Small set of changes to make Mike happy (for a moment); make sure that

the .rnd file is created and used from the ssl directory only. No escapees please.

Small set of changes to make Mike happy (for a moment); make sure that
7fa21607 · Leigh B Stoller · 083e8a28 · 7fa21607 · 7fa21607 · 7fa21607
Commit 7fa21607 authored 4 years ago by Leigh B Stoller
--- a/ssl/GNUmakefile.in
+++ b/ssl/GNUmakefile.in
@@ -26,6 +26,7 @@ TESTBED_SRCDIR	= @top_srcdir@
 EVENTSYS	= @EVENTSYS@
 OBJDIR		= ..
 SUBDIR		= ssl
+RANDFILE        = ./.rnd

 # Installed certs and keys.
 APACHE_ETCDIR	    = @INSTALL_APACHE_CONFIG@
@@ -133,7 +134,7 @@ capture.pem:	dirsmade mkserial capture.cnf ca.cnf capture.key capture.req
 # tiptunnel binary, and it needs SHA
 #
 capture.fingerprint:	capture.pem
-	openssl x509 -sha -noout -fingerprint -in capture.pem \
+	openssl x509 -sha1 -noout -fingerprint -in capture.pem \
 	    > capture.fingerprint

 capture.sha1fingerprint:	capture.pem
@@ -154,12 +155,13 @@ ctrlnode.pem:	dirsmade mkserial ctrlnode.cnf ca.cnf ctrlnode.key ctrlnode.req

 keys:		emulab_privkey.pem emulab_pubkey.pem

-emulab_privkey.pem:
+emulab_privkey.pem: $(RANDFILE)
 	#
 	# Generate a priv key for signing stuff. This one gets a
 	# passphrase.
 	# 
-	openssl genrsa -out emulab_privkey.pem -des3 2048
+	(RANDFILE=$(RANDFILE) \
+	 openssl genrsa -out emulab_privkey.pem -rand $(RANDFILE) -des3 2048)

 emulab_pubkey.pem:	emulab_privkey.pem
 	#
@@ -172,8 +174,8 @@ emulab_pubkey.pem:	emulab_privkey.pem
 # If this fails, check to make sure that ~/.rnd is owned
 # by you and writable. 
 #
-%.key:
-	openssl genrsa -out $@ -rand .rand 2048
+%.key:	$(RANDFILE)
+	(RANDFILE=$(RANDFILE) openssl genrsa -out $@ -rand $(RANDFILE) 2048)

 #
 # Rule to extract public key from private key,
@@ -181,6 +183,9 @@ emulab_pubkey.pem:	emulab_privkey.pem
 %.pub:
 	openssl rsa -in $*.key -pubout -out $@

+$(RANDFILE):
+	dd if=/dev/urandom of=$(RANDFILE) bs=256 count=4
+
 # The point of the this is to recover the keys from where they were
 # originally installed. We do this cause people often lose their
 # original build tree, but if want to rebuild the certs, we usually
@@ -339,7 +344,7 @@ clean:
 	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

 cleanX: clean-certs clean-keys
-	rm -f serial index.txt *.old dirsmade *.cnf
+	rm -f serial index.txt *.old dirsmade *.cnf .rnd
 	rm -f mkserial updatecert mksig
 	rm -rf newcerts certs crl


--- a/ssl/apache-ops.cnf.in
+++ b/ssl/apache-ops.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/apache.cnf.in
+++ b/ssl/apache.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/ca.cnf.in
+++ b/ssl/ca.cnf.in
@@ -4,7 +4,7 @@
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
+RANDFILE		= ./.rnd

 ####################################################################
 [ ca ]

--- a/ssl/capture.cnf.in
+++ b/ssl/capture.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/ctrlnode.cnf.in
+++ b/ssl/ctrlnode.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/emulab-geni.cnf.in
+++ b/ssl/emulab-geni.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/emulab.cnf.in
+++ b/ssl/emulab.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/jabber.cnf.in
+++ b/ssl/jabber.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/localnode.cnf.in
+++ b/ssl/localnode.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024

--- a/ssl/server.cnf.in
+++ b/ssl/server.cnf.in
+RANDFILE               = ./.rnd
+
 [ req ]
 prompt                  = no
 default_bits		= 1024