tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-21 12:44:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ensure that password hash generation from OpenSSL is atomic

Browse Source 
This is supposed to solve a problem with segfaults caused by
race conditions withing the random byte generation of OpenSSL.

fixes #6279
This commit is contained in:
Jean Flach 2018-05-22 15:01:15 +02:00 committed by Michael Friedrich
parent f00f9f7270
commit 08a14cd136
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/base/tlsutility.cpp
View File

@ -31,6 +31,7 @@ namespace icinga
static bool l_SSLInitialized = false; static bool l_SSLInitialized = false;
static boost::mutex *l_Mutexes; static boost::mutex *l_Mutexes;
static boost::mutex l_RandomMutex;
#ifdef CRYPTO_LOCK #ifdef CRYPTO_LOCK
static void OpenSSLLockingCallback(int mode, int type, const char *, int) static void OpenSSLLockingCallback(int mode, int type, const char *, int)
@ -718,6 +719,11 @@ String RandomString(int length)
{ {
auto *bytes = new unsigned char[length]; auto *bytes = new unsigned char[length];
/* Ensure that password generation is atomic. RAND_bytes is not thread-safe
* in OpenSSL < 1.1.0.
*/
boost::mutex::scoped_lock lock(l_RandomMutex);
if (!RAND_bytes(bytes, length)) { if (!RAND_bytes(bytes, length)) {
delete [] bytes; delete [] bytes;
@ -730,6 +736,8 @@ String RandomString(int length)
<< errinfo_openssl_error(ERR_peek_error())); << errinfo_openssl_error(ERR_peek_error()));
} }
lock.unlock();
auto *output = new char[length * 2 + 1]; auto *output = new char[length * 2 + 1];
for (int i = 0; i < length; i++) for (int i = 0; i < length; i++)
sprintf(output + 2 * i, "%02x", bytes[i]); sprintf(output + 2 * i, "%02x", bytes[i]);