Closed
Conversation
paulidale
added
branch: master
levitte
reviewed
Dec 9, 2020
2 tasks
t8m
previously approved these changes
Dec 9, 2020
Member
|
Approved, however the CIs still fail |
t8m
added
the
approval: done
Contributor
Author
|
I think I found the problem. At least I found another problem. |
Member
|
The last commit (b3118eb) is already in #13635 |
Member
|
And unfortunately 118ea31 still did not fix the seed src issues. |
Contributor
Author
|
I'll drop b3118eb once the CI's pass. |
Contributor
Author
|
Got it. |
levitte
requested changes
Dec 9, 2020
This satisfies EVP's RAND layer.
levitte
reviewed
Dec 9, 2020
levitte
approved these changes
Dec 9, 2020
1 task
openssl-machine
pushed a commit
that referenced
this pull request
Dec 9, 2020
Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #13640)
openssl-machine
pushed a commit
that referenced
this pull request
Dec 9, 2020
This satisfies EVP's RAND layer. Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #13640)
openssl-machine
pushed a commit
that referenced
this pull request
Dec 9, 2020
Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #13640)
openssl-machine
pushed a commit
that referenced
this pull request
Dec 9, 2020
Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #13640)
Contributor
Author
|
I've removed the fix from #13635 and merged this to master. |
xnox
added a commit
to xnox/openssl
that referenced
this pull request
Dec 5, 2025
If a custom seed source is specified in the config file, it can be silently ignored. For example if it is missing, fails to be created, or fails to initialize it can be silently ignored and fallback to os entropy instead. To reproduce this, perform default configuration of openssl without jitter entropy source, and then specify jitter entropy source. Currently entropy will fall back to getrandom, instead of erroring out. This is not unique to jitter entropy source, there are a few other entropy source providers out there on the market, and in all cases if one is configuring OpenSSL to use a given seed source by name, it should be honored. Currently this will output a fresh rsa key, with this change however it will now result in an error: ``` ./Configure make ./util/wrap.pl -jitter ./apps/openssl genrsa Warning: generating random key material may take a long time if the system has a poor entropy source genrsa: Error generating RSA key 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: ``` IMHO, if a user is configuring a custom seed source, it should be honored without silently eating errors. Note this partially reverts 1d180bb "rand: allow seed-src to be missing", which as far as I understand was done to ensure that fallback seedsource is allowed to be missing. This new implementation preserves this behaviour by ensuring error is not raised if SEED-SRC (which since the above commit was changed to a macro define OPENSSL_DEFAULT_SEED_SRC) is used as a fallback, and it fails to be fetched. Previously all errors were popped unconditionaly, thus same behaviour is preserved if SEED-SRC is completely missing and it wasn't configured in the config file. cc @paulidale, also see: - openssl#13640
xnox
added a commit
to xnox/openssl
that referenced
this pull request
Dec 5, 2025
If a custom seed source is specified in the config file, it can be silently ignored. For example if it is missing, fails to be created, or fails to initialize it can be silently ignored and fallback to os entropy instead. To reproduce this, perform default configuration of openssl without jitter entropy source, and then specify jitter entropy source. Currently entropy will fall back to getrandom, instead of erroring out. This is not unique to jitter entropy source, there are a few other entropy source providers out there on the market, and in all cases if one is configuring OpenSSL to use a given seed source by name, it should be honored. Currently this will output a fresh rsa key, with this change however it will now result in an error: ``` ./Configure make ./util/wrap.pl -jitter ./apps/openssl genrsa Warning: generating random key material may take a long time if the system has a poor entropy source genrsa: Error generating RSA key 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: ``` IMHO, if a user is configuring a custom seed source, it should be honored without silently eating errors. Note this partially reverts 1d180bb "rand: allow seed-src to be missing", which as far as I understand was done to ensure that fallback seedsource is allowed to be missing. This new implementation preserves this behaviour by ensuring error is not raised if SEED-SRC (which since the above commit was changed to a macro define OPENSSL_DEFAULT_SEED_SRC) is used as a fallback, and it fails to be fetched. Previously all errors were popped unconditionaly, thus same behaviour is preserved if SEED-SRC is completely missing and it wasn't configured in the config file. cc @paulidale, also see: - openssl#13640
xnox
added a commit
to xnox/openssl
that referenced
this pull request
Dec 5, 2025
