Commit f114caca authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

- T. Bharath pointed out that we seed SSL on every connect, which is a time- 

  consuming operation that should only be needed to do once. We patched
  libcurl to now only seed on the first connect when unseeded. The seeded
  status is global so it'll now only happen once during a program's life time.
parent 9468c9c7

lib/ssluse.c

+17 −12
Original line number Diff line number Diff line
@@ -80,10 +80,8 @@ static int passwd_callback(char *buf, int num, int verify 
}



static

bool seed_enough(struct connectdata *conn, /* unused for now */

                 int nread)

bool seed_enough(int nread)

{

  conn = NULL; /* to prevent compiler warnings */

#ifdef HAVE_RAND_STATUS

  nread = 0; /* to prevent compiler warnings */
@@ -99,11 +97,10 @@ bool seed_enough(struct connectdata *conn, /* unused for now */ 
}



static

int random_the_seed(struct connectdata *conn)

int random_the_seed(struct SessionHandle *data)

{

  char *buf = conn->data->state.buffer; /* point to the big buffer */

  char *buf = data->state.buffer; /* point to the big buffer */

  int nread=0;

  struct SessionHandle *data=conn->data;



  /* Q: should we add support for a random file name as a libcurl option?

     A: Yes, it is here */
@@ -119,7 +116,7 @@ int random_the_seed(struct connectdata *conn) 
    nread += RAND_load_file((data->set.ssl.random_file?

                             data->set.ssl.random_file:RANDOM_FILE),

                            16384);

    if(seed_enough(conn, nread))

    if(seed_enough(nread))

      return nread;

  }
@@ -138,7 +135,7 @@ int random_the_seed(struct connectdata *conn) 
    int ret = RAND_egd(data->set.ssl.egdsocket?data->set.ssl.egdsocket:EGD_SOCKET);

    if(-1 != ret) {

      nread += ret;

      if(seed_enough(conn, nread))

      if(seed_enough(nread))

        return nread;

    }

  }
@@ -170,11 +167,11 @@ int random_the_seed(struct connectdata *conn) 
  if ( buf[0] ) {

    /* we got a file name to try */

    nread += RAND_load_file(buf, 16384);

    if(seed_enough(conn, nread))

    if(seed_enough(nread))

      return nread;

  }



  infof(conn->data, "Your connection is using a weak random seed!\n");

  infof(data, "libcurl is now using a weak random seed!\n");

  return nread;

}
@@ -363,6 +360,10 @@ int cert_verify_callback(int ok, X509_STORE_CTX *ctx) 
#ifdef USE_SSLEAY

/* "global" init done? */

static int init_ssl=0;



/* we have the "SSL is seeded" boolean global for the application to

   prevent multiple time-consuming seedings in vain */

static bool ssl_seeded = FALSE;

#endif



/* Global init */
@@ -677,8 +678,12 @@ Curl_SSLConnect(struct connectdata *conn) 
  /* mark this is being ssl enabled from here on out. */

  conn->ssl.use = TRUE;



  if(!ssl_seeded) {

    /* Make funny stuff to get random input */

  random_the_seed(conn);

    random_the_seed(data);



    ssl_seeded = TRUE;

  }



  /* check to see if we've been told to use an explicit SSL/TLS version */

  switch(data->set.ssl.version) {