diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2021-10-14 13:57:53 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2021-10-14 22:44:58 +0200 |
| commit | f3c215e18a048fc62d8aa67d4d07983f4da9e1fe (patch) | |
| tree | e27d43fbe10326ba309332d4f3d2d50dda89abea | |
| parent | a132b927d7e6fbf4a5331afd83193c50eb778a6b (diff) | |
| download | curl-f3c215e18a048fc62d8aa67d4d07983f4da9e1fe.tar.gz | |
openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
One reason we know it can fail is if a provider is used that doesn't do
a proper job or is wrongly configured.
Reported-by: Michael Baentsch
Fixes #7840
Closes #7856
| -rw-r--r-- | lib/vtls/openssl.c | 35 |
1 files changed, 23 insertions, 12 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index aafc2ae09..03cc028b1 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -227,6 +227,10 @@ #endif #endif +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) +#define HAVE_RANDOM_INIT_BY_DEFAULT 1 +#endif + struct ssl_backend_data { struct Curl_easy *logger; /* transfer handle to pass trace logs to, only using sockindex 0 */ @@ -435,18 +439,21 @@ static bool rand_enough(void) static CURLcode ossl_seed(struct Curl_easy *data) { - char fname[256]; - /* This might get called before it has been added to a multi handle */ if(data->multi && data->multi->ssl_seeded) return CURLE_OK; if(rand_enough()) { - /* OpenSSL 1.1.0+ will return here */ + /* OpenSSL 1.1.0+ should return here */ if(data->multi) data->multi->ssl_seeded = TRUE; return CURLE_OK; } +#ifdef HAVE_RANDOM_INIT_BY_DEFAULT + /* with OpenSSL 1.1.0+, a failed RAND_status is a showstopper */ + failf(data, "Insufficient randomness"); + return CURLE_SSL_CONNECT_ERROR; +#else #ifndef RANDOM_FILE /* if RANDOM_FILE isn't defined, we only perform this if an option tells @@ -507,19 +514,23 @@ static CURLcode ossl_seed(struct Curl_easy *data) RAND_add(randb, (int)len, (double)len/2); } while(!rand_enough()); - /* generates a default path for the random seed file */ - fname[0] = 0; /* blank it first */ - RAND_file_name(fname, sizeof(fname)); - if(fname[0]) { - /* we got a file name to try */ - RAND_load_file(fname, RAND_LOAD_LENGTH); - if(rand_enough()) - return CURLE_OK; + { + /* generates a default path for the random seed file */ + char fname[256]; + fname[0] = 0; /* blank it first */ + RAND_file_name(fname, sizeof(fname)); + if(fname[0]) { + /* we got a file name to try */ + RAND_load_file(fname, RAND_LOAD_LENGTH); + if(rand_enough()) + return CURLE_OK; + } } infof(data, "libcurl is now using a weak random seed!"); return (rand_enough() ? CURLE_OK : - CURLE_SSL_CONNECT_ERROR /* confusing error code */); + CURLE_SSL_CONNECT_ERROR /* confusing error code */); +#endif } #ifndef SSL_FILETYPE_ENGINE |