Patch info for prng_bri
Creator | Brian Hatch
---|---
Patch to Version | 3.8
Type | security
Patch | prng_bri.patch
Status | Incorporated into stunnel-3.8p1 and later
Description (Full Text) | A patch to properly seed OpenSSL's PRNG

Author Comments
Logic behind the patch:
After each stage the PRNG is queried to see if it has
sufficient random info. If so, it stops seeding randomness
and gets on with the connections. (Note this is only available
on openssl 0.9.5a on. With older versions it assumes not enough
entropy has been acquired and continues boldly on.)
So, the logic:

0) try /dev/urandom
1) if on windows, use RAND_screen (supported all the way back
   to SSLeay)
2) if not on windows
   If openssl 0.9.5a or greater, add EGD support as follows:
     If '-E socketname' specified, attempt to communicate
     to EGD attached to that socket.
     If stunnel was compiled with '--with-egd-socket=FILE'
     then try that one next.
3) For all OS versions, grab random data from the following file(s)
     The file named with the '-R randfile' flag
     The filename in the environment variable $RANDFILE, or
     failing that $HOME/.rnd
     The filename specified with '--with-random' when stunnel was
     configured

Again, if sufficient entropy is available at any point along the way
it stops gathering entropy, thus it doesn't needlessly deplete the
entropy pool.
So as you can see it tries pretty much every damned way you could wish
(or expect with OpenSSL/SSLeay) to get random data.

Flags:
  -B bytes       how many bytes to read from actual files
  -R randfile    file with random data to read
  -E socket      EGD socket

Configure flags:
  --with-random      extended to add this filename to the list of files searched
  --with-egd-sock    egd socket to use (assumed this is made available to
                     everyone by root, etc)

This patch is backward compatible with SSLeay (and uses standard $RANDFILE
and $HOME/.rnd files, convenient if you've already set these for the
openssl command anyway) and includes the EGD support only if the ssl library
of choice supports it, so it's still appropriate for folks with older versions
of openssl and before.
Files modified: stunnel.c ssl.c stunnel.8.in common.h configure.in
Tested on solaris 2.7, linux, freebsd.
How to patch your version: unpack the original stunnel-3.8.tar.gz
file into a directory, cd to that dir, and run 'patch <patchfile'
where 'patchfile' is the file name to which you've saved the
attachment.
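
The staged seeding order from the author comments above, as an added C example that is not stunnel's or the patch author's code: each configured source is tried in turn and the loop stops as soon as the PRNG reports ready. `seed_in_stages`, `fake_source`, the 32-byte readiness threshold and the source labels are assumptions constructed for the demonstration, and the Windows stage is left out.

```c
/* Added example (not stunnel's code): staged PRNG seeding that stops at the
 * first stage after which the PRNG reports ready. All names are hypothetical;
 * with OpenSSL, ready() would wrap RAND_status() and a file stage RAND_load_file(). */
#include <stddef.h>
#include <stdio.h>
typedef int (*seed_fn)(const char *arg, long max_bytes); /* bytes added, <= 0 on failure */
typedef int (*status_fn)(void);                          /* 1 = enough entropy */
struct stage { seed_fn fn; const char *arg; };           /* arg NULL = not configured */

/* Returns the index of the stage after which the PRNG was ready, or -1 if it
 * never was. *tried counts the stages actually attempted. */
int seed_in_stages(const struct stage *st, size_t n, long max_bytes,
                   status_fn ready, int *tried)
{
    *tried = 0;
    for (size_t i = 0; i < n; i++) {
        if (st[i].arg == NULL) continue;     /* e.g. no -E or -R given */
        (*tried)++;
        st[i].fn(st[i].arg, max_bytes);      /* a failed source is not fatal */
        if (ready()) return (int)i;          /* stop: later sources stay untouched */
    }
    return -1;
}
/* Library without a status query: never report ready, so every stage runs. */
int status_unknown(void) { return 0; }
/* Constructed stand-in for the PRNG state: "ready" once 32 bytes were added. */
static long pool;
int fake_source(const char *arg, long max) {
    long have = (arg[0] == '!') ? 0 : (max < 20 ? max : 20); /* '!' = unreadable */
    pool += have; return (int)have;
}
int fake_ready(void) { return pool >= 32; }
/* The page's order over constructed sources (Windows stage 1 omitted). */
int demo(status_fn ready, long max_bytes, int *tried) {
    const struct stage order[] = {
        { fake_source, "!/dev/urandom" },   /* 0) missing on this host */
        { fake_source, NULL },              /* 2) -E socket not given */
        { fake_source, "-R randfile" },     /* 3) files, in the listed order */
        { fake_source, "$RANDFILE" },
        { fake_source, "--with-random" },
    };
    pool = 0;
    return seed_in_stages(order, sizeof order / sizeof order[0], max_bytes, ready, tried);
}
int main(void) {
    int tried, at = demo(fake_ready, 2048, &tried);
    printf("ready after stage index %d, %d stages tried\n", at, tried);
    return at < 0;
}
```
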
This website makes patches available for use by the
Internet community. However it does not endorse any of the patches
contained herein. They could work perfectly, or totally foul up
everything. We don't know. Contact the authors if you have any
questions. Use at your own risk.
The Stunnel software package does not contain any
cryptography itself, however please remember that import and/or export of
cryptographic software, code providing hooks to cryptographic
algorithms, and discussion about cryptography is illegal in some countries.
It is imperative for you to know your local laws governing cryptography.
We're not liable for anything you do that violates your local laws.