svn commit: r368553 - head/sbin/decryptcore
Eric van Gyzen
vangyzen at FreeBSD.org
Fri Dec 11 14:32:43 UTC 2020
Author: vangyzen
Date: Fri Dec 11 14:32:42 2020
New Revision: 368553
URL: https://svnweb.freebsd.org/changeset/base/368553
Log:
decryptcore: preload OpenSSL error strings; seed PRNG
As in r360226, preload OpenSSL error strings and seed the PRNG
before entering capability mode.
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
Modified:
head/sbin/decryptcore/decryptcore.c
Modified: head/sbin/decryptcore/decryptcore.c
==============================================================================
--- head/sbin/decryptcore/decryptcore.c Fri Dec 11 14:11:41 2020 (r368552)
+++ head/sbin/decryptcore/decryptcore.c Fri Dec 11 14:32:42 2020 (r368553)
@@ -170,6 +170,19 @@ decrypt(int ofd, const char *privkeyfile, const char *
goto failed;
}
+ /*
+ * Obsolescent OpenSSL only knows about /dev/random, and needs to
+ * pre-seed before entering cap mode. For whatever reason,
+ * RSA_pub_encrypt uses the internal PRNG.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ {
+ unsigned char c[1];
+ RAND_bytes(c, 1);
+ }
+#endif
+ ERR_load_crypto_strings();
+
caph_cache_catpages();
if (caph_enter() < 0) {
pjdlog_errno(LOG_ERR, "Unable to enter capability mode");
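Review bot: The return value of RAND_bytes(c, 1) in the pre-1.1.0 block is ignored, so a failed seed goes unnoticed and the process enters capability mode with a PRNG that, per the comment, can no longer reach /dev/random. Consider checking that the call returns 1 and otherwise logging the failure and taking the existing "goto failed" path, so the failure surfaces here rather than later inside the RSA operation. The comment also names RSA_pub_encrypt, while this hunk sits in decrypt(); naming the RSA call this function actually makes would make the reason for seeding clearer to the next reader.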