Author: vangyzen
Date: Fri Dec 11 14:32:42 2020
New Revision: 368553
URL: https://svnweb.freebsd.org/changeset/base/368553

Log:
  decryptcore: preload OpenSSL error strings; seed PRNG
  
  As in r360226, preload OpenSSL error strings and seed the PRNG
  before entering capability mode.
  
  MFC after:    2 weeks
  Sponsored by: Dell EMC Isilon

Modified:
  head/sbin/decryptcore/decryptcore.c

Modified: head/sbin/decryptcore/decryptcore.c
==============================================================================
--- head/sbin/decryptcore/decryptcore.c Fri Dec 11 14:11:41 2020        
(r368552)
+++ head/sbin/decryptcore/decryptcore.c Fri Dec 11 14:32:42 2020        
(r368553)
@@ -170,6 +170,19 @@ decrypt(int ofd, const char *privkeyfile, const char *
                goto failed;
        }
 
+       /*
+        * Obsolescent OpenSSL only knows about /dev/random, and needs to
+        * pre-seed before entering cap mode.  For whatever reason,
+        * RSA_pub_encrypt uses the internal PRNG.
+        */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+       {
+               unsigned char c[1];
+               RAND_bytes(c, 1);
+       }
+#endif
+       ERR_load_crypto_strings();
+
        caph_cache_catpages();
        if (caph_enter() < 0) {
                pjdlog_errno(LOG_ERR, "Unable to enter capability mode");
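Review bot: The return value of RAND_bytes(c, 1) in the pre-1.1.0 block is ignored, so a failed seed before caph_enter() goes unnoticed and would only surface later, inside capability mode, where the comment says /dev/random is the only source this OpenSSL knows about. Check that it returns 1 and otherwise log the error and goto failed, as the error path just above this block does. The comment also names RSA_pub_encrypt, whereas OpenSSL's function is RSA_public_encrypt and this hunk sits in decrypt(); name the call in this function that actually draws from the PRNG so the reason for the pre-seed stays verifiable.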
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
