From: Aki Tuomi Date: Tue, 24 Oct 2017 11:43:51 +0000 (+0300) Subject: lib-ssl-iostream: Seed OpenSSL RNG earlier X-Git-Tag: 2.3.0.rc1~678 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=98c2cac72e2032f223050a4edd229993c1d5c1f0;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Seed OpenSSL RNG earlier Make sure we give the RNG a chance to seed before we chroot. --- diff --git a/src/lib-ssl-iostream/dovecot-openssl-common.c b/src/lib-ssl-iostream/dovecot-openssl-common.c index e53a2d77b8..ac1d90af6d 100644 --- a/src/lib-ssl-iostream/dovecot-openssl-common.c +++ b/src/lib-ssl-iostream/dovecot-openssl-common.c @@ -1,6 +1,7 @@ /* Copyright (c) 2016-2017 Dovecot authors, see the included COPYING file */ #include "lib.h" +#include "randgen.h" #include "dovecot-openssl-common.h" #include @@ -51,8 +52,6 @@ static void dovecot_openssl_free(void *ptr) void dovecot_openssl_common_global_ref(void) { - unsigned char buf; - if (openssl_init_refcount++ > 0) return; @@ -67,12 +66,6 @@ void dovecot_openssl_common_global_ref(void) SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); - - /* PRNG initialization might want to use /dev/urandom, make sure it - does it before chrooting. We might not have enough entropy at - the first try, so this function may fail. It's still been - initialized though. */ - (void)RAND_bytes(&buf, 1); } bool dovecot_openssl_common_global_unref(void) diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c index 958cd73167..e6f5480ec7 100644 --- a/src/lib-ssl-iostream/iostream-openssl.c +++ b/src/lib-ssl-iostream/iostream-openssl.c @@ -5,6 +5,7 @@ #include "ostream-private.h" #include "iostream-openssl.h" +#include #include static void openssl_iostream_free(struct ssl_iostream *ssl_io); @@ -777,6 +778,9 @@ static const struct iostream_ssl_vfuncs ssl_vfuncs = { void ssl_iostream_openssl_init(void) { + unsigned char buf; + if (RAND_bytes(&buf, 1) < 1) + i_fatal("OpenSSL RNG failed to initialize"); iostream_ssl_module_init(&ssl_vfuncs); }