[openssl] master update

matthias.st.pierre at ncp-e.com matthias.st.pierre at ncp-e.com
Sun Nov 24 07:35:24 UTC 2019


The branch master has been updated
       via  23f3993127c0a05651e28701d91edb478ebe6efa (commit)
      from  0c080f73e8fc3cf7e73a42b15011d8a0a0c8aab7 (commit)


- Log -----------------------------------------------------------------
commit 23f3993127c0a05651e28701d91edb478ebe6efa
Author: Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Date:   Wed Nov 13 16:02:09 2019 +0100

    Remove RANDFILE settings from configuration files
    
    OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding
    mechanism, which makes it dispensable to define a RANDFILE for
    saving and restoring randomness. This commit removes the RANDFILE
    declarations from our own configuration files and adds documentation
    that this option is not needed anymore and retained mainly for
    compatibility reasons.
    
    Fixes #10433
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/10436)

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                          |  1 -
 demos/certs/apps/apps.cnf                           |  1 -
 demos/certs/ca.cnf                                  |  1 -
 doc/man1/openssl-ca.pod.in                          | 10 +++++++---
 doc/man1/openssl-req.pod.in                         |  2 --
 doc/man1/openssl-ts.pod.in                          | 21 ++++++++++++++++++---
 doc/man5/config.pod                                 |  1 -
 test/CAss.cnf                                       |  3 ---
 test/CAssdh.cnf                                     |  2 --
 test/CAssdsa.cnf                                    |  2 --
 test/CAssrsa.cnf                                    |  2 --
 test/CAtsa.cnf                                      |  3 ---
 test/P1ss.cnf                                       |  2 --
 test/P2ss.cnf                                       |  2 --
 test/Sssdsa.cnf                                     |  2 --
 test/Sssrsa.cnf                                     |  2 --
 test/Uss.cnf                                        |  1 -
 test/conf_include_test.c                            |  7 -------
 test/recipes/25-test_req.t                          |  4 ----
 test/recipes/80-test_ssl_old.t                      |  4 ----
 .../conf-includes/includes1.cnf                     |  3 ---
 test/smime-certs/ca.cnf                             |  1 -
 test/test.cnf                                       |  3 ---
 23 files changed, 25 insertions(+), 55 deletions(-)

diff --git a/.gitignore b/.gitignore
index 8629499c49..eb95e48bfe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod
 /out32dll.dbg
 /inc32
 /MINFO
-/ms/.rnd
 /ms/bcb.mak
 /ms/libeay32.def
 /ms/nt.mak
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 531afe64b2..bd762b7ddc 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 
 ####################################################################
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index 5a8a5f29ef..c75a71a6aa 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca
 
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 6df41d897f..c439fde5d9 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -446,7 +446,8 @@ CA private key. Mandatory.
 =item B<RANDFILE>
 
 At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
 
 =item B<default_days>
 
@@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
  serial         = $dir/serial           # serial no file
  #rand_serial    = yes                  # for random serial#'s
  private_key    = $dir/private/cakey.pem# CA private key
- RANDFILE       = $dir/private/.rand    # random number file
 
  default_days   = 365                   # how long to certify for
  default_crl_days= 30                   # how long before next CRL
@@ -690,7 +690,6 @@ The values below reflect the default values.
  ./demoCA/index.txt             - CA text database file
  ./demoCA/index.txt.old         - CA text database backup file
  ./demoCA/certs                 - certificate output file
- ./demoCA/.rnd                  - CA random seed information
 
 =head1 RESTRICTIONS
 
@@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
 earlier than year 2049 (included), and as GeneralizedTime if the dates
 are in year 2050 or later.
 
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 8ca4acc111..83aa1ad54e 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
 Sample configuration containing all field values:
 
 
- RANDFILE               = $ENV::HOME/.rnd
-
  [ req ]
  default_bits           = 2048
  default_keyfile        = keyfile.pem
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index 035763260d..6827fe84d1 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)
 
 =item B<oid_section>
 
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)
 
 =item B<RANDFILE>
 
-See L<openssl-ca(1)> for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
 
 =item B<serial>
 
@@ -644,6 +652,13 @@ test/testtsa).
 
