mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00

mod_ssl: Drop SSLRandomSeed implementation with OpenSSL 1.1.1.

Require that OpenSSL is configured with a suitable entropy source,
or fail startup otherwise.

* modules/ssl/ssl_private.h:
  Define MODSSL_USE_SSLRAND for OpenSSL < 1.1.1.
  (SSLModConfigRec): Only define pid, aRandSeed for <1.1.1.
  (ssl_rand_seed): Define as noop if !MODSSL_USE_SSLRAND.

* modules/ssl/ssl_engine_init.c (ssl_init_Module):
  Only initialize mc->pid for MODSSL_USE_SSLRAND.
  Fail if RAND_status() returns zero.
  (ssl_init_Child): Drop getpid and srand for !MODSSL_USE_SSLRAND.

* modules/ssl/ssl_engine_rand.c: ifdef-out for !MODSSL_USE_SSLRAND.
  (ssl_rand_seed): Drop warning if PRNG not seeded (now a startup
  error as above).
  
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Drop
  aRandSeed initialization.  (ssl_cmd_SSLRandomSeed): Log a warning if
  used w/!MODSSL_USE_SSLRAND.
  
Github: closes #123


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877467 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton
2020-05-07 10:34:12 +00:00
parent e9945c13ee
commit c2321e5b8f
6 changed files with 43 additions and 10 deletions


@@ -237,11 +237,13 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT);
}
#ifdef MODSSL_USE_SSLRAND
/* We initialize mc->pid per-process in the child init,
* but it should be initialized for startup before we
* call ssl_rand_seed() below.
*/
mc->pid = getpid();
#endif
/*
* Let us cleanup on restarts and exits
@@ -330,6 +332,14 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
if (RAND_status() == 0) {
ap_log_error(APLOG_MARK, APLOG_CRIT, 0, base_server, APLOGNO(01990)
MODSSL_LIBRARY_NAME " PRNG does not contain sufficient "
"randomness. Build the SSL library with a suitable "
"entropy source configured.");
return APR_EGENERAL;
}
#ifdef HAVE_FIPS
if (!FIPS_mode() && mc->fips == TRUE) {
if (!FIPS_mode_set(1)) {
@@ -2277,11 +2287,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
void ssl_init_Child(apr_pool_t *p, server_rec *s)
{
#ifdef MODSSL_USE_SSLRAND
SSLModConfigRec *mc = myModConfig(s);
mc->pid = getpid(); /* only call getpid() once per-process */
/* XXX: there should be an ap_srand() function */
srand((unsigned int)time(NULL));
#endif
/* open the mutex lockfile */
ssl_mutex_reinit(s, p);
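Review bot: The new `RAND_status() == 0` check in the second ssl_init_Module hunk sits outside any `MODSSL_USE_SSLRAND` guard, so it also aborts startup on OpenSSL < 1.1.1 builds, where seeding still goes through `ssl_rand_seed()` and the SSLRandomSeed directive. On those builds the logged advice to rebuild the SSL library is likely to mislead, since the remedy is presumably a working `SSLRandomSeed startup` source; the message text could be chosen under `#ifdef MODSSL_USE_SSLRAND` to say so. A short comment above the check would also record the intent, e.g. `/* Fail closed: do not start TLS with an unseeded PRNG. */`. ssl_init_Module starts and ends outside the visible hunks.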