From: Dr. Matthias St. Pierre Date: Wed, 13 Nov 2019 15:02:09 +0000 (+0100) Subject: Remove RANDFILE settings from configuration files X-Git-Tag: openssl-3.0.0-alpha1~911 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=23f3993127c0a05651e28701d91edb478ebe6efa;p=thirdparty%2Fopenssl.git Remove RANDFILE settings from configuration files OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding mechanism, which makes it dispensable to define a RANDFILE for saving and restoring randomness. This commit removes the RANDFILE declarations from our own configuration files and adds documentation that this option is not needed anymore and retained mainly for compatibility reasons. Fixes #10433 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10436) --- diff --git a/.gitignore b/.gitignore index 8629499c497..eb95e48bfe9 100644 --- a/.gitignore +++ b/.gitignore @@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod /out32dll.dbg /inc32 /MINFO -/ms/.rnd /ms/bcb.mak /ms/libeay32.def /ms/nt.mak diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf index 531afe64b20..bd762b7ddc4 100644 --- a/demos/certs/apps/apps.cnf +++ b/demos/certs/apps/apps.cnf @@ -5,7 +5,6 @@ # This definition stops the following lines choking if HOME or CN # is undefined. HOME = . -RANDFILE = $ENV::HOME/.rnd CN = "Not Defined" #################################################################### diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf index 5a8a5f29ef5..c75a71a6aac 100644 --- a/demos/certs/ca.cnf +++ b/demos/certs/ca.cnf @@ -5,7 +5,6 @@ # This definition stops the following lines choking if HOME or CN # is undefined. HOME = . -RANDFILE = $ENV::HOME/.rnd CN = "Not Defined" default_ca = ca diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 6df41d897f7..c439fde5d9f 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in 
@@ -446,7 +446,8 @@ CA private key. Mandatory. =item B At startup the specified file is loaded into the random number generator, -and at exit 256 bytes will be written to it. +and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is +not necessary anymore, see the L section. =item B @@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command: serial = $dir/serial # serial no file #rand_serial = yes # for random serial#'s private_key = $dir/private/cakey.pem# CA private key - RANDFILE = $dir/private/.rand # random number file default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL @@ -690,7 +690,6 @@ The values below reflect the default values. ./demoCA/index.txt - CA text database file ./demoCA/index.txt.old - CA text database backup file ./demoCA/certs - certificate output file - ./demoCA/.rnd - CA random seed information =head1 RESTRICTIONS @@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are earlier than year 2049 (included), and as GeneralizedTime if the dates are in year 2050 or later. +OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved +seeding mechanism. The new seeding mechanism makes it unnecessary to +define a RANDFILE for saving and restoring randomness. This option is +retained mainly for compatibility reasons. + =head1 SEE ALSO L, diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 8ca4acc1118..83aa1ad54ee 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -592,8 +592,6 @@ Sample configuration file prompting for field values: Sample configuration containing all field values: - RANDFILE = $ENV::HOME/.rnd - [ req ] default_bits = 2048 default_keyfile = keyfile.pem diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 035763260dc..6827fe84d17 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in 
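Review bot: The note added to the RANDFILE item in the first openssl-ca.pod.in hunk opens a parenthesis that is never closed. The text `(Note: Using a RANDFILE is not necessary anymore, see the` … `section.` stops at the full stop, so the rendered man page will show an unbalanced bracket. End the sentence with `section.)` and leave the cross-reference as the commit has it. The RANDFILE item rewritten in openssl-ts.pod.in has the same unclosed parenthesis. That item also loses the `(Optional)` marker that the two items above it keep, so append `(Optional)` after the closing parenthesis there.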
@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional) =item B -See L for description. (Optional) +This specifies a file containing additional B. +Each line of the file should consist of the numerical form of the +object identifier followed by white space then the short name followed +by white space and finally the long name. (Optional) =item B -See L for description. (Optional) +This specifies a section in the configuration file containing extra +object identifiers. Each line should consist of the short name of the +object identifier followed by B<=> and the numerical form. The short +and long names are the same when this option is used. (Optional) =item B -See L for description. (Optional) +At startup the specified file is loaded into the random number generator, +and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is +not necessary anymore, see the L section. =item B @@ -644,6 +652,13 @@ test/testtsa). =back +=head1 HISTORY + +OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved +seeding mechanism. The new seeding mechanism makes it unnecessary to +define a RANDFILE for saving and restoring randomness. This option is +retained mainly for compatibility reasons. + =head1 SEE ALSO L, diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 4b8465594af..1776439edd2 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -416,7 +416,6 @@ mentioned above. # This is the default section. HOME=/temp - RANDFILE= ${ENV::HOME}/.rnd configdir=$ENV::HOME/config [ section_one ] diff --git a/test/CAss.cnf b/test/CAss.cnf index b20a2427603..8ca62b5cf7e 100644 --- a/test/CAss.cnf +++ b/test/CAss.cnf @@ -3,8 +3,6 @@ # This is mostly being used for generation of certificate requests. # -RANDFILE = ./.rnd - #################################################################### [ req ] default_bits = 2048 
@@ -43,7 +41,6 @@ certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file x509_extensions = v3_ca # The extensions to add to the cert diff --git a/test/CAssdh.cnf b/test/CAssdh.cnf index 4e0a908679f..7c08a6e1cca 100644 --- a/test/CAssdh.cnf +++ b/test/CAssdh.cnf @@ -4,8 +4,6 @@ # # hacked by iang to do DH certs - CA -RANDFILE = ./.rnd - #################################################################### [ req ] distinguished_name = req_distinguished_name diff --git a/test/CAssdsa.cnf b/test/CAssdsa.cnf index a6b4d1810c9..8328abd7b44 100644 --- a/test/CAssdsa.cnf +++ b/test/CAssdsa.cnf @@ -4,8 +4,6 @@ # # hacked by iang to do DSA certs - CA -RANDFILE = ./.rnd - #################################################################### [ req ] distinguished_name = req_distinguished_name diff --git a/test/CAssrsa.cnf b/test/CAssrsa.cnf index eb24a6dfc0e..d5aa20a72b2 100644 --- a/test/CAssrsa.cnf +++ b/test/CAssrsa.cnf @@ -4,8 +4,6 @@ # # create RSA certs - CA -RANDFILE = ./.rnd - #################################################################### [ req ] distinguished_name = req_distinguished_name diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf index d1642879be3..e7ca8c5a1e1 100644 --- a/test/CAtsa.cnf +++ b/test/CAtsa.cnf @@ -3,8 +3,6 @@ # This config is used by the Time Stamp Authority tests. # -RANDFILE = ./.rnd - # Extra OBJECT IDENTIFIER info: oid_section = new_oids @@ -32,7 +30,6 @@ new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file default_days = 365 # how long to certify for default_md = sha256 # which md to use. 
diff --git a/test/P1ss.cnf b/test/P1ss.cnf index e6118dc816c..03f3cdb1ad3 100644 --- a/test/P1ss.cnf +++ b/test/P1ss.cnf @@ -3,8 +3,6 @@ # This is mostly being used for generation of certificate requests. # -RANDFILE = ./.rnd - #################################################################### [ req ] default_bits = 2048 diff --git a/test/P2ss.cnf b/test/P2ss.cnf index d530e31f991..5adaecc7d50 100644 --- a/test/P2ss.cnf +++ b/test/P2ss.cnf @@ -3,8 +3,6 @@ # This is mostly being used for generation of certificate requests. # -RANDFILE = ./.rnd - #################################################################### [ req ] default_bits = 2048 diff --git a/test/Sssdsa.cnf b/test/Sssdsa.cnf index 8e170a28ef5..2fb35e08809 100644 --- a/test/Sssdsa.cnf +++ b/test/Sssdsa.cnf @@ -4,8 +4,6 @@ # # hacked by iang to do DSA certs - Server -RANDFILE = ./.rnd - #################################################################### [ req ] distinguished_name = req_distinguished_name diff --git a/test/Sssrsa.cnf b/test/Sssrsa.cnf index 8c79a03fca8..f2b6e72b912 100644 --- a/test/Sssrsa.cnf +++ b/test/Sssrsa.cnf @@ -4,8 +4,6 @@ # # create RSA certs - Server -RANDFILE = ./.rnd - #################################################################### [ req ] distinguished_name = req_distinguished_name diff --git a/test/Uss.cnf b/test/Uss.cnf index f655e7448dc..27517bd1060 100644 --- a/test/Uss.cnf +++ b/test/Uss.cnf @@ -3,7 +3,6 @@ # This is mostly being used for generation of certificate requests. # -RANDFILE = ./.rnd CN2 = Brother 2 #################################################################### diff --git a/test/conf_include_test.c b/test/conf_include_test.c index 16459c46d76..0cf8d497403 100644 --- a/test/conf_include_test.c +++ b/test/conf_include_test.c 
@@ -90,13 +90,6 @@ static int test_load_config(void) return 0; } - /* verify whether RANDFILE is set correctly */ - str = NCONF_get_string(conf, "", "RANDFILE"); - if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) { - TEST_note("RANDFILE incorrect"); - return 0; - } - /* verify whether CA_default/default_days is set */ val = 0; if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1) diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 6da8e897f5e..0e085b435de 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -19,10 +19,6 @@ plan tests => 13; require_ok(srctop_file('test','recipes','tconversion.pl')); -open RND, ">>", ".rnd"; -print RND "string to make the random number generator think it has randomness"; -close RND; - # What type of key to generate? my @req_new; if (disabled("rsa")) { diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 0290b489ebc..2d213b7daa7 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert); # ----------- # subtest functions sub testss { - open RND, ">>", ".rnd"; - print RND "string to make the random number generator think it has randomness"; - close RND; - my @req_dsa = ("-newkey", "dsa:".srctop_file("apps", "dsa1024.pem")); my $dsaparams = srctop_file("apps", "dsa1024.pem"); diff --git a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf index 66c89006d0c..5959b23e4b4 100644 --- a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf +++ b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf @@ -4,8 +4,6 @@ # This is mostly being used for generation of certificate requests. # -RANDFILE = ./.rnd - #################################################################### [ ca ] default_ca = CA_default # The default ca section 
@@ -23,7 +21,6 @@ certificate = $dir/CAcert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/CAkey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf index 835b2c672de..00d40e74791 100644 --- a/test/smime-certs/ca.cnf +++ b/test/smime-certs/ca.cnf @@ -5,7 +5,6 @@ # This definition stops the following lines choking if HOME or CN # is undefined. HOME = . -RANDFILE = $ENV::HOME/.rnd CN = "Not Defined" default_ca = ca diff --git a/test/test.cnf b/test/test.cnf index 718b0bf1f2c..1e2fa31cce6 100644 --- a/test/test.cnf +++ b/test/test.cnf @@ -3,8 +3,6 @@ # This is mostly being used for generation of certificate requests. # -RANDFILE = ./.rnd - #################################################################### [ ca ] default_ca = CA_default # The default ca section @@ -22,7 +20,6 @@ certificate = $dir/CAcert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/CAkey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL