Add --with-rand-seed
Add a new config param to specify how the CSPRNG should be seeded.
Illegal values or nonsensical combinations (e.g., anything other
than "os" on VMS or HP VOS etc) result in build failures.
Add RDSEED support.
Add RDTSC but leave it disabled for now pending more investigation.
Refactor and reorganize all seeding files (rand_unix/win/vms) so
that they are simpler.
Only require 128 bits of seeding material.
Many document improvements, including why to not use RAND_add() and the
limitations around using load_file/write_file.
Document RAND_poll().
Cleanup Windows RAND_poll and return correct status
More completely initialize the default DRBG.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3965)
diff --git a/Configure b/Configure
index 9612976..ebfe01d 100755
--- a/Configure
+++ b/Configure
@@ -561,6 +561,9 @@
my %unsupported_options = ();
my %deprecated_options = ();
+# If you change this, update apps/version.c
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
+my @seed_sources = ();
while (@argvcopy)
{
$_ = shift @argvcopy;
@@ -729,6 +732,15 @@
{
$withargs{fuzzer_include}=$1;
}
+ elsif (/^--with-rand-seed=(.*)$/)
+ {
+ foreach my $x (split(m|,|, $1))
+ {
+ die "Unknown --with-rand-seed choice $x\n"
+ if ! grep { $x eq $_ } @known_seed_sources;
+ push @seed_sources, $x;
+ }
+ }
elsif (/^--cross-compile-prefix=(.*)$/)
{
$config{cross_compile_prefix}=$1;
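Review bot: An empty value is accepted by the new `--with-rand-seed=` branch, because `split(m|,|, $1)` returns an empty list for `""` (and for `","`), so the loop body never runs and nothing is validated. The build then falls through to the implicit `os` default in the later hunk, even though the option was passed explicitly. I would reject that case up front with `die "Empty --with-rand-seed value\n" if $1 eq "";` before the `foreach`. Repeated entries such as `os,os` are also pushed twice; a small uniqueness check before `push @seed_sources, $x;` would keep the generated defines free of duplicates. The surrounding `elsif` chain starts and ends outside this hunk.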
@@ -812,6 +824,17 @@
"***** any of asan, msan or ubsan\n";
}
+if (scalar(@seed_sources) == 0) {
+ print "Using implicit seed configuration\n";
+ push @seed_sources, 'os';
+}
+die "Cannot seed with none and anything else"
+ if scalar(grep { $_ eq 'none' } @seed_sources) > 0
+ && scalar(@seed_sources) > 1;
+push @{$config{openssl_other_defines}},
+ map { (my $x = $_) =~ tr|[\-a-z]|[_A-Z]|; "OPENSSL_RAND_SEED_$x" }
+ @seed_sources;
+
my @tocheckfor = (keys %disabled);
while (@tocheckfor) {
my %new_tocheckfor = ();
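Review bot: The `tr|[\-a-z]|[_A-Z]|` in the `map` block is written like a regex character class, but `tr` takes plain character lists, so the brackets are literal characters that only happen to map to themselves; `tr|\-a-z|_A-Z|` says what is meant. Separately, a lone `none` passes through without any message, while the default case prints "Using implicit seed configuration". Since that choice presumably produces a library whose CSPRNG is not seeded automatically, a configure-time line such as `print "WARNING: --with-rand-seed=none, the application must seed the CSPRNG itself\n";` would make it visible in build logs. The `die "Cannot seed with none and anything else"` also lacks the trailing `\n` that the other new `die` uses, so it will append a Configure line number to a user-facing error.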