generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add a no-egd option to disable EGD-related code

Browse Source 
The entropy-gathering daemon is used only on a small number of machines.
Provide a configure knob so that EGD support can be disabled by default
but re-enabled on those systems that do need it.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This commit is contained in:
Benjamin Kaduk 2016-01-12 18:02:16 -06:00 committed by Rich Salz
parent 47153c7253
commit 0423f812dc
10 changed files with 74 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -4,6 +4,10 @@
Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]
*) EGD is no longer supported by default; use enable-egd when
configuring.
[Ben Kaduv and Rich Salz]
*) The distribution now has Makefile.in files, which are used to *) The distribution now has Makefile.in files, which are used to
create Makefile's when Configure is run. *Configure must be run create Makefile's when Configure is run. *Configure must be run
before trying to build now.* before trying to build now.*

4
Configure
View File

@ -14,7 +14,7 @@ use File::Spec::Functions;
# see INSTALL for instructions. # see INSTALL for instructions.
my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] [--config=FILE] os/compiler[:flags]\n"; my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] [--config=FILE] os/compiler[:flags]\n";
# Options: # Options:
# #
@ -50,6 +50,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
# no-asm do not use assembler # no-asm do not use assembler
# no-dso do not compile in any native shared-library methods. This # no-dso do not compile in any native shared-library methods. This
# will ensure that all methods just return NULL. # will ensure that all methods just return NULL.
# no-egd do not compile support for the entropy-gathering daemon APIs
# [no-]zlib [don't] compile support for zlib compression. # [no-]zlib [don't] compile support for zlib compression.
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library. # library and will be loaded in run-time by the OpenSSL library.
@ -905,6 +906,7 @@ my @disablables = (
my %disabled = ( # "what" => "comment" [or special keyword "experimental"] my %disabled = ( # "what" => "comment" [or special keyword "experimental"]
"ec_nistp_64_gcc_128" => "default", "ec_nistp_64_gcc_128" => "default",
"egd" => "default",
"jpake" => "experimental", "jpake" => "experimental",
"md2" => "default", "md2" => "default",
"rc5" => "default", "rc5" => "default",

6
apps/app_rand.c
View File

@ -126,6 +126,7 @@ int app_RAND_load_file(const char *file, int dont_warn)
if (file == NULL) if (file == NULL)
file = RAND_file_name(buffer, sizeof buffer); file = RAND_file_name(buffer, sizeof buffer);
#ifndef OPENSSL_NO_EGD
else if (RAND_egd(file) > 0) { else if (RAND_egd(file) > 0) {
/* /*
* we try if the given filename is an EGD socket. if it is, we don't * we try if the given filename is an EGD socket. if it is, we don't
@ -134,6 +135,7 @@ int app_RAND_load_file(const char *file, int dont_warn)
egdsocket = 1; egdsocket = 1;
return 1; return 1;
} }
#endif
if (file == NULL || !RAND_load_file(file, -1)) { if (file == NULL || !RAND_load_file(file, -1)) {
if (RAND_status() == 0) { if (RAND_status() == 0) {
if (!dont_warn) { if (!dont_warn) {
@ -161,7 +163,9 @@ long app_RAND_load_files(char *name)
char *p, *n; char *p, *n;
int last; int last;
long tot = 0; long tot = 0;
#ifndef OPENSSL_NO_EGD
int egd; int egd;
#endif
for (;;) { for (;;) {
last = 0; last = 0;
@ -174,10 +178,12 @@ long app_RAND_load_files(char *name)
if (*n == '\0') if (*n == '\0')
break; break;
#ifndef OPENSSL_NO_EGD
egd = RAND_egd(n); egd = RAND_egd(n);
if (egd > 0) if (egd > 0)
tot += egd; tot += egd;
else else
#endif
tot += RAND_load_file(n, -1); tot += RAND_load_file(n, -1);
if (last) if (last)
break; break;

