diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-07-14 04:36:01 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:52:13 -0500 |
commit | 9d0783bf211dffe58845b36b0669f05bf8bf25b5 (patch) | |
tree | 3a7434e8a13cf736d2deb7268ef7cf3864cf9499 /source3/passdb | |
parent | 8f93b500320d7d4341dfea37fd1f82d02b1ce980 (diff) | |
download | samba-9d0783bf211dffe58845b36b0669f05bf8bf25b5.tar.gz samba-9d0783bf211dffe58845b36b0669f05bf8bf25b5.tar.bz2 samba-9d0783bf211dffe58845b36b0669f05bf8bf25b5.zip |
r1492: Rework our random number generation system.
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork().
For other systems, we now only re-seed after a fork, and on startup.
No need to do it per-operation. This removes the 'need_reseed'
parameter from generate_random_buffer().
Andrew Bartlett
(This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
Diffstat (limited to 'source3/passdb')
-rw-r--r-- | source3/passdb/machine_sid.c | 2 | ||||
-rw-r--r-- | source3/passdb/secrets.c | 60 |
2 files changed, 30 insertions, 32 deletions
diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c index 47b9e2d487..ce1354ce81 100644 --- a/source3/passdb/machine_sid.c +++ b/source3/passdb/machine_sid.c @@ -67,7 +67,7 @@ static void generate_random_sid(DOM_SID *sid) sid->num_auths = 0; sid->sub_auths[sid->num_auths++] = 21; - generate_random_buffer(raw_sid_data, 12, True); + generate_random_buffer(raw_sid_data, 12); for (i = 0; i < 3; i++) sid->sub_auths[sid->num_auths++] = IVAL(raw_sid_data, i*4); } diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c index 2b3175bed2..e7637f689d 100644 --- a/source3/passdb/secrets.c +++ b/source3/passdb/secrets.c @@ -30,10 +30,27 @@ static TDB_CONTEXT *tdb; +/** + * Use a TDB to store an incrementing random seed. + * + * Initialised to the current pid, the very first time Samba starts, + * and incremented by one each time it is needed. + * + * @note Not called by systems with a working /dev/urandom. + */ +static void get_rand_seed(int *new_seed) +{ + *new_seed = sys_getpid(); + if (tdb) { + tdb_change_int32_atomic(tdb, "INFO/random_seed", new_seed, 1); + } +} + /* open up the secrets database */ BOOL secrets_init(void) { pstring fname; + char dummy; if (tdb) return True; @@ -47,6 +64,18 @@ BOOL secrets_init(void) DEBUG(0,("Failed to open %s\n", fname)); return False; } + + /** + * Set a reseed function for the crypto random generator + * + * This avoids a problem where systems without /dev/urandom + * could send the same challenge to multiple clients + */ + set_rand_reseed_callback(get_rand_seed); + + /* Ensure that the reseed is done now, while we are root, etc */ + generate_random_buffer(&dummy, sizeof(dummy)); + return True; } @@ -504,37 +533,6 @@ BOOL trusted_domain_password_delete(const char *domain) } -/******************************************************************* - Reset the 'done' variables so after a client process is created - from a fork call these calls will be re-done. This should be - expanded if more variables need reseting. - ******************************************************************/ - -void reset_globals_after_fork(void) -{ - unsigned char dummy; - - secrets_init(); - - /* - * Increment the global seed value to ensure every smbd starts - * with a new random seed. - */ - - if (tdb) { - uint32 initial_val = sys_getpid(); - tdb_change_int32_atomic(tdb, "INFO/random_seed", (int *)&initial_val, 1); - set_rand_reseed_data((unsigned char *)&initial_val, sizeof(initial_val)); - } - - /* - * Re-seed the random crypto generator, so all smbd's - * started from the same parent won't generate the same - * sequence. - */ - generate_random_buffer( &dummy, 1, True); -} - BOOL secrets_store_ldap_pw(const char* dn, char* pw) { char *key = NULL; |