X-Git-Url: http://sjero.net/git/?a=blobdiff_plain;f=src%2Fgen_sslfunc.c;h=1f97edcc38b315c083bb8fde959b7e450dee302f;hb=75699d62131af1f72895bfa7c8858ccaf1cb100c;hp=be5e31e20801e2c41fe7f5b0ad3c60673aebd273;hpb=0b056d17201d2bae32857dbec4c8f7a95578cdf9;p=wget diff --git a/src/gen_sslfunc.c b/src/gen_sslfunc.c index be5e31e2..1f97edcc 100644 --- a/src/gen_sslfunc.c +++ b/src/gen_sslfunc.c @@ -24,6 +24,14 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ #include #include +#ifdef HAVE_UNISTD_H +# include +#endif +#ifdef HAVE_STRING_H +# include +#else +# include +#endif #include #include @@ -31,9 +39,12 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ #include #include #include +#include #include "wget.h" +#include "utils.h" #include "connect.h" +#include "url.h" #ifndef errno extern int errno; 
@@ -41,6 +52,66 @@ extern int errno; static int verify_callback PARAMS ((int, X509_STORE_CTX *)); +void +ssl_init_prng (void) +{ + /* It is likely that older versions of OpenSSL will fail on + non-Linux machines because this code is unable to seed the PRNG + on older versions of the library. */ + +#if SSLEAY_VERSION_NUMBER >= 0x00905100 + char rand_file[256]; + int maxrand = 500; + + /* First, seed from a file specified by the user. This will be + $RANDFILE, if set, or ~/.rnd. */ + RAND_file_name (rand_file, sizeof (rand_file)); + if (rand_file) + /* Seed at most 16k (value borrowed from curl) from random file. */ + RAND_load_file (rand_file, 16384); + + if (RAND_status ()) + return; + + /* Get random data from EGD if opt.sslegdsock was set. */ + if (opt.sslegdsock && *opt.sslegdsock) + RAND_egd (opt.sslegdsock); + + if (RAND_status ()) + return; + +#ifdef WINDOWS + /* Under Windows, we can try to seed the PRNG using screen content. + This may or may not work, depending on whether we'll calling Wget + interactively. */ + + RAND_screen (); + if (RAND_status ()) + return; +#endif + + /* Still not enough randomness, presumably because neither random + file nor EGD have been available. Use the stupidest possible + method -- seed OpenSSL's PRNG with the system's PRNG. This is + insecure in the cryptographic sense, but people who care about + security will use /dev/random or their own source of randomness + anyway. */ + + while (RAND_status () == 0 && maxrand-- > 0) + { + unsigned char rnd = random_number (256); + RAND_seed (&rnd, sizeof (rnd)); + } + + if (RAND_status () == 0) + { + logprintf (LOG_NOTQUIET, + _("Could not seed OpenSSL PRNG; disabling SSL.\n")); + scheme_disable (SCHEME_HTTPS); + } +#endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */ +} + /* Creates a SSL Context and sets some defaults for it */ uerr_t init_ssl (SSL_CTX **ctx) 
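Review bot: The last-resort loop in ssl_init_prng feeds OpenSSL's PRNG with bytes from `random_number (256)`, and RAND_seed credits each byte as full entropy, so `RAND_status ()` can turn true on input that the code's own comment calls cryptographically insecure. TLS key material would then rest on a guessable generator state. random_number is defined outside this hunk, so its seeding cannot be confirmed here, but I would drop the `while (RAND_status () == 0 && maxrand-- > 0)` loop and let the function fall through to the existing `scheme_disable (SCHEME_HTTPS)` branch, or at least log a LOG_NOTQUIET warning whenever the fallback is taken. Separately, `if (rand_file)` tests an array and is always true; test the call's result instead, `if (RAND_file_name (rand_file, sizeof (rand_file)))`. The function also deserves a header comment saying that it tries the seed sources in order and may disable HTTPS as a side effect.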
@@ -82,6 +153,9 @@ connect_ssl (SSL **con, SSL_CTX *ctx, int fd) SSL_connect (*con); if ((*con)->state != SSL_ST_OK) return 1; + /*while((SSLerror=ERR_get_error())!=0) + printf("%s\n", ERR_error_string(SSLerror,NULL));*/ + return 0; }
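Review bot: The three lines added to connect_ssl are commented-out debugging code. `SSLerror` is not declared in the visible lines, and the loop sits after `return 1;`, so even if enabled it would run only on the success path and never report a failed handshake. Either delete it, or make it real by reading the error queue before the failure return and routing it through the logger, e.g. `logprintf (LOG_NOTQUIET, "%s\n", ERR_error_string (ERR_get_error (), NULL));`. The start of connect_ssl lies outside the hunk.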