Remove RANDFILE settings from configuration files

OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding mechanism, which makes it dispensable to define a RANDFILE for saving and restoring randomness. This commit removes the RANDFILE declarations from our own configuration files and adds documentation that this option is not needed anymore and retained mainly for compatibility reasons. Fixes #10433 Reviewed-by: N Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10436)

Remove RANDFILE settings from configuration files
OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding mechanism, which makes it dispensable to define a RANDFILE for saving and restoring randomness. This commit removes the RANDFILE declarations from our own configuration files and adds documentation that this option is not needed anymore and retained mainly for compatibility reasons. Fixes #10433 Reviewed-by: N Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10436)
23f39931 · Dr. Matthias St. Pierre · 0c080f73 · 23f39931 · 23f39931 · 23f39931
23 changed file
--- a/.gitignore
+++ b/.gitignore
@@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod
 /out32dll.dbg
 /inc32
 /MINFO
-/ms/.rnd
 /ms/bcb.mak
 /ms/libeay32.def
 /ms/nt.mak

--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"

 ####################################################################

--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca


--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -446,7 +446,8 @@ CA private key. Mandatory.
 =item B<RANDFILE>

 At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.

 =item B<default_days>

@@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
 serial         = $dir/serial           # serial no file
 #rand_serial    = yes                  # for random serial#'s
 private_key    = $dir/private/cakey.pem# CA private key
- RANDFILE       = $dir/private/.rand    # random number file

 default_days   = 365                   # how long to certify for
 default_crl_days= 30                   # how long before next CRL
@@ -690,7 +690,6 @@ The values below reflect the default values.
 ./demoCA/index.txt             - CA text database file
 ./demoCA/index.txt.old         - CA text database backup file
 ./demoCA/certs                 - certificate output file
- ./demoCA/.rnd                  - CA random seed information

 =head1 RESTRICTIONS

@@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
 earlier than year 2049 (included), and as GeneralizedTime if the dates
 are in year 2050 or later.

+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO

 L<openssl(1)>,

--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
 Sample configuration containing all field values:


- RANDFILE               = $ENV::HOME/.rnd
-
 [ req ]
 default_bits           = 2048
 default_keyfile        = keyfile.pem

--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional)

 =item B<oid_file>

-See L<openssl-ca(1)> for description. (Optional)
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)

 =item B<oid_section>

-See L<openssl-ca(1)> for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)

 =item B<RANDFILE>

-See L<openssl-ca(1)> for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.

 =item B<serial>

@@ -644,6 +652,13 @@ test/testtsa).

 =back

+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO

 L<openssl(1)>,

--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -416,7 +416,6 @@ mentioned above.
 # This is the default section.

 HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
 configdir=$ENV::HOME/config

 [ section_one ]

--- a/test/CAss.cnf
+++ b/test/CAss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #

-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
@@ -43,7 +41,6 @@ certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file

 x509_extensions	= v3_ca			# The extensions to add to the cert


--- a/test/CAssdh.cnf
+++ b/test/CAssdh.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DH certs - CA

-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

--- a/test/CAssdsa.cnf
+++ b/test/CAssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - CA

-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

--- a/test/CAssrsa.cnf
+++ b/test/CAssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - CA

-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -3,8 +3,6 @@
 # This config is used by the Time Stamp Authority tests.
 #

-RANDFILE		= ./.rnd
-
 # Extra OBJECT IDENTIFIER info:
 oid_section		= new_oids

@@ -32,7 +30,6 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file

 default_days	= 365			# how long to certify for
 default_md	= sha256			# which md to use.

--- a/test/P1ss.cnf
+++ b/test/P1ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #

-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048

--- a/test/P2ss.cnf
+++ b/test/P2ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #

-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048

--- a/test/Sssdsa.cnf
+++ b/test/Sssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - Server

-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

--- a/test/Sssrsa.cnf
+++ b/test/Sssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - Server

-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

--- a/test/Uss.cnf
+++ b/test/Uss.cnf
@@ -3,7 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #

-RANDFILE		= ./.rnd
 CN2 = Brother 2

 ####################################################################

--- a/test/conf_include_test.c
+++ b/test/conf_include_test.c
@@ -90,13 +90,6 @@ static int test_load_config(void)
        return 0;
    }

-    /* verify whether RANDFILE is set correctly */
-    str = NCONF_get_string(conf, "", "RANDFILE");
-    if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
-        TEST_note("RANDFILE incorrect");
-        return 0;
-    }
-
    /* verify whether CA_default/default_days is set */
    val = 0;
    if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)

--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -19,10 +19,6 @@ plan tests => 13;

 require_ok(srctop_file('test','recipes','tconversion.pl'));

-open RND, ">>", ".rnd";
-print RND "string to make the random number generator think it has randomness";
-close RND;
-
 # What type of key to generate?
 my @req_new;
 if (disabled("rsa")) {

--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert);
 # -----------
 # subtest functions
 sub testss {
-    open RND, ">>", ".rnd";
-    print RND "string to make the random number generator think it has randomness";
-    close RND;
-
    my @req_dsa = ("-newkey",
                   "dsa:".srctop_file("apps", "dsa1024.pem"));
    my $dsaparams = srctop_file("apps", "dsa1024.pem");

--- a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
+++ b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
@@ -4,8 +4,6 @@
 # This is mostly being used for generation of certificate requests.
 #

-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -23,7 +21,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file

 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL

--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca


--- a/test/test.cnf
+++ b/test/test.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #

-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -22,7 +20,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file

 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL