[Dovecot] [PATCH] OpenSSL RNG initialization
Hi,
dovecot tries to use OpenSSL's PRNG to generate random numbers if
there is no /dev/urandom found. Unfortunately, it is flawed in its
present
form, since the PRNG is not seeded before RAND_bytes() is called in
src/lib/randgen.c (on systems which have /dev/urandom, OpenSSL
automatically seeds its PRNG from the urandom device).
Here's a patch to address this issue: it tries to seed the PRNG if there
is no /dev/urandom present (which is likely the case if dovecot uses
OpenSSL's RAND API). It can also be fetched from
http://innoidea.com/~vili/dovecot_rng_init.diff
-Vilmos Nebehaj
Index: configure.in
===================================================================
RCS file: /home/cvs/dovecot/configure.in,v
retrieving revision 1.266
diff -u -r1.266 configure.in
--- configure.in 28 Feb 2006 08:36:41 -0000 1.266
+++ configure.in 10 Mar 2006 17:15:01 -0000
@@ -358,7 +358,8 @@
AC_CHECK_FUNCS(fcntl flock lockf inet_aton sigaction getpagesize
madvise \
strcasecmp stricmp vsnprintf vsyslog writev pread \
setrlimit setproctitle seteuid setreuid setegid setresgid \
- strtoull strtouq setpriority quotactl getmntent kqueue kevent)
+ strtoull strtouq setpriority quotactl getmntent kqueue kevent \
+ getrusage)
dnl * I/O loop function
have_ioloop=no
Index: src/lib/lib.h
===================================================================
RCS file: /home/cvs/dovecot/src/lib/lib.h,v
retrieving revision 1.20
diff -u -r1.20 lib.h
--- src/lib/lib.h 25 Sep 2005 10:44:04 -0000 1.20
+++ src/lib/lib.h 10 Mar 2006 17:15:02 -0000
@@ -20,6 +20,13 @@
# include
On Fri, 2006-03-17 at 17:28 +0100, Vilmos Nebehaj wrote:
Hi,
dovecot tries to use OpenSSL's PRNG to generate random numbers if there is no /dev/urandom found. Unfortunately, it is flawed in its
present form, since the PRNG is not seeded before RAND_bytes() is called in src/lib/randgen.c (on systems which have /dev/urandom, OpenSSL automatically seeds its PRNG from the urandom device).Here's a patch to address this issue: it tries to seed the PRNG if there is no /dev/urandom present (which is likely the case if dovecot uses OpenSSL's RAND API). It can also be fetched from
Thanks, committed to CVS. I did a couple of minor changes to make it consistent with Dovecot's coding style.
participants (2)
-
Timo Sirainen
-
Vilmos Nebehaj