File openssl-urandom-reseeding.patch of Package openssl.1633
Index: openssl-1.0.1i/crypto/rand/rand_unix.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rand/rand_unix.c
+++ openssl-1.0.1i/crypto/rand/rand_unix.c
@@ -239,7 +239,8 @@ int RAND_poll(void)
unsigned long l;
pid_t curr_pid = getpid();
#if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
- unsigned char tmpbuf[ENTROPY_NEEDED];
+ /* STATE_SIZE is 1023 ... but it was suggested to seed with 1024 bytes */
+ unsigned char tmpbuf[1024];
int n = 0;
#endif
#ifdef DEVRANDOM
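Review bot: The buffer size is a bare `1024` whose comment refers to STATE_SIZE, a constant defined in another file, so the two values can drift apart without the compiler noticing. A named constant carrying the rationale would be clearer, e.g. `#define RAND_POLL_SEED_BYTES 1024 /* md_rand.c STATE_SIZE is 1023; seed with 1024 bytes as suggested */` followed by `unsigned char tmpbuf[RAND_POLL_SEED_BYTES];`. RAND_poll continues outside this hunk, so any remaining ENTROPY_NEEDED bound there, and the length and entropy estimate later passed on for tmpbuf, should be checked against the new size.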
@@ -260,7 +261,7 @@ int RAND_poll(void)
* if it runs out of random entries. */
for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
- (n < ENTROPY_NEEDED); i++)
+ (n < sizeof(tmpbuf)); i++)
{
if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
#ifdef O_NONBLOCK
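Review bot: `n` is declared `int` while `sizeof(tmpbuf)` is `size_t`, so the new bound `(n < sizeof(tmpbuf))` is a mixed signed/unsigned comparison. The same applies to the `while` condition in the last rand_unix.c hunk and to `sizeof(tmpbuf)-n` in the read() call. The visible code only ever adds a positive `r` to `n`, so the result is correct today, but it warns under -Wsign-compare and would silently misbehave if `n` could ever become negative. Writing `((size_t)n < sizeof(tmpbuf))` makes the intent explicit. The loop body runs past the end of this hunk.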
@@ -344,7 +345,7 @@ int RAND_poll(void)
if (try_read)
{
- r = read(fd,(unsigned char *)tmpbuf+n, ENTROPY_NEEDED-n);
+ r = read(fd,(unsigned char *)tmpbuf+n, sizeof(tmpbuf)-n);
if (r > 0)
n += r;
#if defined(OPENSSL_SYS_BEOS_R5)
@@ -365,7 +366,7 @@ int RAND_poll(void)
usec = 0;
}
while ((r > 0 ||
- (errno == EINTR || errno == EAGAIN)) && usec != 0 && n < ENTROPY_NEEDED);
+ (errno == EINTR || errno == EAGAIN)) && usec != 0 && n < sizeof(tmpbuf));
close(fd);
}
Index: openssl-1.0.1i/crypto/rand/md_rand.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rand/md_rand.c
+++ openssl-1.0.1i/crypto/rand/md_rand.c
@@ -347,6 +347,10 @@ int ssleay_rand_bytes(unsigned char *buf
if (num <= 0)
return 1;
+ /* special rule for /dev/urandom seeding ... seed with as much bytes
+ * from /dev/urandom as you get out */
+ RAND_load_file("/dev/urandom", num);
+
EVP_MD_CTX_init(&m);
/* round upwards to multiple of MD_DIGEST_LENGTH/2 */
num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2);
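Review bot: The result of `RAND_load_file("/dev/urandom", num)` is discarded, so when the device cannot be opened or read (a chroot or container without /dev, descriptor exhaustion) the per-call reseed is silently skipped and callers cannot tell. If the reseed is meant as best-effort, say so at the call: `/* best-effort: on failure the existing pool state is used unchanged */`. If it is meant as a guarantee, the return value needs to be compared with `num` and the failure reported. The path is also hard-coded here rather than taken from the device list used in rand_unix.c, and every call now pays for an open/read/close of the device. ssleay_rand_bytes continues outside the hunk.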
Index: openssl-1.0.1i/crypto/fips/fips_drbg_rand.c
===================================================================
--- openssl-1.0.1i.orig/crypto/fips/fips_drbg_rand.c
+++ openssl-1.0.1i/crypto/fips/fips_drbg_rand.c
@@ -78,6 +78,11 @@ static int fips_drbg_bytes(unsigned char
unsigned char *adin = NULL;
size_t adinlen = 0;
int locked;
+
+ /* add entropy in 1:1 relation (number pulled bytes / number pushed from /dev/urandom) */
+ if (count > dctx->min_entropy)
+ RAND_load_file("/dev/urandom", count - dctx->min_entropy);
+
locked = private_RAND_lock(1);
do
{
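Review bot: `count > dctx->min_entropy` may be a mixed signed/unsigned comparison: if `count` is a signed int and `min_entropy` an unsigned size (their declarations are outside this hunk), a negative `count` converts to a large unsigned value, passes the test and yields a wrapped length for RAND_load_file. A guard such as `if (count > 0 && (size_t)count > dctx->min_entropy)` avoids that. The RAND_load_file result is ignored here as well, so a missing or unreadable /dev/urandom leaves the DRBG without the intended extra input and nothing reports it. The comment speaks of a 1:1 relation, but the code loads `count - min_entropy` bytes, so the comment should state which is intended.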
Index: openssl-1.0.1i/crypto/rand/rand_lib.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rand/rand_lib.c
+++ openssl-1.0.1i/crypto/rand/rand_lib.c
@@ -278,7 +278,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
if (FIPS_rand_status())
{
int locked = private_RAND_lock(1);
- FIPS_drbg_reseed(ctx, NULL, 0);
+ FIPS_drbg_reseed(ctx, in, inlen);
if (locked) private_RAND_lock(0);
}
return 1;
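Review bot: The return value of `FIPS_drbg_reseed(ctx, in, inlen)` is still discarded and the function returns 1 regardless. With `NULL, 0` that mattered less, but now that caller-supplied data is passed as additional input the reseed can also be refused because of that input (for instance a length the DRBG does not accept), and drbg_rand_add would report success anyway. Consider `int ok = FIPS_drbg_reseed(ctx, in, inlen);` and returning 0 when `ok <= 0`. If `inlen` is a signed int (the signature is cut off in the hunk header), a negative value should be rejected before the call. The function starts outside this hunk.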