Module: kamailio Branch: master Commit: 8539b7cf6c5db86973f4f74f92762de9011b968b URL: https://github.com/kamailio/kamailio/commit/8539b7cf6c5db86973f4f74f92762de9...
Author: Henning Westerholt hw@skalatan.de Committer: Henning Westerholt hw@skalatan.de Date: 2019-10-07T10:38:55+02:00
tls: add cryptorand support for TLS module, add some more comments to existing code
---
Modified: src/modules/tls/tls_rand.c Modified: src/modules/tls/tls_rand.h
---
Diff: https://github.com/kamailio/kamailio/commit/8539b7cf6c5db86973f4f74f92762de9... Patch: https://github.com/kamailio/kamailio/commit/8539b7cf6c5db86973f4f74f92762de9...
---
diff --git a/src/modules/tls/tls_rand.c b/src/modules/tls/tls_rand.c index d5c29b845f..a149b07d33 100644 --- a/src/modules/tls/tls_rand.c +++ b/src/modules/tls/tls_rand.c @@ -16,7 +16,11 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
- +/* + * OpenSSL docs: + * https://www.openssl.org/docs/man1.1.1/man7/RAND.html + * https://www.openssl.org/docs/man1.1.1/man3/RAND_set_rand_method.html + */
#include <stdlib.h> #include <string.h> @@ -28,7 +32,12 @@ #include "../../core/dprint.h" #include "../../core/rand/kam_rand.h" #include "../../core/rand/fastrand.h" +#include "../../core/rand/fortuna/random.h"
+/* + * Implementation for tests with system library PNRG, + * do not use this in production. + */ static int ksr_krand_bytes(unsigned char *outdata, int size) { int r; @@ -76,6 +85,11 @@ const RAND_METHOD *RAND_ksr_krand_method(void) return &_ksr_krand_method; }
+/* + * Implementation for tests with fastrand implementation, + * better as system library but still not secure enough. + * Do not use this in production.y + */ static int ksr_fastrand_bytes(unsigned char *outdata, int size) { int r; @@ -123,4 +137,47 @@ const RAND_METHOD *RAND_ksr_fastrand_method(void) return &_ksr_fastrand_method; }
+/* + * Implementation with Fortuna cryptographic PRNG. + * We are not strictly implementing the OpenSSL API here - we will + * not return an error if the PRNG has not been seeded with enough + * randomness to ensure an unpredictable byte sequence. + */ +static int ksr_cryptorand_bytes(unsigned char *outdata, int size) +{ + if (size < 0) { + return 0; + } else if (size == 0) { + return 1; + } + + sr_get_pseudo_random_bytes(outdata, size); + return 1; +} + +static int ksr_cryptorand_status(void) +{ + return 1; +} + +/* + * We don't have a dedicated function for pseudo-random + * bytes, just use the secure version as well for it. + */ +const RAND_METHOD _ksr_cryptorand_method = { + NULL, + ksr_cryptorand_bytes, + NULL, + NULL, + ksr_cryptorand_bytes, + ksr_cryptorand_status +}; + +const RAND_METHOD *RAND_ksr_cryptorand_method(void) +{ + return &_ksr_cryptorand_method; +} + + + #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h index d1a3f0d37f..c73d36b8d9 100644 --- a/src/modules/tls/tls_rand.h +++ b/src/modules/tls/tls_rand.h @@ -27,6 +27,7 @@
const RAND_METHOD *RAND_ksr_krand_method(void); const RAND_METHOD *RAND_ksr_fastrand_method(void); +const RAND_METHOD *RAND_ksr_cryptorand_method(void);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ #endif