[or-cvs] Add half our entropy from RAND_poll in OpenSSL. These know...

Nick Mathewson nickm at seul.org
Fri Oct 7 19:03:11 UTC 2005


Update of /home/or/cvsroot/tor/src/common
In directory moria:/tmp/cvs-serv24327/src/common

Modified Files:
	crypto.c 
Log Message:
Add half our entropy from RAND_poll in OpenSSL.  These know how to use egd (if present), openbsd weirdness (if present), vms/os2 weirdness (if we ever port there), and more in the future.

Index: crypto.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/common/crypto.c,v
retrieving revision 1.164
retrieving revision 1.165
diff -u -d -r1.164 -r1.165
--- crypto.c	6 Oct 2005 22:22:22 -0000	1.164
+++ crypto.c	7 Oct 2005 19:03:09 -0000	1.165
@@ -1575,42 +1575,63 @@
 
 /* random numbers */
 
+/* This is how much entropy OpenSSL likes to add right now, so maybe it will
+ * work for us too. */
+#define ADD_ENTROPY 32
+
+/* Use RAND_poll if openssl is 0.9.6 release or later.  (The "f" means
+   "release".)  */
+#define USE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
+
 /** Seed OpenSSL's random number generator with bytes from the
  * operating system.  Return 0 on success, -1 on failure.
  */
 int
 crypto_seed_rng(void)
 {
-  char buf[64];
+  char buf[ADD_ENTROPY];
+  int rand_poll_status;
+
+  /* local variables */
 #ifdef MS_WINDOWS
   static int provider_set = 0;
   static HCRYPTPROV provider;
+#else
+  static const char *filenames[] = {
+    "/dev/srandom", "/dev/urandom", "/dev/random", NULL
+  };
+  int fd;
+  int i, n;
+#endif
 
+#if USE_RAND_POLL
+  /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
+   * entropy than we do.  We'll try calling that, *and* calling our own entropy
+   * functions.  If one succeeds, we'll accept the RNG as seeded. */
+  rand_poll_status = RAND_poll();
+  if (rand_poll_status == 0)
+    log_fn(LOG_WARN, "RAND_poll() failed.");
+#else
+  rand_poll_status = 0;
+#endif
+
+#ifdef MS_WINDOWS
   if (!provider_set) {
     if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
       if (GetLastError() != NTE_BAD_KEYSET) {
         log_fn(LOG_ERR,"Can't get CryptoAPI provider [1]");
-        return -1;
+        return rand_poll_status ? 0 : -1;
       }
     }
     provider_set = 1;
   }
   if (!CryptGenRandom(provider, sizeof(buf), buf)) {
     log_fn(LOG_ERR,"Can't get entropy from CryptoAPI.");
-    return -1;
+    return rand_poll_status ? 0 : -1;
   }
   RAND_seed(buf, sizeof(buf));
-  /* And add the current screen state to the entropy pool for
-   * good measure. */
-  RAND_screen();
   return 0;
 #else
-  static const char *filenames[] = {
-    "/dev/srandom", "/dev/urandom", "/dev/random", NULL
-  };
-  int fd;
-  int i, n;
-
   for (i = 0; filenames[i]; ++i) {
     fd = open(filenames[i], O_RDONLY, 0);
     if (fd<0) continue;
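Review bot: The fallback returns `return rand_poll_status ? 0 : -1;` treat any nonzero RAND_poll() result as proof that the generator is adequately seeded. This applies to the CryptAcquireContext and CryptGenRandom failure paths in this hunk and to the no-entropy-source path in the next hunk. As far as I know, RAND_poll() on some platforms returns success even when it gathered little or no real entropy, so once the OS source has failed the decision should rest on OpenSSL's own view of the pool, e.g. `return (rand_poll_status && RAND_status() == 1) ? 0 : -1;`. The doc comment on crypto_seed_rng() should also say that 0 now means "at least one source succeeded", because callers that go on to generate keys depend on that contract. The function body continues past the end of this hunk.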
@@ -1626,7 +1647,7 @@
   }
 
   log_fn(LOG_WARN, "Cannot seed RNG -- no entropy source found.");
-  return -1;
+  return rand_poll_status ? 0 : -1;
 #endif
 }
 
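Review bot: The warning `"Cannot seed RNG -- no entropy source found."` is still logged unconditionally, but with the changed return the function now reports success whenever RAND_poll() worked. An operator can therefore read that the RNG is unseeded while the caller was told it is seeded, which makes a real seeding failure harder to spot in the logs. Make the message follow the outcome, e.g. `log_fn(LOG_WARN, rand_poll_status ? "No OS entropy device found; relying on RAND_poll() only." : "Cannot seed RNG -- no entropy source found.");`. The device-reading loop and the start of crypto_seed_rng() are outside this hunk.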