84
crypto/rand/rand_egd.c
View File

@ -95,7 +95,9 @@
* RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
*/ */
#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI) #ifndef OPENSSL_NO_EGD
# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI)
int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
{ {
return (-1); return (-1);
@ -110,26 +112,26 @@ int RAND_egd_bytes(const char *path, int bytes)
{ {
return (-1); return (-1);
} }
#else
# include <openssl/opensslconf.h>
# include OPENSSL_UNISTD
# include <stddef.h>
# include <sys/types.h>
# include <sys/socket.h>
# ifndef NO_SYS_UN_H
# ifdef OPENSSL_SYS_VXWORKS
# include <streams/un.h>
# else
# include <sys/un.h>
# endif
# else # else
# include <openssl/opensslconf.h>
# include OPENSSL_UNISTD
# include <stddef.h>
# include <sys/types.h>
# include <sys/socket.h>
# ifndef NO_SYS_UN_H
# ifdef OPENSSL_SYS_VXWORKS
# include <streams/un.h>
# else
# include <sys/un.h>
# endif
# else
struct sockaddr_un { struct sockaddr_un {
short sun_family; /* AF_UNIX */ short sun_family; /* AF_UNIX */
char sun_path[108]; /* path name (gag) */ char sun_path[108]; /* path name (gag) */
}; };
# endif /* NO_SYS_UN_H */ # endif /* NO_SYS_UN_H */
# include <string.h> # include <string.h>
# include <errno.h> # include <errno.h>
int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
{ {
@ -155,25 +157,25 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
success = 1; success = 1;
else { else {
switch (errno) { switch (errno) {
# ifdef EINTR # ifdef EINTR
case EINTR: case EINTR:
# endif # endif
# ifdef EAGAIN # ifdef EAGAIN
case EAGAIN: case EAGAIN:
# endif # endif
# ifdef EINPROGRESS # ifdef EINPROGRESS
case EINPROGRESS: case EINPROGRESS:
# endif # endif
# ifdef EALREADY # ifdef EALREADY
case EALREADY: case EALREADY:
# endif # endif
/* No error, try again */ /* No error, try again */
break; break;
# ifdef EISCONN # ifdef EISCONN
case EISCONN: case EISCONN:
success = 1; success = 1;
break; break;
# endif # endif
default: default:
goto err; /* failure */ goto err; /* failure */
} }
@ -190,12 +192,12 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
numbytes += num; numbytes += num;
else { else {
switch (errno) { switch (errno) {
# ifdef EINTR # ifdef EINTR
case EINTR: case EINTR:
# endif # endif
# ifdef EAGAIN # ifdef EAGAIN
case EAGAIN: case EAGAIN:
# endif # endif
/* No error, try again */ /* No error, try again */
break; break;
default: default:
@ -213,12 +215,12 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
numbytes += num; numbytes += num;
else { else {
switch (errno) { switch (errno) {
# ifdef EINTR # ifdef EINTR
case EINTR: case EINTR:
# endif # endif
# ifdef EAGAIN # ifdef EAGAIN
case EAGAIN: case EAGAIN:
# endif # endif
/* No error, try again */ /* No error, try again */
break; break;
default: default:
@ -242,12 +244,12 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
numbytes += num; numbytes += num;
else { else {
switch (errno) { switch (errno) {
# ifdef EINTR # ifdef EINTR
case EINTR: case EINTR:
# endif # endif
# ifdef EAGAIN # ifdef EAGAIN
case EAGAIN: case EAGAIN:
# endif # endif
/* No error, try again */ /* No error, try again */
break; break;
default: default:
@ -285,4 +287,10 @@ int RAND_egd(const char *path)
return (RAND_egd_bytes(path, 255)); return (RAND_egd_bytes(path, 255));
} }
# endif
#else /* OPENSSL_NO_EGD */
# if PEDANTIC
static void *dummy = &dummy;
# endif
#endif #endif

