Ejemplo n.º 1
0
static bool pluto_init_nss(char *nssdb)
{
	SECStatus rv;

	/* little lie, lsw_nss_setup doesn't have logging */
	loglog(RC_LOG_SERIOUS, "NSS DB directory: sql:%s", nssdb);

	lsw_nss_buf_t err;
	if (!lsw_nss_setup(nssdb, LSW_NSS_READONLY, lsw_nss_get_password, err)) {
		loglog(RC_LOG_SERIOUS, "%s", err);
		return FALSE;
	}

	libreswan_log("NSS initialized");

	/*
	 * This exists purely to make the BSI happy.
	 * We do not inflict this on other users
	 */
	if (pluto_nss_seedbits != 0) {
		int seedbytes = BYTES_FOR_BITS(pluto_nss_seedbits);
		unsigned char *buf = alloc_bytes(seedbytes,"TLA seedmix");

		get_bsi_random(seedbytes, buf); /* much TLA, very blocking */
		rv = PK11_RandomUpdate(buf, seedbytes);
		libreswan_log("seeded %d bytes into the NSS PRNG", seedbytes);
		passert(rv == SECSuccess);
		messupn(buf, seedbytes);
		pfree(buf);
	}

	return TRUE;
}
Ejemplo n.º 2
0
static bool pluto_init_nss(char *nssdb)
{
	SECStatus rv;
	char dbuf[1024];

	snprintf(dbuf, sizeof(dbuf), "sql:%s", nssdb);
	loglog(RC_LOG_SERIOUS, "NSS DB directory: %s", dbuf);
	rv = NSS_Initialize(dbuf, "", "", SECMOD_DB, NSS_INIT_READONLY);
	if (rv != SECSuccess) {
		loglog(RC_LOG_SERIOUS, "NSS readonly initialization (\"%s\") failed (err %d)\n",
			dbuf, PR_GetError());
		return FALSE;
	}

	libreswan_log("NSS initialized");
	PK11_SetPasswordFunc(getNSSPassword);

	/*
	 * This exists purely to make the BSI happy.
	 * We do not inflict this on other users
	 */
	if (pluto_nss_seedbits != 0) {
		int seedbytes = BYTES_FOR_BITS(pluto_nss_seedbits);
		unsigned char *buf = alloc_bytes(seedbytes,"TLA seedmix");

		get_bsi_random(seedbytes, buf); /* much TLA, very blocking */
		rv = PK11_RandomUpdate(buf, seedbytes);
		libreswan_log("seeded %d bytes into the NSS PRNG", seedbytes);
		passert(rv == SECSuccess);
		messupn(buf, seedbytes);
		pfree(buf);
	}

	return TRUE;
}
Ejemplo n.º 3
0
/* UpdateRNG - Updates NSS's PRNG with user generated entropy. */
void UpdateNSS_RNG(void)
{
    SECStatus rv;
    unsigned char buf[RAND_BUF_SIZE];
    getrandom(RAND_BUF_SIZE, buf);
    rv = PK11_RandomUpdate(buf, sizeof buf);
    assert(rv == SECSuccess);
    memset(buf, 0, sizeof buf);
}
Ejemplo n.º 4
0
/*
 * UpdateRNG - Updates NSS's PRNG with user generated entropy
 *
 * pluto and rsasigkey use the NSS crypto library as its random source.
 * Some government Three Letter Agencies require that pluto reads additional
 * bits from /dev/random and feed these into the NSS RNG before drawing random
 * from the NSS library, despite the NSS library itself already seeding its
 * internal state. This process can block pluto or rsasigkey for an extended
 * time during startup, depending on the entropy of the system. Therefore
 * the default is to not perform this redundant seeding. If specifying a
 * value, it is recommended to specify at least 460 bits (for FIPS) or 440
 * bits (for BSI).
 */
static void UpdateNSS_RNG(int seedbits)
{
	SECStatus rv;
	int seedbytes = BYTES_FOR_BITS(seedbits);
	unsigned char *buf = alloc_bytes(seedbytes,"TLA seedmix");

	lsw_random(seedbytes, buf);
	rv = PK11_RandomUpdate(buf, seedbytes);
	assert(rv == SECSuccess);
	messupn(buf, seedbytes);
	pfree(buf);
}
Ejemplo n.º 5
0
Archivo: prng.c Proyecto: Baalmart/krb5
krb5_error_code
k5_nss_prng_add_entropy(krb5_context context, const krb5_data *indata)
{
    krb5_error_code ret;

    ret = k5_nss_init();
    if (ret)
        return ret;
    if (PK11_RandomUpdate(indata->data, indata->length) != SECSuccess)
        return k5_nss_map_last_error();
    return 0;
}
Ejemplo n.º 6
0
/*
 * bundle - bundle e and n into an RFC2537-format chunk_t
 */
static char *base64_bundle(int e, chunk_t modulus)
{
	/*
	 * Pack the single-byte exponent into a byte array.
	 */
	assert(e <= 255);
	u_char exponent_byte = 1;
	chunk_t exponent = {
		.ptr = &exponent_byte,
		.len = 1,
	};

	/*
	 * Create the resource record.
	 */
	char *bundle;
	err_t err = rsa_pubkey_to_base64(exponent, modulus, &bundle);
	if (err) {
		fprintf(stderr, "%s: can't-happen bundle convert error `%s'\n",
			progname, err);
		exit(1);
	}

	return bundle;
}

/* UpdateRNG - Updates NSS's PRNG with user generated entropy. */
static void UpdateNSS_RNG(int seedbits)
{
	SECStatus rv;
	int seedbytes = BYTES_FOR_BITS(seedbits);
	unsigned char *buf = alloc_bytes(seedbytes,"TLA seedmix");

	getrandom(seedbytes, buf);
	rv = PK11_RandomUpdate(buf, seedbytes);
	assert(rv == SECSuccess);
	messupn(buf, seedbytes);
	pfree(buf);
}