ----
if (PyDict_SetItemString(d, "SSLType",
(PyObject *)&SSL_Type) !=
0)
return;
+ if (RAND_status() == 0) {
+ #ifdef USE_EGD
+ char random_device[MAXPATHLEN+1];
+ if (!RAND_file_name (random_device,
MAXPATHLEN + 1)) {
+ PyErr_SetObject(SSLErrorObject,
+
PyString_FromString("RAND_file_name error"));
+ return;
+ }
+ if (RAND_egd (random_device) == -1) {
+ PyErr_SetObject(SSLErrorObject,
+
PyString_FromString("RAND_egd error"));
+ return;
+ }
+ #else /* USE_EGD not defined */
+ char random_string[32];
+ int i;
+
+ srand(time(NULL));
+ for(i=0; i<sizeof(random_string); i++) {
+ random_string[i] = rand();
+ }
+ RAND_seed(random_string,
sizeof(random_string));
+ #end+ }
#endif /* USE_SSL */
PyDict_SetItemString(d, "error", PySocket_Error);
PySocketSock_Type.ob_type = &PyType_Type;
if /* USE_EGD */
----------------------------------------------------------------------
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=305470&aid=405101&group_id=5470