summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile.Release25
-rw-r--r--env_var_HPUX.status3
-rw-r--r--env_var_Linux.status1
-rw-r--r--mak/config.mak20
-rw-r--r--src/Pegasus/Common/SSLContext.h43
-rw-r--r--test/StressTestClients/Makefile5
-rw-r--r--test/StressTestClients/ModelWalkStressClient/Makefile5
7 files changed, 56 insertions, 46 deletions
diff --git a/Makefile.Release b/Makefile.Release
index de15bf1..6703412 100644
--- a/Makefile.Release
+++ b/Makefile.Release
@@ -642,31 +642,6 @@ stage_genOpenPegasusSSLCertsFile: FORCE
@$(CAT) $(ROOT)/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec >> \
$(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
-stage_SSLRandomSeedFiles: FORCE
- $(MAKE) -f $(ROOT)/Makefile.Release createrandomseed FILENAME=$(PEGASUS_STAGING_DIR)$(PEGASUS_VARDATA_DIR)/$(PEGASUS_CIMSERVER_RANDOMFILE)
- $(MAKE) -f $(ROOT)/Makefile.Release createrandomseed FILENAME=$(PEGASUS_STAGING_DIR)$(PEGASUS_VARDATA_DIR)/$(PEGASUS_WBEMEXEC_RANDOMFILE)
-
-setpermissions_SSLRandomSeedFiles: FORCE
- $(MAKE) -f $(ROOT)/Makefile.Release setpermissions PERMISSIONS="$(Pr________)" OWNER="$(INSTALL_USR)" GROUP="$(INSTALL_GRP)" OBJECT=$(PEGASUS_STAGING_DIR)$(PEGASUS_VARDATA_DIR)/$(PEGASUS_CIMSERVER_RANDOMFILE)
- $(MAKE) -f $(ROOT)/Makefile.Release setpermissions PERMISSIONS="$(Pr__r__r__)" OWNER="$(INSTALL_USR)" GROUP="$(INSTALL_GRP)" OBJECT=$(PEGASUS_STAGING_DIR)$(PEGASUS_VARDATA_DIR)/$(PEGASUS_WBEMEXEC_RANDOMFILE)
-
-stage_ServerCertificateFiles: FORCE
-ifdef PEGASUS_SSL_RANDOMFILE
- $(OPENSSL_COMMAND) req -x509 -days 3650 -newkey rsa:2048 -rand $(PEGASUS_STAGING_DIR)$(PEGASUS_CONFIG_DIR)/$(PEGASUS_CIMSERVER_RANDOMFILE) -nodes -config $(PEGASUS_STAGING_DIR)$(PEGASUS_CONFIG_DIR)/ssl.cnf -keyout $(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE) -out $(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
-else
- $(OPENSSL_COMMAND) req -x509 -days 3650 -newkey rsa:2048 -nodes -config $(PEGASUS_STAGING_DIR)$(PEGASUS_CONFIG_DIR)/ssl.cnf -keyout $(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE) -out $(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
-endif
-
-setpermissions_ServerCertificateFiles: FORCE
- $(MAKE) -f $(ROOT)/Makefile.Release setpermissions PERMISSIONS="$(Pr________)" OWNER="$(INSTALL_USR)" GROUP="$(INSTALL_GRP)" OBJECT=$(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
- $(MAKE) -f $(ROOT)/Makefile.Release setpermissions PERMISSIONS="$(Pr________)" OWNER="$(INSTALL_USR)" GROUP="$(INSTALL_GRP)" OBJECT=$(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
-
-stage_ClientCertificateFiles: FORCE
- $(COPY) $(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE) $(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE)
-
-setpermissions_ClientCertificateFiles: FORCE
- $(MAKE) -f $(ROOT)/Makefile.Release setpermissions PERMISSIONS="$(Pr__r__r__)" OWNER="$(INSTALL_USR)" GROUP="$(INSTALL_GRP)" OBJECT=$(PEGASUS_STAGING_DIR)$(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE)