If a custom seed source is specified in the config file, it can be silently ignored. For example if it is missing, fails to be created, or fails to initialize it can be silently ignored and fallback to os entropy instead. To reproduce this, perform default configuration of openssl without jitter entropy source, and then specify jitter entropy source. Currently entropy will fall back to getrandom, instead of erroring out. This is not unique to jitter entropy source, there are a few other entropy source providers out there on the market, and in all cases if one is configuring OpenSSL to use a given seed source by name, it should be honored. Currently this will output a fresh rsa key, with this change however it will now result in an error: ``` ./Configure make ./util/wrap.pl -jitter ./apps/openssl genrsa Warning: generating random key material may take a long time if the system has a poor entropy source genrsa: Error generating RSA key 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: ``` IMHO, if a user is configuring a custom seed source, it should be honored without silently eating errors. Note this partially reverts 1d180bb "rand: allow seed-src to be missing", which as far as I understand was done to ensure that fallback seedsource is allowed to be missing. This new implementation preserves this behaviour by ensuring error is not raised if SEED-SRC (which since the above commit was changed to a macro define OPENSSL_DEFAULT_SEED_SRC) is used as a fallback, and it fails to be fetched. Previously all errors were popped unconditionaly, thus same behaviour is preserved if SEED-SRC is completely missing and it wasn't configured in the config file. cc @paulidale, also see: - openssl#13640
openssl-machine
pushed a commit
that referenced
this pull request
Jan 18, 2026
If a custom seed source is specified in the config file, it can be silently ignored. For example if it is missing, fails to be created, or fails to initialize it can be silently ignored and fallback to os entropy instead. To reproduce this, perform default configuration of openssl without jitter entropy source, and then specify jitter entropy source. Currently entropy will fall back to getrandom, instead of erroring out. This is not unique to jitter entropy source, there are a few other entropy source providers out there on the market, and in all cases if one is configuring OpenSSL to use a given seed source by name, it should be honored. Currently this will output a fresh rsa key, with this change however it will now result in an error: ``` ./Configure make ./util/wrap.pl -jitter ./apps/openssl genrsa Warning: generating random key material may take a long time if the system has a poor entropy source genrsa: Error generating RSA key 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: ``` IMHO, if a user is configuring a custom seed source, it should be honored without silently eating errors. Note this partially reverts 1d180bb "rand: allow seed-src to be missing", which as far as I understand was done to ensure that fallback seedsource is allowed to be missing. This new implementation preserves this behaviour by ensuring error is not raised if SEED-SRC (which since the above commit was changed to a macro define OPENSSL_DEFAULT_SEED_SRC) is used as a fallback, and it fails to be fetched. Previously all errors were popped unconditionaly, thus same behaviour is preserved if SEED-SRC is completely missing and it wasn't configured in the config file. cc @paulidale, also see: - #13640 Reviewed-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from #29316)
esyr
pushed a commit
to esyr/openssl
that referenced
this pull request
Jan 19, 2026
If a custom seed source is specified in the config file, it can be silently ignored. For example if it is missing, fails to be created, or fails to initialize it can be silently ignored and fallback to os entropy instead. To reproduce this, perform default configuration of openssl without jitter entropy source, and then specify jitter entropy source. Currently entropy will fall back to getrandom, instead of erroring out. This is not unique to jitter entropy source, there are a few other entropy source providers out there on the market, and in all cases if one is configuring OpenSSL to use a given seed source by name, it should be honored. Currently this will output a fresh rsa key, with this change however it will now result in an error: ``` ./Configure make ./util/wrap.pl -jitter ./apps/openssl genrsa Warning: generating random key material may take a long time if the system has a poor entropy source genrsa: Error generating RSA key 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: 80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>) 80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613: ``` IMHO, if a user is configuring a custom seed source, it should be honored without silently eating errors. Note this partially reverts 1d180bb "rand: allow seed-src to be missing", which as far as I understand was done to ensure that fallback seedsource is allowed to be missing. This new implementation preserves this behaviour by ensuring error is not raised if SEED-SRC (which since the above commit was changed to a macro define OPENSSL_DEFAULT_SEED_SRC) is used as a fallback, and it fails to be fetched. Previously all errors were popped unconditionaly, thus same behaviour is preserved if SEED-SRC is completely missing and it wasn't configured in the config file. cc @paulidale, also see: - openssl#13640 Reviewed-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#29316)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A recent merge broken the build.
This fixes it.