10
crypto/rand/rand_unix.c
View File

@ -244,7 +244,7 @@ int RAND_poll(void)
{ {
unsigned long l; unsigned long l;
pid_t curr_pid = getpid(); pid_t curr_pid = getpid();
# if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) # if defined(DEVRANDOM) || (!defined(OPENSS_NO_EGD) && defined(DEVRANDOM_EGD))
unsigned char tmpbuf[ENTROPY_NEEDED]; unsigned char tmpbuf[ENTROPY_NEEDED];
int n = 0; int n = 0;
# endif # endif
@ -254,7 +254,7 @@ int RAND_poll(void)
int fd; int fd;
unsigned int i; unsigned int i;
# endif # endif
# ifdef DEVRANDOM_EGD # if !defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD)
static const char *egdsockets[] = { DEVRANDOM_EGD, NULL }; static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
const char **egdsocket = NULL; const char **egdsocket = NULL;
# endif # endif
@ -371,7 +371,7 @@ int RAND_poll(void)
} }
# endif /* defined(DEVRANDOM) */ # endif /* defined(DEVRANDOM) */
# ifdef DEVRANDOM_EGD # if !defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD)
/* /*
* Use an EGD socket to read entropy from an EGD or PRNGD entropy * Use an EGD socket to read entropy from an EGD or PRNGD entropy
* collecting daemon. * collecting daemon.
@ -388,7 +388,7 @@ int RAND_poll(void)
} }
# endif /* defined(DEVRANDOM_EGD) */ # endif /* defined(DEVRANDOM_EGD) */
# if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) # if defined(DEVRANDOM) || (!defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD))
if (n > 0) { if (n > 0) {
RAND_add(tmpbuf, sizeof tmpbuf, (double)n); RAND_add(tmpbuf, sizeof tmpbuf, (double)n);
OPENSSL_cleanse(tmpbuf, n); OPENSSL_cleanse(tmpbuf, n);
@ -404,7 +404,7 @@ int RAND_poll(void)
l = time(NULL); l = time(NULL);
RAND_add(&l, sizeof(l), 0.0); RAND_add(&l, sizeof(l), 0.0);
# if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) # if defined(DEVRANDOM) || (!defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD))
return 1; return 1;
# else # else
return 0; return 0;

2
e_os.h
View File

@ -90,7 +90,7 @@ extern "C" {
*/ */
# define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom" # define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
# endif # endif
# ifndef DEVRANDOM_EGD # if !defined(OPENSSL_NO_EGD) && !defined(DEVRANDOM_EGD)
/* /*
* set this to a comma-separated list of 'egd' sockets to try out. These * set this to a comma-separated list of 'egd' sockets to try out. These
* sockets will be tried in the order listed in case accessing the device * sockets will be tried in the order listed in case accessing the device

2
include/openssl/rand.h
View File

@ -105,9 +105,11 @@ int RAND_load_file(const char *file, long max_bytes);
int RAND_write_file(const char *file); int RAND_write_file(const char *file);
const char *RAND_file_name(char *file, size_t num); const char *RAND_file_name(char *file, size_t num);
int RAND_status(void); int RAND_status(void);
# ifndef OPENSSL_NO_EGD
int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes); int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes);
int RAND_egd(const char *path); int RAND_egd(const char *path);
int RAND_egd_bytes(const char *path, int bytes); int RAND_egd_bytes(const char *path, int bytes);
# endif
int RAND_poll(void); int RAND_poll(void);
# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) # if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)

