RE: Win ssl bug
Resubmit as attachment since my previous posts wrapped.
Applies to 1.8-beta3.

Changelog:
* windows\Makefile.src: add gen_sslfunc.c
* windows\Makefile.src.bor: ditto.
* gen_sslfunc.c: on windows provide ssl crypto random initialization
  through RAND_screen(); could possibly be not enough for strong ssl
  communication (see the relevant manual page from the openssl package).

Heiko

--
-- PREVINET S.p.A.            [EMAIL PROTECTED]
-- Via Ferretto, 1            ph  x39-041-5907073
-- I-31021 Mogliano V.to (TV) fax x39-041-5907087
-- ITALY

-----Original Message-----
From: Herold Heiko [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 03, 2001 5:37 PM
To: List wget-bug (E-mail)
Subject: RE: Win ssl bug

Sorry, I forgot.

Changelog:
* windows\Makefile.src: add gen_sslfunc.c
* windows\Makefile.src.bor: ditto.

Heiko

--
-- PREVINET S.p.A.            [EMAIL PROTECTED]
-- Via Ferretto, 1            ph  x39-041-5907073
-- I-31021 Mogliano V.to (TV) fax x39-041-5907087
-- ITALY

20011204.diff
Description: Binary data

Re: Win ssl bug
Herold Heiko [EMAIL PROTECTED] writes:

> Resubmit as attachment since my previous posts wrapped.
> Applies to 1.8-beta3 .

Thanks. I've applied this, because it's a good stop-gap solution.
But I still have some remarks...

* We're now using lrand48 on Unix and RAND_screen on Windows. This
  looks completely wrong because we're not checking for lrand48 at
  all, and it could be missing. Also, RAND_screen might be useless on
  Windows if you're running Wget from a batch job. So, two things:

  + Switch to rand() for a random value. It's less secure, but as
    Daniel explained, anyone who cares about security will not use an
    RNG to seed another RNG. This will make Wget compile on Windows
    and MacOS X.

  + If possible, use rand() in addition to RAND_screen, in case
    RAND_screen is useless. This is optional.

  + Implement a `--random-file' option for people who do care about
    security, but cannot or don't want to use /dev/random or EGD.

I'm not sure if Christian has time for this, so I might take a stab at
it before 1.8. One problem is that I'm a cryptography dummy. The
problem with bad cryptography is that it looks just like good
cryptography and all that.

Re: Win ssl bug
On Mon, 3 Dec 2001, Herold Heiko wrote:

> However it still won't work due to missing
>
> gen_sslfunc.obj : error LNK2001: unresolved external symbol _lrand48
> gen_sslfunc.obj : error LNK2001: unresolved external symbol _srand48
>
> In fact looking through the VC++ documentation there doesn't seem to be a
> rand48() available.

You can replace those ones with just plain rand() and srand() or just write
your own.

No one in their right mind shall ever depend on using that random value
anyway for anything that pretends to be secure, as that wouldn't be
considered random enough, and thus it is not secure enough to use for
seeding SSL.

If /dev/urandom or similar isn't present, a serious SSL-using person should
provide a good random source himself. If not, there's not much difference in
using lrand48() or just plain rand(). They're both software (faked) random
generators.

For windows users, I recommend using the RAND_screen() function (it is only
present in windows), it uses the current displayed screen as input to the
random engine.

Of course, I may be completely wrong.

--
Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

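Added example, not part of the thread and not Wget's code: a sketch of the two ideas discussed in the messages above, a `--random-file` style seed source with a rand() fallback, and a check showing why the fallback is weak (the whole 32-byte seed is determined by the one integer given to srand()). The names `gather_seed`, `seed_from_rand`, `fallback_is_reproducible` and `SEED_LEN` are hypothetical, and no OpenSSL call is made; in a real build the buffer would be passed on to the SSL library's seeding function.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#define SEED_LEN 32   /* assumed seed size for this example */

enum seed_source { SEED_FROM_FILE = 1, SEED_FROM_RAND = 2 };

/* Weak fallback: every output byte is a function of the single integer s. */
static void seed_from_rand(unsigned int s, unsigned char *buf, size_t len)
{
    size_t i;
    srand(s);
    for (i = 0; i < len; i++) buf[i] = (unsigned char)(rand() & 0xff);
}

/* Hypothetical --random-file handling: use the file only if it supplies all
   len bytes; otherwise fall back and report which source was used, so the
   caller can warn instead of silently running with a weak seed. */
enum seed_source gather_seed(const char *random_file, unsigned int fallback,
                             unsigned char *buf, size_t len)
{
    FILE *fp = random_file ? fopen(random_file, "rb") : NULL;
    if (fp) {
        size_t got = fread(buf, 1, len, fp);
        fclose(fp);
        if (got == len)
            return SEED_FROM_FILE;
    }
    seed_from_rand(fallback, buf, len);
    return SEED_FROM_RAND;
}

/* Returns 1 when two fallback seeds built from the same integer are identical,
   i.e. the buffer carries no more entropy than that integer. */
int fallback_is_reproducible(unsigned int s)
{
    unsigned char a[SEED_LEN], b[SEED_LEN];
    seed_from_rand(s, a, sizeof a);
    seed_from_rand(s, b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

int main(int argc, char **argv)
{
    unsigned char seed[SEED_LEN];
    enum seed_source src = gather_seed(argc > 1 ? argv[1] : NULL,
                                       (unsigned int)time(NULL), seed, sizeof seed);
    puts(src == SEED_FROM_FILE ? "seed source: random file"
                               : "seed source: rand() fallback, too weak for SSL");
    return 0;
}
```
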
RE: Win ssl bug
Sorry, I forgot.

Changelog:
* windows\Makefile.src: add gen_sslfunc.c
* windows\Makefile.src.bor: ditto.

Heiko

--
-- PREVINET S.p.A.            [EMAIL PROTECTED]
-- Via Ferretto, 1            ph  x39-041-5907073
-- I-31021 Mogliano V.to (TV) fax x39-041-5907087
-- ITALY