-
stage_PegasusDirectories: FORCE
$(MAKE) -f $(ROOT)/Makefile.Release stage_PegasusProductDirectories
$(MAKE) -f $(ROOT)/Makefile.Release stage_PegasusSocketDirectory
diff --git a/env_var_HPUX.status b/env_var_HPUX.status
index e64922b..29a11b3 100644
--- a/env_var_HPUX.status
+++ b/env_var_HPUX.status
@@ -25,7 +25,6 @@ PEGASUS_USE_RELEASE_CONFIG_OPTIONS=true
PEGASUS_USE_RELEASE_DIRS=true
PEGASUS_USE_SYSLOGS=true
PEGASUS_CIM_SCHEMA=CIM29
-PEGASUS_SSL_RANDOMFILE = true
PEGASUS_PROD_DIR = /opt/wbem
PEGASUS_PRODSHARE_DIR = $(PEGASUS_PROD_DIR)/share
@@ -54,8 +53,6 @@ PEGASUS_PEM_DIR = /etc/opt/hp/sslshare
PEGASUS_SSL_KEY_FILE = file.pem
PEGASUS_SSL_CERT_FILE = cert.pem
PEGASUS_SSL_TRUSTSTORE = client.pem
-PEGASUS_CIMSERVER_RANDOMFILE = cimserver.rnd
-PEGASUS_WBEMEXEC_RANDOMFILE = wbemexec.rnd
PEGASUS_SAMPLES_DIR = $(PEGASUS_PROD_DIR)/samples
PEGASUS_SAMPLES_OBJ_DIR = $(PEGASUS_SAMPLES_DIR)/obj
diff --git a/env_var_Linux.status b/env_var_Linux.status
index 13a17b9..ea09ca5 100644
--- a/env_var_Linux.status
+++ b/env_var_Linux.status
@@ -25,6 +25,7 @@ PEGASUS_DISABLE_PERFINST=yes
PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
PEGASUS_HAS_SSL=yes
+PEGASUS_USE_SSL_RANDOMFILE=false
PEGASUS_NOASSERTS=yes
PEGASUS_PAM_AUTHENTICATION=true
PEGASUS_USE_PAM_STANDALONE_PROC=true
diff --git a/mak/config.mak b/mak/config.mak
index 1c75319..27d861f 100644
--- a/mak/config.mak
+++ b/mak/config.mak
@@ -532,7 +532,25 @@ ifdef PEGASUS_USE_NET_SNMP
endif
ifdef PEGASUS_HAS_SSL
- DEFINES += -DPEGASUS_HAS_SSL -DPEGASUS_SSL_RANDOMFILE
+ DEFINES += -DPEGASUS_HAS_SSL
+
+ # Enable SSL Random file by default.
+ ifndef PEGASUS_USE_SSL_RANDOMFILE
+ PEGASUS_USE_SSL_RANDOMFILE = true
+ endif
+
+ # Allow SSL Random file functionality to be optionally disabled.
+ ifdef PEGASUS_USE_SSL_RANDOMFILE
+ ifeq ($(PEGASUS_USE_SSL_RANDOMFILE), true)
+ DEFINES += -DPEGASUS_SSL_RANDOMFILE
+ else
+ ifneq ($(PEGASUS_USE_SSL_RANDOMFILE), false)
+ $(error PEGASUS_USE_SSL_RANDOMFILE\
+ ($(PEGASUS_USE_SSL_RANDOMFILE)) invalid, \
+ must be true or false)
+ endif
+ endif
+ endif
ifndef OPENSSL_COMMAND
ifdef OPENSSL_BIN
diff --git a/src/Pegasus/Common/SSLContext.h b/src/Pegasus/Common/SSLContext.h
index 81fae21..665dd08 100644
--- a/src/Pegasus/Common/SSLContext.h
+++ b/src/Pegasus/Common/SSLContext.h
@@ -297,10 +297,6 @@ private:
/** This class provides the interface that a client uses to create
SSL context.
-
- For the OSs that don't have /dev/random device file,
- must enable PEGASUS_SSL_RANDOMFILE flag and pass
- random file name to constructor.
*/
class PEGASUS_COMMON_LINKAGE SSLContext
{
@@ -311,9 +307,20 @@ public:
@param verifyCert function pointer to a certificate verification
call back function. A null pointer indicates that no callback is
requested for certificate verification.
