Skip to content
  1. Nov 23, 2018
  2. Nov 22, 2018
  3. Nov 21, 2018
  4. Nov 20, 2018
  5. Nov 19, 2018
  6. Nov 16, 2018
  7. Nov 15, 2018
  8. Nov 14, 2018
  9. Nov 13, 2018
  10. Nov 12, 2018
  11. Nov 10, 2018
  12. Nov 09, 2018
  13. Nov 08, 2018
    • Dr. Matthias St. Pierre's avatar
      rand_unix.c: open random devices on first use only · abf58ed3
      Dr. Matthias St. Pierre authored
      Commit c7504aeb
      
       (pr #6432) fixed a regression for applications in
      chroot environments, which compensated the fact that the new OpenSSL CSPRNG
      (based on the NIST DRBG) now reseeds periodically, which the previous
      one didn't. Now the reseeding could fail in the chroot environment if the
      DEVRANDOM devices were not present anymore and no other entropy source
      (e.g. getrandom()) was available.
      
      The solution was to keep the file handles for the DEVRANDOM devices open
      by default. In fact, the fix did more than this, it opened the DEVRANDOM
      devices early and unconditionally in rand_pool_init(), which had the
      unwanted side effect that the devices were opened (and kept open) even
      in cases when they were not used at all, for example when the getrandom()
      system call was available. Due  to a bug (issue #7419) this even happened
      when the feature was disabled by the application.
      
      This commit removes the unconditional opening of all DEVRANDOM devices.
      They will now only be opened (and kept open) on first use. In particular,
      if getrandom() is available, the handles will not be opened unnecessarily.
      
      This change does not introduce a regression for applications compiled for
      libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the
      above constellation the CSPRNG will only be properly seeded if it is happens
      before the forking and chrooting.
      
      Fixes #7419
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/7437)
      
      (cherry picked from commit 8cfc1971)
      abf58ed3