The branch OpenSSL_1_1_1-stable has been updated
       via  247b8a0b7d784821590898a1f0534af92ec238eb (commit)
       via  ad416c80581c181f3c96f47c670626bf3ff58410 (commit)
      from  7febec94858da85afe59bd70a3e728b724ed1ea0 (commit)


- Log -----------------------------------------------------------------
commit 247b8a0b7d784821590898a1f0534af92ec238eb
Author: Dr. Matthias St. Pierre <matthias.st.pie...@ncp-e.com>
Date:   Sun Jun 9 02:13:48 2019 +0200

    Add CHANGES entries for the DEVRANDOM_WAIT feature and its removal
    
    Reviewed-by: Tim Hudson <t...@openssl.org>
    Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/9118)

commit ad416c80581c181f3c96f47c670626bf3ff58410
Author: Dr. Matthias St. Pierre <matthias.st.pie...@ncp-e.com>
Date:   Wed Jun 5 11:09:46 2019 +0200

    Revert the DEVRANDOM_WAIT feature
    
    The DEVRANDOM_WAIT feature added a select() call to wait for the
    `/dev/random` device to become readable before reading from the
    `/dev/urandom` device. It was introduced in commit 38023b87f037
    in order to mitigate the fact that the `/dev/urandom` device
    does not block until the initial seeding of the kernel CSPRNG
    has completed, contrary to the behaviour of the `getrandom()`
    system call.
    
    It turned out that this change had negative side effects on
    performance which were not acceptable. After some discussion it
    was decided to revert this feature and leave it up to the OS
    or the platform maintainer to ensure proper initialization
    during early boot time.
    
    Fixes #9078
    
    This partially reverts commit 38023b87f037.
    
    Reviewed-by: Tim Hudson <t...@openssl.org>
    Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
    
    (cherry picked from commit a08714e18131b1998faa0113e5bd4024044654ac)
    
    (Merged from https://github.com/openssl/openssl/pull/9118)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                 | 22 +++++++++++++++++++++-
 crypto/rand/rand_unix.c | 23 -----------------------
 e_os.h                  |  3 ---
 3 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1fbea53..c5cd38b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,17 @@
 
  Changes between 1.1.1c and 1.1.1d [xx XXX xxxx]
 
-  *)
+  *) Revert the DEVRANDOM_WAIT feature for Linux systems
+
+     The DEVRANDOM_WAIT feature added a select() call to wait for the
+     /dev/random device to become readable before reading from the
+     /dev/urandom device.
+
+     It turned out that this change had negative side effects on
+     performance which were not acceptable. After some discussion it
+     was decided to revert this feature and leave it up to the OS
+     resp. the platform maintainer to ensure a proper initialization
+     during early boot time.
 
  Changes between 1.1.1b and 1.1.1c [28 May 2019]
 
@@ -79,6 +89,16 @@
      (CVE-2019-1543)
      [Matt Caswell]
 
+  *) Add DEVRANDOM_WAIT feature for Linux systems
+
+     On older Linux systems where the getrandom() system call is not available,
+     OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
+     Contrary to getrandom(), the /dev/urandom device will not block during
+     early boot when the kernel CSPRNG has not been seeded yet.
+
+     To mitigate this known weakness, use select() to wait for /dev/random to
+     become readable before reading from /dev/urandom.
+
   *) Ensure that SM2 only uses SM3 as digest algorithm
      [Paul Yang]
 
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
index 4710dbb..4b91903 100644
--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -510,29 +510,6 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
     bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
     {
         size_t i;
-#ifdef DEVRANDOM_WAIT
-        static int wait_done = 0;
-
-        /*
-         * On some implementations reading from /dev/urandom is possible
-         * before it is initialized. Therefore we wait for /dev/random
-         * to be readable to make sure /dev/urandom is initialized.
-         */
-        if (!wait_done && bytes_needed > 0) {
-             int f = open(DEVRANDOM_WAIT, O_RDONLY);
-
-             if (f >= 0) {
-                 fd_set fds;
-
-                 FD_ZERO(&fds);
-                 FD_SET(f, &fds);
-                 while (select(f+1, &fds, NULL, NULL, NULL) < 0
-                        && errno == EINTR);
-                 close(f);
-             }
-             wait_done = 1;
-        }
-#endif
 
         for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); 
i++) {
             ssize_t bytes = 0;
diff --git a/e_os.h b/e_os.h
index e9ce6c9..513ea2d 100644
--- a/e_os.h
+++ b/e_os.h
@@ -28,9 +28,6 @@
  * default, we will try to read at least one of these files
  */
 #  define DEVRANDOM "/dev/urandom", "/dev/random", "/dev/hwrng", "/dev/srandom"
-#  ifdef __linux
-#   define DEVRANDOM_WAIT "/dev/random"
-#  endif
 # endif
 # if !defined(OPENSSL_NO_EGD) && !defined(DEVRANDOM_EGD)
 /*