6
util/libeay.num
View File

@ -1754,7 +1754,7 @@ DES_crypt 2249 1_1_0 EXIST::FUNCTION:DES
PEM_write_bio_X509_REQ_NEW 2250 1_1_0 EXIST::FUNCTION: PEM_write_bio_X509_REQ_NEW 2250 1_1_0 EXIST::FUNCTION:
PEM_write_X509_REQ_NEW 2251 1_1_0 EXIST::FUNCTION: PEM_write_X509_REQ_NEW 2251 1_1_0 EXIST::FUNCTION:
BIO_callback_ctrl 2252 1_1_0 EXIST::FUNCTION: BIO_callback_ctrl 2252 1_1_0 EXIST::FUNCTION:
RAND_egd 2253 1_1_0 EXIST::FUNCTION: RAND_egd 2253 1_1_0 EXIST::FUNCTION:EGD
RAND_status 2254 1_1_0 EXIST::FUNCTION: RAND_status 2254 1_1_0 EXIST::FUNCTION:
bn_dump1 2255 1_1_0 NOEXIST::FUNCTION: bn_dump1 2255 1_1_0 NOEXIST::FUNCTION:
DES_check_key_parity 2256 1_1_0 EXIST::FUNCTION:DES DES_check_key_parity 2256 1_1_0 EXIST::FUNCTION:DES
@ -1809,7 +1809,7 @@ X509_ALGOR_cmp 2398 1_1_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_set_key_length 2399 1_1_0 EXIST::FUNCTION: EVP_CIPHER_CTX_set_key_length 2399 1_1_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_ctrl 2400 1_1_0 EXIST::FUNCTION: EVP_CIPHER_CTX_ctrl 2400 1_1_0 EXIST::FUNCTION:
BN_mod_exp_mont_word 2401 1_1_0 EXIST::FUNCTION: BN_mod_exp_mont_word 2401 1_1_0 EXIST::FUNCTION:
RAND_egd_bytes 2402 1_1_0 EXIST::FUNCTION: RAND_egd_bytes 2402 1_1_0 EXIST::FUNCTION:EGD
X509_REQ_get1_email 2403 1_1_0 EXIST::FUNCTION: X509_REQ_get1_email 2403 1_1_0 EXIST::FUNCTION:
X509_get1_email 2404 1_1_0 EXIST::FUNCTION: X509_get1_email 2404 1_1_0 EXIST::FUNCTION:
X509_email_free 2405 1_1_0 EXIST::FUNCTION: X509_email_free 2405 1_1_0 EXIST::FUNCTION:
@ -2436,7 +2436,7 @@ X509V3_EXT_nconf_nid 2942 1_1_0 EXIST::FUNCTION:
ASN1_SEQUENCE_it 2943 1_1_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_SEQUENCE_it 2943 1_1_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
ASN1_SEQUENCE_it 2943 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: ASN1_SEQUENCE_it 2943 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
UI_set_default_method 2944 1_1_0 EXIST::FUNCTION: UI_set_default_method 2944 1_1_0 EXIST::FUNCTION:
RAND_query_egd_bytes 2945 1_1_0 EXIST::FUNCTION: RAND_query_egd_bytes 2945 1_1_0 EXIST::FUNCTION:EGD
UI_method_get_writer 2946 1_1_0 EXIST::FUNCTION: UI_method_get_writer 2946 1_1_0 EXIST::FUNCTION:
UI_OpenSSL 2947 1_1_0 EXIST::FUNCTION: UI_OpenSSL 2947 1_1_0 EXIST::FUNCTION:
PEM_def_callback 2948 1_1_0 EXIST::FUNCTION: PEM_def_callback 2948 1_1_0 EXIST::FUNCTION:

2
util/mk1mf.pl
View File

@ -140,6 +140,7 @@ and [options] can be one of
no-srp - No SRP no-srp - No SRP
no-ec - No EC no-ec - No EC
no-engine - No engine no-engine - No engine
no-egd - No EGD
no-hw - No hw no-hw - No hw
nasm - Use NASM for x86 asm nasm - Use NASM for x86 asm
nw-nasm - Use NASM x86 asm for NetWare nw-nasm - Use NASM x86 asm for NetWare
@ -1390,6 +1391,7 @@ sub read_options
"no-ec" => \$no_ec, "no-ec" => \$no_ec,
"no-gost" => \$no_gost, "no-gost" => \$no_gost,
"no-engine" => \$no_engine, "no-engine" => \$no_engine,
"no-egd" => 0,
"no-hw" => \$no_hw, "no-hw" => \$no_hw,
"just-ssl" => "just-ssl" =>
[\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast, [\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast,

2
util/mkdef.pl
View File

@ -84,6 +84,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
"CRYPTO_MDEBUG", "CRYPTO_MDEBUG",
# Engines # Engines
"STATIC_ENGINE", "ENGINE", "HW", "GMP", "STATIC_ENGINE", "ENGINE", "HW", "GMP",
# Entropy Gathering
"EGD",
# X.509v3 Signed Certificate Timestamps # X.509v3 Signed Certificate Timestamps
"SCT", "SCT",
# RFC3779 # RFC3779