OpenSSL: Better seeding of PRNG

* src/openssl.c (init_prng): keep gathering entropy even though we
                              already have enough
   (ssl_connect_with_timeout_callback): reseed PRNG again just before
                                        the handshake

Reported-by: Jeffrey Walton <noloader@gmail.com>
Ander Juarist 2018-04-28 20:07:46 +02:00 committed by Tim Rühsen
parent 744671aac6
commit b9c4cadd84


@ -67,10 +67,6 @@ init_prng (void)
char namebuf[256]; char namebuf[256];
const char *random_file; const char *random_file;
if (RAND_status ())
/* The PRNG has been seeded; no further action is necessary. */
return;
/* Seed from a file specified by the user. This will be the file /* Seed from a file specified by the user. This will be the file
specified with --random-file, $RANDFILE, if set, or ~/.rnd, if it specified with --random-file, $RANDFILE, if set, or ~/.rnd, if it
exists. */ exists. */
@ -88,18 +84,12 @@ init_prng (void)
curl) from random file. */ curl) from random file. */
RAND_load_file (random_file, 16384); RAND_load_file (random_file, 16384);
if (RAND_status ())
return;
#ifdef HAVE_RAND_EGD #ifdef HAVE_RAND_EGD
/* Get random data from EGD if opt.egd_file was used. */ /* Get random data from EGD if opt.egd_file was used. */
if (opt.egd_file && *opt.egd_file) if (opt.egd_file && *opt.egd_file)
RAND_egd (opt.egd_file); RAND_egd (opt.egd_file);
#endif #endif
if (RAND_status ())
return;
#ifdef WINDOWS #ifdef WINDOWS
/* Under Windows, we can try to seed the PRNG using screen content. /* Under Windows, we can try to seed the PRNG using screen content.
This may or may not work, depending on whether we'll calling Wget This may or may not work, depending on whether we'll calling Wget
@ -638,6 +628,15 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session)
goto error; goto error;
SSL_set_connect_state (conn); SSL_set_connect_state (conn);
/* Re-seed the PRNG before the SSL handshake */
init_prng ();
if (RAND_status () != 1)
{
logprintf(LOG_NOTQUIET,
_("WARNING: Could not seed PRNG. Consider using --random-file.\n"));
goto error;
}
scwt_ctx.ssl = conn; scwt_ctx.ssl = conn;
if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback, if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback,
&scwt_ctx)) { &scwt_ctx)) {
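Review bot: The new `RAND_status () != 1` gate in ssl_connect_wget only confirms that OpenSSL's entropy estimate is satisfied, not that the seed material was unpredictable. As far as I know RAND_load_file counts the bytes it reads toward that estimate, and init_prng ignores its return value, so a stale or predictable --random-file or ~/.rnd could satisfy the check on its own on a platform without an OS entropy source. I would state that limit next to the check, e.g. `/* RAND_status() reports OpenSSL's entropy estimate only; it does not validate the quality of --random-file. */`. The message is also tagged `WARNING:` although the code takes `goto error` and the connection is abandoned, so `ERROR:` would match the behaviour (note that this changes a translatable string). ssl_connect_wget starts and ends outside the hunk, so what the `error` label cleans up is not visible here.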