CVS commit: src/crypto/external/bsd/openssl/dist/crypto/rand
Module Name:src Committed By: nia Date: Thu Apr 30 10:59:02 UTC 2020 Modified Files: src/crypto/external/bsd/openssl/dist/crypto/rand: rand_unix.c Log Message: Fix the detection of KERN_ARND by OpenSSL. Firstly, include the correct headers. Then, make sure that requests never exceed 256 bytes. Disable a hack for old FreeBSD versions, just in case it actually gets used. This should mean that OpenSSL doesn't ever fall back to reading from /dev/urandom. XXX pullup, XXX upstream. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 \ src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.15 src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.16
--- src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.15 Sun Mar 22 00:53:07 2020
+++ src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c Thu Apr 30 10:59:02 2020
@@ -26,12 +26,12 @@
 # include
 # endif
 #endif
-#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI)
+#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(OPENSSL_SYS_UEFI)
 # include
 # include
 # include
 #endif
-#if defined(__OpenBSD__) || defined(__NetBSD__)
+#if defined(__OpenBSD__)
 # include
 #endif
@@ -247,10 +247,12 @@ static ssize_t sysctl_random(char *buf,
 * when the sysctl returns long and we want to request something not a
 * multiple of longs, which should never be the case.
 */
+#if defined(__FreeBSD__)
 if (!ossl_assert(buflen % sizeof(long) == 0)) {
 errno = EINVAL;
 return -1;
 }
+#endif
 /*
 * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only
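Review bot: The comment directly above the newly guarded assert in sysctl_random still describes only FreeBSD's long-sized returns, so nothing at the guard explains why other platforms may now pass a `buflen` that is not a multiple of `sizeof(long)`. A one-line comment on the `#if defined(__FreeBSD__)` line would make the intent explicit, for example `/* only the legacy FreeBSD interface returned whole longs; other platforms take arbitrary lengths */`. The function body starts before this hunk and continues after it, so the wording should be checked against the full comment block.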
@@ -268,7 +270,8 @@ static ssize_t sysctl_random(char *buf,
 mib[1] = KERN_ARND;
 do {
-len = buflen;
+/* On NetBSD, KERN_ARND fails if more than 256 bytes are requested */
+len = buflen > 256 ? 256 : buflen;
 if (sysctl(mib, 2, buf, , NULL, 0) == -1)
 return done > 0 ? done : -1;
 done += len;
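Review bot: After the sysctl() call, the length written back to `len` is added to `done` without being checked, so a call that succeeds but reports zero bytes would make no progress. Adding `if (len == 0) return done > 0 ? done : -1;` right after the error check would bound that case. This assumes the loop tail, which lies outside the hunk, advances the buffer by `len`. The bare `256` in the clamp would also read better as a named constant, so the limit is stated once and the comment and the code cannot drift apart.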
CVS commit: src/crypto/external/bsd/openssl/dist/crypto/rand
Module Name:src Committed By: riastradh Date: Sat Feb 15 23:19:37 UTC 2020 Modified Files: src/crypto/external/bsd/openssl/dist/crypto/rand: rand_unix.c Log Message: Open /dev/urandom with O_CLOEXEC. Let's avoid bleeding file descriptors into our clients' children, shall we? XXX pullup To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 \ src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.13 src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.14
--- src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.13 Thu Jan 23 02:54:55 2020
+++ src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c Sat Feb 15 23:19:37 2020
@@ -479,7 +479,7 @@ static int get_random_device(size_t n)
 return rd->fd;
 /* open the random device ... */
-if ((rd->fd = open(random_device_paths[n], O_RDONLY)) == -1)
+if ((rd->fd = open(random_device_paths[n], O_RDONLY|O_CLOEXEC)) == -1)
 return rd->fd;
 /* ... and cache its relevant stat(2) data */
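Review bot: `O_CLOEXEC` is used unconditionally in the open() call, so this line would not compile on a target whose fcntl header lacks the flag. That matters if the change is ever offered upstream, where rand_unix.c is built for many Unix variants. A fallback near the includes, `#ifndef O_CLOEXEC` / `# define O_CLOEXEC 0` / `#endif`, would keep the build portable, with the caveat that on such targets the descriptor is again inherited across exec. A short comment on the open() line, such as `/* cached fd must not leak into programs exec'd by the caller */`, would record why the flag is there. The body of get_random_device extends beyond the hunk on both sides.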
CVS commit: src/crypto/external/bsd/openssl/dist/crypto/rand
Module Name:src Committed By: tls Date: Sun Jul 28 14:13:29 UTC 2013 Modified Files: src/crypto/external/bsd/openssl/dist/crypto/rand: md_rand.c Log Message: Re-check the entropy level after we call RAND_poll(), so that we do not continuously suck data out of /dev/urandom if we receive a stream of requests larger than the initial-entropy threshold (hi Roland!). To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 \ src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c diff -u src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.4 src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.5 --- src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.4 Tue Feb 5 21:31:25 2013 +++ src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c Sun Jul 28 14:13:29 2013 @@ -397,6 +397,11 @@ static int ssleay_rand_bytes(unsigned ch RAND_poll(); ok = (entropy = ENTROPY_NEEDED); + } + + if (!ok) + { + /* If the PRNG state is not yet unpredictable, then seeing * the PRNG output may help attackers to determine the new * state; thus we have to decrease the entropy estimate.
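Review bot: The re-check shown as context, `ok = (entropy = ENTROPY_NEEDED);`, reads on this page as an assignment rather than a comparison. Taken literally, it would overwrite the entropy estimate with the threshold and make `ok` true whenever the threshold is non-zero. The operator was probably lost in rendering and the file presumably has `>=`, but this is worth confirming against the source because the new `if (!ok)` branch depends entirely on that value. The new branch would also benefit from a one-line comment such as `/* still under-seeded after polling: discount the bytes about to be handed out */`. The enclosing block opens before the hunk and the comment at its end continues past it.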
CVS commit: src/crypto/external/bsd/openssl/dist/crypto/rand
Module Name:src Committed By: tls Date: Wed Mar 7 10:17:48 UTC 2012 Modified Files: src/crypto/external/bsd/openssl/dist/crypto/rand: md_rand.c Log Message: Fix applications that call RAND_bytes() before any other RAND function. Last change was...a bit too simple. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 \ src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.2 src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.3
--- src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.2 Mon Mar 5 20:13:36 2012
+++ src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c Wed Mar 7 10:17:47 2012
@@ -395,6 +395,7 @@ static int ssleay_rand_bytes(unsigned ch
 {
 RAND_poll();
+ ok = (entropy = ENTROPY_NEEDED);
 /* If the PRNG state is not yet unpredictable, then seeing
 * the PRNG output may help attackers to determine the new