Overview

File openssl-urandom-reseeding.patch of Package openssl.1633

Index: openssl-1.0.1i/crypto/rand/rand_unix.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rand/rand_unix.c
+++ openssl-1.0.1i/crypto/rand/rand_unix.c
@@ -239,7 +239,8 @@ int RAND_poll(void)
 	unsigned long l;
 	pid_t curr_pid = getpid();
 #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
-	unsigned char tmpbuf[ENTROPY_NEEDED];
+	/* STATE_SIZE is 1023 ... but it was suggested to seed with 1024 bytes */
+	unsigned char tmpbuf[1024];
 	int n = 0;
 #endif
 #ifdef DEVRANDOM
@@ -260,7 +261,7 @@ int RAND_poll(void)
 	 * if it runs out of random entries.  */
 
 	for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
-			(n < ENTROPY_NEEDED); i++)
+			(n < sizeof(tmpbuf)); i++)
 		{
 		if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
 #ifdef O_NONBLOCK
@@ -344,7 +345,7 @@ int RAND_poll(void)
 				
 				if (try_read)
 					{
-					r = read(fd,(unsigned char *)tmpbuf+n, ENTROPY_NEEDED-n);
+					r = read(fd,(unsigned char *)tmpbuf+n, sizeof(tmpbuf)-n);
 					if (r > 0)
 						n += r;
 #if defined(OPENSSL_SYS_BEOS_R5)
@@ -365,7 +366,7 @@ int RAND_poll(void)
 					usec = 0;
 				}
 			while ((r > 0 ||
-			       (errno == EINTR || errno == EAGAIN)) && usec != 0 && n < ENTROPY_NEEDED);
+			       (errno == EINTR || errno == EAGAIN)) && usec != 0 && n < sizeof(tmpbuf));
 
 			close(fd);
 			}
Index: openssl-1.0.1i/crypto/rand/md_rand.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rand/md_rand.c
+++ openssl-1.0.1i/crypto/rand/md_rand.c
@@ -347,6 +347,10 @@ int ssleay_rand_bytes(unsigned char *buf
 	if (num <= 0)
 		return 1;
 
+	/* special rule for /dev/urandom seeding ... seed with as much bytes
+	 * from /dev/urandom as you get out */
+	RAND_load_file("/dev/urandom", num);
+
 	EVP_MD_CTX_init(&m);
 	/* round upwards to multiple of MD_DIGEST_LENGTH/2 */
 	num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2);
Index: openssl-1.0.1i/crypto/fips/fips_drbg_rand.c
===================================================================
--- openssl-1.0.1i.orig/crypto/fips/fips_drbg_rand.c
+++ openssl-1.0.1i/crypto/fips/fips_drbg_rand.c
@@ -78,6 +78,11 @@ static int fips_drbg_bytes(unsigned char
 	unsigned char *adin = NULL;
 	size_t adinlen = 0;
 	int locked;
+
+	/* add entropy in 1:1 relation (number pulled bytes / number pushed from /dev/urandom) */
+	if (count > dctx->min_entropy)
+		RAND_load_file("/dev/urandom", count - dctx->min_entropy);
+
 	locked = private_RAND_lock(1);
 	do 
 		{
Index: openssl-1.0.1i/crypto/rand/rand_lib.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rand/rand_lib.c
+++ openssl-1.0.1i/crypto/rand/rand_lib.c
@@ -278,7 +278,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
 	if (FIPS_rand_status())
 		{
 		int locked = private_RAND_lock(1);
-		FIPS_drbg_reseed(ctx, NULL, 0);
+		FIPS_drbg_reseed(ctx, in, inlen);
 		if (locked) private_RAND_lock(0);
 		}
 	return 1;
openSUSE Build Service is sponsored by
Places