On Tue, Aug 10, 1999, Kimmell, Garrin wrote:
> [...]
> I wrote an app to access a hardware RNG, then print the bytes to stdout. I
> was under the impression that the number of bytes specified in the
> SSLRandomSeed directive would be passed on the command line and be
> accessible by argv[1]. Apparently this is not true. Does this require Unix
> signals to provide the ability to control the number of bytes to be read?
Yes, the idea was that the app writes until a SIGPIPE occurs. But I see no
real reason why we couldn't also pass the bytes as argv[1]. Here is a possible
change you can try:
Index: ssl_engine_rand.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_rand.c,v
retrieving revision 1.6
diff -u -r1.6 ssl_engine_rand.c
--- ssl_engine_rand.c 1999/05/01 10:06:07 1.6
+++ ssl_engine_rand.c 1999/08/11 06:15:31
@@ -108,7 +108,8 @@
/*
* seed in contents generated by an external program
*/
- if ((fp = ssl_util_ppopen(s, p, pRandSeed->cpPath)) == NULL)
+ if ((fp = ssl_util_ppopen(s, p, ap_psprintf(p, "%s %d",
+ pRandSeed->cpPath, pRandSeed->nBytes))) ==
+NULL)
continue;
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
ssl_util_ppclose(s, p, fp);
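Review bot: the comment above the ssl_util_ppopen() call still reads "seed in contents generated by an external program" and should now say that the requested byte count is passed to the program as its first argument, since every existing exec: program will start receiving an argument it did not get before. The count is joined to pRandSeed->cpPath with "%s %d" into a single command string, so whether it arrives as argv[1] depends on how ssl_util_ppopen() splits that string; a cpPath containing a space would shift it, and the path is worth quoting or the restriction documenting. It is also worth confirming that pRandSeed->nBytes is an int to match %d, and deciding what the program should be given when no byte count is configured.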
> SSLRandomSeed startup builtin
> SSLRandomSeed startup exec:c:/Progra~1/Apache/bin/intelrng.exe 1024
> SSLRandomSeed connect builtin
> SSLRandomSeed connect exec:c:/Progra~1/Apache/bin/intelrng.exe 1024
>
> Additionally, my application does not seem to be executed in the connection
> context. I know this is stated as not practical in the docs, but I'm just
> doing some testing. The application IS executed in the startup context,
> though.
It should also be executed on a per-connection basis. What makes
you think that it isn't executed?
> It's probable that these problems are a result of doing this on NT.
Maybe. I've never tried this under NT and certainly will never try it there ;)
At least the program spawning code for Unix and NT is totally different...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
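
An added example (not part of the original message and not mod_ssl code): a POSIX seed program that honours both conventions discussed in this thread, the byte count in argv[1] and writing until the reader closes the pipe. `/dev/urandom` is an assumed stand-in for the hardware RNG, and `parse_count` and `emit_seed` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse argv[1]: the byte count, or -1 if it is not a plain decimal number. */
long parse_count(const char *arg)
{
    char *end;
    long n;
    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    n = strtol(arg, &end, 10);
    return (errno != 0 || *end != '\0' || n < 0) ? -1 : n;
}

/* Copy entropy from src_fd to out_fd. limit > 0 stops after limit bytes;
 * limit == 0 writes until the reader closes the pipe. Returns bytes written. */
long emit_seed(int src_fd, int out_fd, long limit)
{
    unsigned char buf[256];
    long done = 0;
    while (limit == 0 || done < limit) {
        size_t want = sizeof(buf);
        if (limit > 0 && (size_t)(limit - done) < want)
            want = (size_t)(limit - done);
        ssize_t got = read(src_fd, buf, want);
        if (got <= 0)
            break;                      /* source exhausted or failed */
        ssize_t put = write(out_fd, buf, (size_t)got);
        if (put <= 0)
            break;                      /* EPIPE: the reader has enough */
        done += put;
    }
    return done;
}

int main(int argc, char **argv)
{
    long limit = (argc > 1) ? parse_count(argv[1]) : 0; /* no count: unlimited */
    int src = open("/dev/urandom", O_RDONLY); /* assumption: stand-in source */
    if (limit < 0 || src < 0)
        return 1;
    signal(SIGPIPE, SIG_IGN);           /* see EPIPE instead of being killed */
    emit_seed(src, STDOUT_FILENO, limit);
    return 0;
}
```

Rejecting a malformed count instead of falling back to unlimited output keeps a mistyped directive from silently changing how much the program writes.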