[sr-dev] git:master:8539b7cf: tls: add cryptorand support for TLS module, add some more comments to existing code

Henning Westerholt hw at skalatan.de
Mon Oct 7 10:39:33 CEST 2019


Module: kamailio
Branch: master
Commit: 8539b7cf6c5db86973f4f74f92762de9011b968b
URL: https://github.com/kamailio/kamailio/commit/8539b7cf6c5db86973f4f74f92762de9011b968b

Author: Henning Westerholt <hw at skalatan.de>
Committer: Henning Westerholt <hw at skalatan.de>
Date: 2019-10-07T10:38:55+02:00

tls: add cryptorand support for TLS module, add some more comments to existing code

---

Modified: src/modules/tls/tls_rand.c
Modified: src/modules/tls/tls_rand.h

---

Diff:  https://github.com/kamailio/kamailio/commit/8539b7cf6c5db86973f4f74f92762de9011b968b.diff
Patch: https://github.com/kamailio/kamailio/commit/8539b7cf6c5db86973f4f74f92762de9011b968b.patch

---

diff --git a/src/modules/tls/tls_rand.c b/src/modules/tls/tls_rand.c
index d5c29b845f..a149b07d33 100644
--- a/src/modules/tls/tls_rand.c
+++ b/src/modules/tls/tls_rand.c
@@ -16,7 +16,11 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-
+/*
+ * OpenSSL docs:
+ * https://www.openssl.org/docs/man1.1.1/man7/RAND.html
+ * https://www.openssl.org/docs/man1.1.1/man3/RAND_set_rand_method.html
+ */
 
 #include <stdlib.h>
 #include <string.h>
@@ -28,7 +32,12 @@
 #include "../../core/dprint.h"
 #include "../../core/rand/kam_rand.h"
 #include "../../core/rand/fastrand.h"
+#include "../../core/rand/fortuna/random.h"
 
+/*
+ * Implementation for tests with system library PNRG,
+ * do not use this in production.
+ */
 static int ksr_krand_bytes(unsigned char *outdata, int size)
 {
 	int r;
@@ -76,6 +85,11 @@ const RAND_METHOD *RAND_ksr_krand_method(void)
     return &_ksr_krand_method;
 }
 
+/*
+ * Implementation for tests with fastrand implementation,
+ * better as system library but still not secure enough.
+ * Do not use this in production.y
+ */
 static int ksr_fastrand_bytes(unsigned char *outdata, int size)
 {
 	int r;
@@ -123,4 +137,47 @@ const RAND_METHOD *RAND_ksr_fastrand_method(void)
     return &_ksr_fastrand_method;
 }
 
+/*
+ * Implementation with Fortuna cryptographic PRNG.
+ * We are not strictly implementing the OpenSSL API here - we will
+ * not return an error if the PRNG has not been seeded with enough
+ * randomness to ensure an unpredictable byte sequence.
+ */
+static int ksr_cryptorand_bytes(unsigned char *outdata, int size)
+{
+	if (size < 0) {
+		return 0;
+	} else if (size == 0) {
+		return 1;
+	}
+
+	sr_get_pseudo_random_bytes(outdata, size);
+	return 1;
+}
+
+static int ksr_cryptorand_status(void)
+{
+    return 1;
+}
+
+/*
+ * We don't have a dedicated function for pseudo-random
+ * bytes, just use the secure version as well for it.
+ */
+const RAND_METHOD _ksr_cryptorand_method = {
+    NULL,
+    ksr_cryptorand_bytes,
+    NULL,
+    NULL,
+    ksr_cryptorand_bytes,
+    ksr_cryptorand_status
+};
+
+const RAND_METHOD *RAND_ksr_cryptorand_method(void)
+{
+    return &_ksr_cryptorand_method;
+}
+
+
+
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
index d1a3f0d37f..c73d36b8d9 100644
--- a/src/modules/tls/tls_rand.h
+++ b/src/modules/tls/tls_rand.h
@@ -27,6 +27,7 @@
 
 const RAND_METHOD *RAND_ksr_krand_method(void);
 const RAND_METHOD *RAND_ksr_fastrand_method(void);
+const RAND_METHOD *RAND_ksr_cryptorand_method(void);
 
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 #endif




More information about the sr-dev mailing list