List: licq-devel
Subject: [Licq-devel] SSL randomness
From: Taral <taral () taral ! net>
Date: 2000-06-29 2:53:17
This patch enables seeding OpenSSL's PRNG from an EGD socket and from .rnd seed files, but I don't recommend it for the 0.85 release since I don't think this is the best way to do it. It's here in case anyone needs it.
--
Taral <taral@taral.net>
["ssl.diff" (TEXT/PLAIN)]
Index: include/licq_socket.h
===================================================================
RCS file: /extra/cvsroot/licq/include/licq_socket.h,v
retrieving revision 1.9
diff -u -p -r1.9 licq_socket.h
--- licq_socket.h 2000/06/29 01:55:40 1.9
+++ licq_socket.h 2000/06/29 02:43:43
@@ -20,6 +20,7 @@
#ifdef USE_OPENSSL
#include <openssl/ssl.h>
extern SSL_CTX *gSSL_CTX;
+extern bool gSSLEnabled, gSSLUseFile;
#else
typedef void SSL;
#endif
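Review bot: The two new globals are exported from the public socket header without a comment saying what they mean, so a plugin author has to read CLicq::Init to learn that gSSLEnabled is cleared when RAND_status() reports insufficient entropy. One declaration per line with a short comment would document the contract: `extern bool gSSLEnabled;   // false when the PRNG could not be seeded at startup; secure channels are refused` and `extern bool gSSLUseFile;   // entropy was loaded from the configured .rnd seed file`. That keeps each comment attached to its own flag.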
@@ -124,7 +125,7 @@ public:
void TransferConnectionFrom(TCPSocket &from);
bool Secure() { return m_pSSL != NULL; }
- bool SSL_Pending();
+ bool Pending();
bool SecureConnect();
bool SecureListen();
Index: src/icqd-tcp.cpp
===================================================================
RCS file: /extra/cvsroot/licq/src/icqd-tcp.cpp,v
retrieving revision 1.10
diff -u -p -r1.10 icqd-tcp.cpp
--- icqd-tcp.cpp 2000/06/29 01:55:41 1.10
+++ icqd-tcp.cpp 2000/06/29 02:43:47
@@ -415,45 +415,52 @@ void CICQDaemon::icqChatRequestAccept(un
CICQEventTag *CICQDaemon::icqOpenSecureChannel(unsigned long nUin)
{
#ifdef USE_OPENSSL
- ICQEvent *result = NULL;
-
- ICQUser *u = gUserManager.FetchUser(nUin, LOCK_W);
- if (u == NULL)
+ if (gSSLEnabled)
{
- gLog.Warn("%sCannot send secure channel request to user not on list (%ld).\n",
- L_WARNxSTR, nUin);
- return NULL;
- }
+ ICQEvent *result = NULL;
- // Check that the user doesn't already have a secure channel
- if (u->Secure())
- {
- gLog.Warn("%s%s (%ld) already has a secure channel.\n", L_WARNxSTR,
- u->GetAlias(), nUin);
- gUserManager.DropUser(u);
- return NULL;
- }
+ ICQUser *u = gUserManager.FetchUser(nUin, LOCK_W);
+ if (u == NULL)
+ {
+ gLog.Warn("%sCannot send secure channel request to user not on list (%ld).\n",
+ L_WARNxSTR, nUin);
+ return NULL;
+ }
- CPT_OpenSecureChannel *pkt = new CPT_OpenSecureChannel(u);
- gLog.Info("%sSending request for secure channel to %s (#%ld).\n", L_TCPxSTR,
- u->GetAlias(), -pkt->Sequence());
- result = SendExpectEvent_Client(u, pkt, NULL);
-
- u->SetSendServer(false);
-
- CICQEventTag *t = NULL;
- if (result != NULL)
- t = new CICQEventTag(result);
+ // Check that the user doesn't already have a secure channel
+ if (u->Secure())
+ {
+ gLog.Warn("%s%s (%ld) already has a secure channel.\n", L_WARNxSTR,
+ u->GetAlias(), nUin);
+ gUserManager.DropUser(u);
+ return NULL;
+ }
- gUserManager.DropUser(u);
+ CPT_OpenSecureChannel *pkt = new CPT_OpenSecureChannel(u);
+ gLog.Info("%sSending request for secure channel to %s (#%ld).\n", L_TCPxSTR,
+ u->GetAlias(), -pkt->Sequence());
+ result = SendExpectEvent_Client(u, pkt, NULL);
+
+ u->SetSendServer(false);
+
+ CICQEventTag *t = NULL;
+ if (result != NULL)
+ t = new CICQEventTag(result);
- return (t);
+ gUserManager.DropUser(u);
+ return (t);
+ }
+ else
+ {
+ gLog.Warn("%sicqOpenSecureChannel() to %ld called when SSL is disabled.\n",
+ L_WARNxSTR, nUin);
+ return NULL;
+ }
#else // No OpenSSL
gLog.Warn("%sicqOpenSecureChannel() to %ld called when we do not support OpenSSL.\n",
L_WARNxSTR, nUin);
return NULL;
-
#endif
}
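Review bot: Wrapping the whole body of icqOpenSecureChannel in `if (gSSLEnabled)` re-indents roughly 35 unchanged lines and pushes the real work a level deeper, when a guard clause at the top gives the same behaviour with a diff that only adds lines: `if (!gSSLEnabled) { gLog.Warn("%sicqOpenSecureChannel() to %ld called when SSL is disabled.\n", L_WARNxSTR, nUin); return NULL; }` followed by the original body untouched. The same shape applies to icqCloseSecureChannel below. gSSLEnabled is written once in CLicq::Init and read here on the caller's thread; if it is never changed after startup that is fine, but that intent is worth a comment on the declaration.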
@@ -461,45 +468,52 @@ CICQEventTag *CICQDaemon::icqOpenSecureC
CICQEventTag *CICQDaemon::icqCloseSecureChannel(unsigned long nUin)
{
#ifdef USE_OPENSSL
- ICQEvent *result = NULL;
-
- ICQUser *u = gUserManager.FetchUser(nUin, LOCK_W);
- if (u == NULL)
+ if (gSSLEnabled)
{
- gLog.Warn("%sCannot send secure channel request to user not on list (%ld).\n",
- L_WARNxSTR, nUin);
- return NULL;
- }
+ ICQEvent *result = NULL;
- // Check that the user doesn't already have a secure channel
- if (!u->Secure())
- {
- gLog.Warn("%s%s (%ld) does not have a secure channel.\n", L_WARNxSTR,
- u->GetAlias(), nUin);
- gUserManager.DropUser(u);
- return NULL;
- }
+ ICQUser *u = gUserManager.FetchUser(nUin, LOCK_W);
+ if (u == NULL)
+ {
+ gLog.Warn("%sCannot send secure channel request to user not on list (%ld).\n",
+ L_WARNxSTR, nUin);
+ return NULL;
+ }
+
+ // Check that the user doesn't already have a secure channel
+ if (!u->Secure())
+ {
+ gLog.Warn("%s%s (%ld) does not have a secure channel.\n", L_WARNxSTR,
+ u->GetAlias(), nUin);
+ gUserManager.DropUser(u);
+ return NULL;
+ }
- CPT_CloseSecureChannel *pkt = new CPT_CloseSecureChannel(u);
- gLog.Info("%sClosing secure channel with %s (#%ld).\n", L_TCPxSTR,
- u->GetAlias(), -pkt->Sequence());
- result = SendExpectEvent_Client(u, pkt, NULL);
-
- u->SetSendServer(false);
-
- CICQEventTag *t = NULL;
- if (result != NULL)
- t = new CICQEventTag(result);
+ CPT_CloseSecureChannel *pkt = new CPT_CloseSecureChannel(u);
+ gLog.Info("%sClosing secure channel with %s (#%ld).\n", L_TCPxSTR,
+ u->GetAlias(), -pkt->Sequence());
+ result = SendExpectEvent_Client(u, pkt, NULL);
- gUserManager.DropUser(u);
+ u->SetSendServer(false);
- return (t);
+ CICQEventTag *t = NULL;
+ if (result != NULL)
+ t = new CICQEventTag(result);
+ gUserManager.DropUser(u);
+
+ return (t);
+ }
+ else
+ {
+ gLog.Warn("%sicqCloseSecureChannel() to %ld called when SSL is diabled.\n",
+ L_WARNxSTR, nUin);
+ return NULL;
+ }
#else // No OpenSSL
gLog.Warn("%sicqCloseSecureChannel() to %ld called when we do not support OpenSSL.\n",
L_WARNxSTR, nUin);
return NULL;
-
#endif
}
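Review bot: The new warning `gLog.Warn("%sicqCloseSecureChannel() to %ld called when SSL is diabled.\n", ...)` misspells "disabled"; the sibling message in icqOpenSecureChannel spells it correctly, so the line should read `"%sicqCloseSecureChannel() to %ld called when SSL is disabled.\n"`. This is the message a user will grep for when a secure channel refuses to close, so the two should match.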
@@ -1342,32 +1356,43 @@ bool CICQDaemon::ProcessTcpPacket(TCPSoc
case ICQ_CMDxSUB_SECURExOPEN:
{
#ifdef USE_OPENSSL
- if (nInVersion <= 4) packet >> theSequence;
- packet >> licqChar >> licqVersion;
+ if (gSSLEnabled)
+ {
+ if (nInVersion <= 4) packet >> theSequence;
+ packet >> licqChar >> licqVersion;
- if (licqChar == 'L')
- gLog.Info("%sSecure channel request from %s (%ld) [Licq v0.%d].\n",
- L_TCPxSTR, u->GetAlias(), nUin, licqVersion);
- else
- gLog.Info("%sSecure channel request from %s (%ld).\n", L_TCPxSTR,
- u->GetAlias(), nUin);
+ if (licqChar == 'L')
+ gLog.Info("%sSecure channel request from %s (%ld) [Licq v0.%d].\n",
+ L_TCPxSTR, u->GetAlias(), nUin, licqVersion);
+ else
+ gLog.Info("%sSecure channel request from %s (%ld).\n", L_TCPxSTR,
+ u->GetAlias(), nUin);
- CPT_AckOpenSecureChannel p(theSequence, true, u);
- AckTCP(p, pSock);
+ CPT_AckOpenSecureChannel p(theSequence, true, u);
+ AckTCP(p, pSock);
+
+ if (!pSock->SecureListen())
+ {
+ errorOccured = true;
+ break;
+ }
+ u->SetSecure(true);
+ PushPluginSignal(new CICQSignal(SIGNAL_UPDATExUSER, USER_SECURITY, nUin, 1));
- if (!pSock->SecureListen())
+ gLog.Info("%sSecure channel established with %s (%ld).\n",
+ L_SSLxSTR, u->GetAlias(), nUin);
+
+ break;
+ }
+ else
{
- errorOccured = true;
+ gLog.Info("%sReceived secure channel request from %s (%ld) but SSL is disabled.\n",
+ L_TCPxSTR, u->GetAlias(), nUin);
+ // Send the nack back
+ CPT_AckOpenSecureChannel p(theSequence, false, u);
+ AckTCP(p, pSock);
break;
}
- u->SetSecure(true);
- PushPluginSignal(new CICQSignal(SIGNAL_UPDATExUSER, USER_SECURITY, nUin, 1));
-
- gLog.Info("%sSecure channel established with %s (%ld).\n",
- L_SSLxSTR, u->GetAlias(), nUin);
-
- break;
-
#else // We do not support OpenSSL
gLog.Info("%sReceived secure channel request from %s (%ld) but we do not support OpenSSL.\n",
L_TCPxSTR, u->GetAlias(), nUin);
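Review bot: In the SSL-disabled `else` branch the nack is built as `CPT_AckOpenSecureChannel p(theSequence, false, u)`, but `theSequence` is only read from the packet inside the `if (gSSLEnabled)` branch, so for peers with nInVersion <= 4 the nack carries whatever theSequence held before, and `licqChar`/`licqVersion` are left unread in the packet. Hoist the parsing above the flag check so both branches consume the same bytes: `if (nInVersion <= 4) packet >> theSequence;` and `packet >> licqChar >> licqVersion;` before `if (gSSLEnabled)`. ProcessTcpPacket starts and ends outside the hunk, and I cannot see where theSequence is initialised.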
Index: src/icqd-threads.cpp
===================================================================
RCS file: /extra/cvsroot/licq/src/icqd-threads.cpp,v
retrieving revision 1.8
diff -u -p -r1.8 icqd-threads.cpp
--- icqd-threads.cpp 2000/06/29 01:55:41 1.8
+++ icqd-threads.cpp 2000/06/29 02:43:48
@@ -483,7 +483,7 @@ void *MonitorSockets_tep(void *p)
}
// Save the bytes pending status of the socket
- bool bPending = tcp->SSL_Pending();
+ bool bPending = tcp->Pending();
bool r = true;
// Process the packet if the buffer is full
Index: src/licq.cpp
===================================================================
RCS file: /extra/cvsroot/licq/src/licq.cpp,v
retrieving revision 1.40
diff -u -p -r1.40 licq.cpp
--- licq.cpp 2000/06/29 01:55:41 1.40
+++ licq.cpp 2000/06/29 02:43:50
@@ -43,8 +43,11 @@ extern int errno;
/*-----Start OpenSSL code--------------------------------------------------*/
#ifdef USE_OPENSSL
-#include <openssl/ssl.h>
#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include <openssl/ssl.h>
+
+bool gSSLEnabled, gSSLUseFile;
// AUTOGENERATED by dhparam
static DH *get_dh512()
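Review bot: `gSSLUseFile` is defined here and set in CLicq::Init when a seed file is loaded, but nothing in this patch reads it; the later comment "Make sure we don't save non-random data" suggests a RAND_write_file() at shutdown that is not part of the diff. If that write-back lives elsewhere, a comment naming the consumer would help: `bool gSSLEnabled, gSSLUseFile; // gSSLUseFile: seed file loaded at startup, written back on exit`. Otherwise the flag is dead and the seed file is never refreshed.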
@@ -349,9 +352,6 @@ bool CLicq::Init(int argc, char **argv)
}
}
- // Close the conf file
- licqConf.CloseFile();
-
#ifdef USE_OPENSSL
// Initialize SSL
SSL_library_init();
@@ -365,7 +365,40 @@ bool CLicq::Init(int argc, char **argv)
DH *dh = get_dh512();
SSL_CTX_set_tmp_dh(gSSL_CTX, dh);
DH_free(dh);
+
+ gSSLEnabled = true;
+ gSSLUseFile = false;
+ if (licqConf.SetSection("SSL"))
+ {
+ char szData[MAX_FILENAME_LEN];
+ if (licqConf.ReadStr("EGD", szData))
+ {
+ RAND_egd(szData);
+ }
+ if (!RAND_status())
+ {
+ if (!licqConf.ReadStr("RandFile", szData))
+ {
+ strcpy(szData, getenv("HOME"));
+ strcat(szData, "/.rnd");
+ }
+ if (access(szData, R_OK))
+ {
+ RAND_load_file(szData, 0);
+ gSSLUseFile = true;
+ }
+ }
+ }
+ if (!RAND_status())
+ {
+ gLog.Warn("%sInsufficient entropy available. SSL disabled.\n", L_SSLxSTR);
+ gSSLEnabled = false;
+ gSSLUseFile = false; // Make sure we don't save non-random data
+ }
#endif
+
+ // Close the conf file
+ licqConf.CloseFile();
// Start things going
if (!gUserManager.Load())
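Review bot: The `access(szData, R_OK)` test is inverted: access() returns 0 on success, so RAND_load_file() runs only when the seed file is not readable, and gSSLUseFile is set for a file that was never loaded. The fallback path also copies `getenv("HOME")` with strcpy/strcat into a MAX_FILENAME_LEN buffer, which dereferences NULL when HOME is unset and can overflow for a long home directory; a bounded snprintf with a NULL check fixes both. Also confirm what `max_bytes == 0` means for RAND_load_file() in the OpenSSL release targeted, since `-1` reads the whole file unambiguously. CLicq::Init continues outside the hunk.
```cpp
      if (!licqConf.ReadStr("RandFile", szData))
      {
        // Default to $HOME/.rnd; give up if HOME is unset or the path does not fit.
        const char *szHome = getenv("HOME");
        if (szHome == NULL ||
            snprintf(szData, sizeof(szData), "%s/.rnd", szHome) >= (int)sizeof(szData))
          szData[0] = '\0';
      }
      // access() returns 0 on success: only load a file we can actually read.
      if (szData[0] != '\0' && access(szData, R_OK) == 0)
      {
        RAND_load_file(szData, -1); // -1: read the whole seed file
        gSSLUseFile = true;
      }
      // … unchanged: RAND_status() check and SSL disable …
```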
Index: src/socket.cpp
===================================================================
RCS file: /extra/cvsroot/licq/src/socket.cpp,v
retrieving revision 1.9
diff -u -p -r1.9 socket.cpp
--- socket.cpp 2000/06/29 01:55:41 1.9
+++ socket.cpp 2000/06/29 02:43:52
@@ -787,7 +787,7 @@ TCPSocket::~TCPSocket()
}
-bool TCPSocket::SSL_Pending()
+bool TCPSocket::Pending()
{
#ifdef USE_OPENSSL
return (m_pSSL && SSL_pending(m_pSSL));