diff --git a/.gitignore b/.gitignore
index 8629499c497abe48a85df9dc506b5881a4897c36..eb95e48bfe9399a490cc0b60dc5fc24a18298da3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod
 /out32dll.dbg
 /inc32
 /MINFO
-/ms/.rnd
 /ms/bcb.mak
 /ms/libeay32.def
 /ms/nt.mak
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 531afe64b20f7dc801ea08c53d624885c052e3a8..bd762b7ddc45fdb3b41a74f1af47970a0378cdd1 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME = .
-RANDFILE = $ENV::HOME/.rnd
 CN = "Not Defined"
 
 ####################################################################
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index 5a8a5f29ef51d196fd078341635c5fc2a3f4a121..c75a71a6aaca009445ac4d25f1ab9a61df72e9a1 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME = .
-RANDFILE = $ENV::HOME/.rnd
 CN = "Not Defined"
 
 default_ca = ca
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 6df41d897f76253ce6f3a1f6e20df93c1347eee0..c439fde5d9f4b321dfbb48d1afc61b85d213f940 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -446,7 +446,8 @@ CA private key. Mandatory.
 
 =item B
 
 At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L section.
 
 =item B
@@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
  serial = $dir/serial # serial no file
  #rand_serial = yes # for random serial#'s
  private_key = $dir/private/cakey.pem# CA private key
- RANDFILE = $dir/private/.rand # random number file
 
  default_days = 365 # how long to certify for
  default_crl_days= 30 # how long before next CRL
@@ -690,7 +690,6 @@ The values below reflect the default values.
  ./demoCA/index.txt - CA text database file
  ./demoCA/index.txt.old - CA text database backup file
  ./demoCA/certs - certificate output file
- ./demoCA/.rnd - CA random seed information
 
 =head1 RESTRICTIONS
 
@@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
 earlier than year 2049 (included), and as GeneralizedTime if the dates are in year 2050 or later.
 
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L,
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 8ca4acc1118fbd7ba875928c2d7c3ef537c23e63..83aa1ad54ee00b8f48d4d2a872bc38cecfd471b6 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
 
 Sample configuration containing all field values:
 
- RANDFILE = $ENV::HOME/.rnd
-
  [ req ]
  default_bits = 2048
  default_keyfile = keyfile.pem
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index 035763260dc15551e9572e245fd9f0c0125ca80a..6827fe84d1777e7d4cd17f99ba55525bc5839b31 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch.
 (Optional)
 
 =item B
 
-See L for description. (Optional)
+This specifies a file containing additional B.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)
 
 =item B
 
-See L for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)
 
 =item B
 
-See L for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L section.
 
 =item B
@@ -644,6 +652,13 @@ test/testtsa).
 
 =back
 
+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L,
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 4b8465594af2b288edea3c4479c101e4a40fa992..1776439edd2e7a4df0cf33e913c15acfcf3dd6b1 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -416,7 +416,6 @@ mentioned above.
  # This is the default section.
 
  HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
  configdir=$ENV::HOME/config
 
  [ section_one ]
diff --git a/test/CAss.cnf b/test/CAss.cnf
index b20a2427603ba9f9507a76251a31706497417e4c..8ca62b5cf7e6ab9f61d5363ffac1cc7cbae33a2b 100644
--- a/test/CAss.cnf
+++ b/test/CAss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 default_bits = 2048
@@ -43,7 +41,6 @@ certificate = $dir/cacert.pem # The CA certificate
 serial = $dir/serial # The current serial number
 crl = $dir/crl.pem # The current CRL
 private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
 
 x509_extensions = v3_ca # The extensions to add to the cert
 
diff --git a/test/CAssdh.cnf b/test/CAssdh.cnf
index 4e0a908679f768c3bfe731e59cf07847b4882dba..7c08a6e1cca068b2e015a5ff3014e32eb12bde7a 100644
--- a/test/CAssdh.cnf
+++ b/test/CAssdh.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DH certs - CA
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name = req_distinguished_name
diff --git a/test/CAssdsa.cnf b/test/CAssdsa.cnf
index a6b4d1810c9516bafefc306d9f81f5726fa77a1a..8328abd7b44a1ea06c3e5735e3f95871b6002d5b 100644
--- a/test/CAssdsa.cnf
+++ b/test/CAssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - CA
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name = req_distinguished_name
diff --git a/test/CAssrsa.cnf b/test/CAssrsa.cnf
index eb24a6dfc0ef4caa1cdd6903e24a572da6ff8b97..d5aa20a72b2cf1b6e29ebf34aeed62ad4db3f67d 100644
--- a/test/CAssrsa.cnf
+++ b/test/CAssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - CA
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name = req_distinguished_name
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index d1642879be3baee737bc019b2f8e91ad4641ea02..e7ca8c5a1e124e7d1f4d5dc34f44c87b1da56f95 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -3,8 +3,6 @@
 # This config is used by the Time Stamp Authority tests.
 #
 