 =back
 
+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 4b8465594a..1776439edd 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -416,7 +416,6 @@ mentioned above.
  # This is the default section.
 
  HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
  configdir=$ENV::HOME/config
 
  [ section_one ]
diff --git a/test/CAss.cnf b/test/CAss.cnf
index b20a242760..8ca62b5cf7 100644
--- a/test/CAss.cnf
+++ b/test/CAss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
@@ -43,7 +41,6 @@ certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 x509_extensions	= v3_ca			# The extensions to add to the cert
 
diff --git a/test/CAssdh.cnf b/test/CAssdh.cnf
index 4e0a908679..7c08a6e1cc 100644
--- a/test/CAssdh.cnf
+++ b/test/CAssdh.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DH certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/CAssdsa.cnf b/test/CAssdsa.cnf
index a6b4d1810c..8328abd7b4 100644
--- a/test/CAssdsa.cnf
+++ b/test/CAssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/CAssrsa.cnf b/test/CAssrsa.cnf
index eb24a6dfc0..d5aa20a72b 100644
--- a/test/CAssrsa.cnf
+++ b/test/CAssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index d1642879be..e7ca8c5a1e 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -3,8 +3,6 @@
 # This config is used by the Time Stamp Authority tests.
 #
 
-RANDFILE		= ./.rnd
-
 # Extra OBJECT IDENTIFIER info:
 oid_section		= new_oids
 
@@ -32,7 +30,6 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_md	= sha256			# which md to use.
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
index e6118dc816..03f3cdb1ad 100644
--- a/test/P1ss.cnf
+++ b/test/P1ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
index d530e31f99..5adaecc7d5 100644
--- a/test/P2ss.cnf
+++ b/test/P2ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
diff --git a/test/Sssdsa.cnf b/test/Sssdsa.cnf
index 8e170a28ef..2fb35e0880 100644
--- a/test/Sssdsa.cnf
+++ b/test/Sssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - Server
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/Sssrsa.cnf b/test/Sssrsa.cnf
index 8c79a03fca..f2b6e72b91 100644
--- a/test/Sssrsa.cnf
+++ b/test/Sssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - Server
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/Uss.cnf b/test/Uss.cnf
index f655e7448d..27517bd106 100644
--- a/test/Uss.cnf
+++ b/test/Uss.cnf
@@ -3,7 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
 CN2 = Brother 2
 
 ####################################################################
diff --git a/test/conf_include_test.c b/test/conf_include_test.c
index 16459c46d7..0cf8d49740 100644
--- a/test/conf_include_test.c
+++ b/test/conf_include_test.c
@@ -90,13 +90,6 @@ static int test_load_config(void)
         return 0;
     }
 
-    /* verify whether RANDFILE is set correctly */
-    str = NCONF_get_string(conf, "", "RANDFILE");
-    if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
-        TEST_note("RANDFILE incorrect");
-        return 0;
-    }
-
     /* verify whether CA_default/default_days is set */
     val = 0;
     if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 6da8e897f5..0e085b435d 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -19,10 +19,6 @@ plan tests => 13;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
-open RND, ">>", ".rnd";
-print RND "string to make the random number generator think it has randomness";
-close RND;
-
 # What type of key to generate?
 my @req_new;
 if (disabled("rsa")) {
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 0290b489eb..2d213b7daa 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert);
 # -----------
 # subtest functions
 sub testss {
-    open RND, ">>", ".rnd";
-    print RND "string to make the random number generator think it has randomness";
-    close RND;
-
     my @req_dsa = ("-newkey",
                    "dsa:".srctop_file("apps", "dsa1024.pem"));
     my $dsaparams = srctop_file("apps", "dsa1024.pem");
diff --git a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
index 66c89006d0..5959b23e4b 100644
--- a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
+++ b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
@@ -4,8 +4,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -23,7 +21,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 835b2c672d..00d40e7479 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca
 
diff --git a/test/test.cnf b/test/test.cnf
index 718b0bf1f2..1e2fa31cce 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -22,7 +20,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL


More information about the openssl-commits mailing list