- @param randomFile file path of a random file that is used as a seed
+ @param randomFile file path of a random file that may be used as a seed
for random number generation by OpenSSL.
+ NOTE:
+ For platforms that support /dev/random(urandom), the /dev/random
+ files will be used to seed OpenSSL. The specified random file
+ may be used as a fallback when /dev/random(urandom) is unavailable
+ or fails. Using /dev/random to seed OpenSSL is more secure than using
+ a random file.
+
+ An empty random file string indicates that a random file should not
+ be used. If sufficient randomness is not achieved using /dev/random
+ and/or a random file, an SSLException is thrown.
+
@exception SSLException indicates failure to create an SSL context.
*/
SSLContext(
@@ -382,9 +389,20 @@ public:
@param verifyCert function pointer to a certificate verification
call back function. A null pointer indicates that no callback is
requested for certificate verification.
- @param randomFile file path of a random file that is used as a seed
+ @param randomFile file path of a random file that may be used as a seed
for random number generation by OpenSSL.
+ NOTE:
+ For platforms that support /dev/random(urandom), the /dev/random
+ files will be used to seed OpenSSL. The specified random file
+ may be used as a fallback when /dev/random(urandom) is unavailable
+ or fails. Using /dev/random to seed OpenSSL is more secure than using
+ a random file.
+
+ An empty random file string indicates that a random file should not
+ be used. If sufficient randomness is not achieved using /dev/random
+ and/or a random file, an SSLException is thrown.
+
@exception SSLException indicates failure to create an SSL context.
*/
SSLContext(
@@ -405,9 +423,20 @@ public:
@param verifyCert function pointer to a certificate verification
call back function. A null pointer indicates that no callback is
requested for certificate verification.
- @param randomFile file path of a random file that is used as a seed
+ @param randomFile file path of a random file that may be used as a seed
for random number generation by OpenSSL.
+ NOTE:
+ For platforms that support /dev/random(urandom), the /dev/random
+ files will be used to seed OpenSSL. The specified random file
+ may be used as a fallback when /dev/random(urandom) is unavailable
+ or fails. Using /dev/random to seed OpenSSL is more secure than using
+ a random file.
+
+ An empty random file string indicates that a random file should not
+ be used. If sufficient randomness is not achieved using /dev/random
+ and/or a random file, an SSLException is thrown.
+
@exception SSLException indicates failure to create an SSL context.
*/
SSLContext(
diff --git a/test/StressTestClients/Makefile b/test/StressTestClients/Makefile
index 3858372..56f2021 100644
--- a/test/StressTestClients/Makefile
+++ b/test/StressTestClients/Makefile
@@ -33,11 +33,6 @@ ROOT = $(PEGASUS_ROOT)
DIR = ../test/StressTestClients
include $(ROOT)/mak/config.mak
-ifdef PEGASUS_HAS_SSL
- FLAGS += -DPEGASUS_HAS_SSL -DPEGASUS_SSL_RANDOMFILE
- SYS_INCLUDES += -I$(OPENSSL_HOME)/include
-endif
-
LOCAL_DEFINES = -DPEGASUS_STRESSTESTCLIENT_INTERNAL -DPEGASUS_INTERNALONLY
LIBRARY = TestStressTestClient
diff --git a/test/StressTestClients/ModelWalkStressClient/Makefile b/test/StressTestClients/ModelWalkStressClient/Makefile
index 12a6ff6..c6ff698 100644
--- a/test/StressTestClients/ModelWalkStressClient/Makefile
+++ b/test/StressTestClients/ModelWalkStressClient/Makefile
@@ -34,11 +34,6 @@ DIR = ../test/StressTestClients/ModelWalkStressClient
include $(ROOT)/mak/config.mak
-ifdef PEGASUS_HAS_SSL
- FLAGS += -DPEGASUS_HAS_SSL -DPEGASUS_SSL_RANDOMFILE
- SYS_INCLUDES += -I$(OPENSSL_HOME)/include
-endif
-
LIBRARIES = \
TestStressTestClient \
pegclient \