-RANDFILE = ./.rnd
-
 # Extra OBJECT IDENTIFIER info:
 oid_section = new_oids
 
@@ -32,7 +30,6 @@ new_certs_dir = $dir/newcerts # default place for new certs.
 certificate = $dir/cacert.pem # The CA certificate
 serial = $dir/serial # The current serial number
 private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
 
 default_days = 365 # how long to certify for
 default_md = sha256 # which md to use.
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
index e6118dc816c96165ecad42349e11a7c1808d5be9..03f3cdb1ad3f14e4a0cc39b72cc9a5ac62ec8cee 100644
--- a/test/P1ss.cnf
+++ b/test/P1ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 default_bits = 2048
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
index d530e31f9914e4de8a4d2d28fd10c363089d87b4..5adaecc7d50cd197bbbbbab676c08cdf173e2640 100644
--- a/test/P2ss.cnf
+++ b/test/P2ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 default_bits = 2048
diff --git a/test/Sssdsa.cnf b/test/Sssdsa.cnf
index 8e170a28ef59afa6d5c86c316b12448b5e784c3f..2fb35e08809081ad3681c6c47a9c2f3f005edeac 100644
--- a/test/Sssdsa.cnf
+++ b/test/Sssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - Server
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name = req_distinguished_name
diff --git a/test/Sssrsa.cnf b/test/Sssrsa.cnf
index 8c79a03fca8735b3cc4dbf45266ff841846a9f57..f2b6e72b912ca2d917d20f1835ed94eae6d32795 100644
--- a/test/Sssrsa.cnf
+++ b/test/Sssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - Server
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name = req_distinguished_name
diff --git a/test/Uss.cnf b/test/Uss.cnf
index f655e7448dc6c35e34a62b94d794e88c3bbec8d2..27517bd1060220af6dceef49441c8758c8e842a5 100644
--- a/test/Uss.cnf
+++ b/test/Uss.cnf
@@ -3,7 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE = ./.rnd
 CN2 = Brother 2
 
 ####################################################################
diff --git a/test/conf_include_test.c b/test/conf_include_test.c
index 16459c46d76dee5da6d7454157965d734b7b69f7..0cf8d49740317f7e969ca0de7be86b97a78f5f5b 100644
--- a/test/conf_include_test.c
+++ b/test/conf_include_test.c
@@ -90,13 +90,6 @@ static int test_load_config(void)
         return 0;
     }
 
-    /* verify whether RANDFILE is set correctly */
-    str = NCONF_get_string(conf, "", "RANDFILE");
-    if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
-        TEST_note("RANDFILE incorrect");
-        return 0;
-    }
-
     /* verify whether CA_default/default_days is set */
     val = 0;
     if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 6da8e897f5e9a80a88f959521c184ede39e78833..0e085b435defc606114fa4e5d32d3ee0079bfd98 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -19,10 +19,6 @@ plan tests => 13;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
-open RND, ">>", ".rnd";
-print RND "string to make the random number generator think it has randomness";
-close RND;
-
 # What type of key to generate?
 my @req_new;
 if (disabled("rsa")) {
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 0290b489ebcbf56096b3163d77de4f26dbeebdcd..2d213b7daa7f7affc215608984650d820430c438 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert);
 # -----------
 # subtest functions
 sub testss {
-    open RND, ">>", ".rnd";
-    print RND "string to make the random number generator think it has randomness";
-    close RND;
-
     my @req_dsa = ("-newkey", "dsa:".srctop_file("apps", "dsa1024.pem"));
     my $dsaparams = srctop_file("apps", "dsa1024.pem");
diff --git a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
index 66c89006d0ce56639ed5c91234cad2dfa3c2affc..5959b23e4b4be37492e3b4395c86461842bbf8e6 100644
--- a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
+++ b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
@@ -4,8 +4,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca = CA_default # The default ca section
@@ -23,7 +21,6 @@ certificate = $dir/CAcert.pem # The CA certificate
 serial = $dir/serial # The current serial number
 crl = $dir/crl.pem # The current CRL
 private_key = $dir/private/CAkey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
 
 default_days = 365 # how long to certify for
 default_crl_days= 30 # how long before next CRL
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 835b2c672de79f0f1ec835a85eded08fa2e67514..00d40e74791e8223cb8a64917eb73e574db4b956 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME = .
-RANDFILE = $ENV::HOME/.rnd
 CN = "Not Defined"
 
 default_ca = ca
diff --git a/test/test.cnf b/test/test.cnf
index 718b0bf1f2c92f4cf513b8266cd6fea77346e716..1e2fa31cce62d0d595d2e613f7c795a1e8d69129 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE = ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca = CA_default # The default ca section
@@ -22,7 +20,6 @@ certificate = $dir/CAcert.pem # The CA certificate
 serial = $dir/serial # The current serial number
 crl = $dir/crl.pem # The current CRL
 private_key = $dir/private/CAkey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
 
 default_days = 365 # how long to certify for
 default_crl_days= 30 # how long before next CRL