LibreSSL 3.7.x doesn't implement 'openssl genrsa -rand'
With LibreSSL the command `openssl genrsa` doesn't support the -rand command-line argument as OpenSSL does, but Gentoo's eclasses contain this function.
```sh
# @FUNCTION: gen_key
# @INTERNAL
# @USAGE: <base path>
# @DESCRIPTION:
# Generates an RSA key
#
gen_key() {
	local base=$(get_base "$1")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	openssl genrsa -rand "${SSL_RANDOM}" \
		-out "${base}.key" "${SSL_BITS}" &> /dev/null
	eend $?
	return $?
}
```
Where $SSL_RANDOM is:
```sh
# Location of some random files OpenSSL can use: don't use
# /dev/u?random here -- doesn't work properly on all platforms
SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
```
Which causes many ebuilds to generate this error:
```
* Generating 4096 bit RSA key for CA ... [ !! ]
chown: cannot access '/etc/openldap/ssl/ldap.*': No such file or directory
```
Is it possible to implement openssl genrsa -rand in LibreSSL? Doing so as a no-op would be adequate for my needs. Changing the eclass in the Gentoo LibreSSL overlay would be problematic.
OpenSSL documents the feature:
> -rand file(s)
> a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified separated by an OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others.
https://www.openssl.org/docs/man1.0.2/man1/genrsa.html
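An added example, not code from the issue, the Gentoo eclass or LibreSSL: a POSIX sh wrapper that passes -rand only when the installed `openssl genrsa` usage text advertises the option, so one script runs unchanged on OpenSSL and LibreSSL. The function names (`genrsa_help_has_rand`, `genrsa_args`, `gen_key_portable`) and the two abridged usage texts used for the offline demo are constructed for this example; `SSL_RANDOM` and `SSL_BITS` are the eclass variables quoted above.

```shell
#!/bin/sh
# Added example (not from the issue, Gentoo or LibreSSL): only pass -rand
# to `openssl genrsa` when the installed toolkit's usage text lists it.

# Return 0 when a genrsa usage text mentions a -rand option.
# $1: the usage/help text printed by `openssl genrsa -help`
genrsa_help_has_rand() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-rand([[:space:]]|$)'
}

# Print the argument list for genrsa as one space-separated string.
# $1: usage text   $2: seed files (SSL_RANDOM)   $3: key bits   $4: output file
# -rand is dropped when the toolkit does not support it or no seed is set,
# which is the no-op behaviour the issue asks LibreSSL to provide.
genrsa_args() {
    if [ -n "$2" ] && genrsa_help_has_rand "$1"; then
        printf '%s' "-rand $2 -out $4 $3"
    else
        printf '%s' "-out $4 $3"
    fi
}

# Wrapper around the real binary (hypothetical name, not the eclass's).
# Both OpenSSL and LibreSSL print a usage summary on stderr for an
# unrecognised or help option, so capture 2>&1.
# Usage: gen_key_portable <outfile>
gen_key_portable() {
    help_text=$(openssl genrsa -help 2>&1)
    # shellcheck disable=SC2046  # intentional word splitting of the arg list
    openssl genrsa $(genrsa_args "$help_text" "${SSL_RANDOM:-}" "${SSL_BITS:-2048}" "$1")
}

# Offline demo with constructed, abridged usage texts (not copied from
# either toolkit); no key is generated here.
OPENSSL_LIKE_USAGE='Usage: genrsa [options] numbits
 -rand file:file:...    load the file(s) into the random number generator
 -out file              output the key to file'
LIBRESSL_LIKE_USAGE='usage: genrsa [-3 | -f4] [-aes128 | -aes192 | -aes256 | -des | -des3]
    [-out file] [-passout arg] [numbits]'

echo "OpenSSL-style:  openssl genrsa $(genrsa_args "$OPENSSL_LIKE_USAGE" /etc/resolv.conf 4096 ca.key)"
echo "LibreSSL-style: openssl genrsa $(genrsa_args "$LIBRESSL_LIKE_USAGE" /etc/resolv.conf 4096 ca.key)"
```

The check keys off the usage text rather than the toolkit name, so it also copes with an OpenSSL build whose genrsa lacks the option. Dropping -rand loses nothing security-wise on either toolkit: the files in `SSL_RANDOM` above are supplementary seed input, and the key is still generated from the library's own CSPRNG.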
This option was neutered in the very early days of the fork and removed a couple of months later, nearly 9 years ago. Did gentoo add use of this only recently? That would seem odd...
Implementing -rand as a noop is very easy. The question really is whether we want to do that for genrsa and potentially all the other commands that used to have it. I'd expect the answer to be "probably not". In any case, if this were to be added, it would only be available in the next major release 3.8.
Here's a diff you can use if you want:
--- apps/openssl/genrsa.c.orig
+++ apps/openssl/genrsa.c
@@ -90,6 +90,7 @@ static struct {
unsigned long f4;
char *outfile;
char *passargout;
+ char *rand_dummy;
} cfg;
static int
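Review bot: `rand_dummy` in the `cfg` struct is only ever written by the option parser and never read, so a comment on the declaration stating that it exists solely to accept `-rand` for OpenSSL compatibility (e.g. `char *rand_dummy; /* -rand: accepted and ignored */`) would stop a later reader from trying to plumb it into seeding.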
@@ -251,6 +252,11 @@ static const struct option genrsa_option
.desc = "Output file passphrase source",
.type = OPTION_ARG,
.opt.arg = &cfg.passargout,
+ },
+ {
+ .name = "rand",
+ .type = OPTION_ARG,
+ .opt.arg = &cfg.rand_dummy,
},
{ NULL },
};
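Review bot: the new `rand` entry omits the `.desc` that the neighbouring `passargout` entry carries, so the usage output would list the option without any description; suggest `.desc = "Ignored, accepted for OpenSSL compatibility",` so callers learn the seed files are not used. Consider also printing a warning to stderr when the option is given, since a script relying on the eclass's `SSL_RANDOM` handling would otherwise silently assume the files contributed to the seed.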
The patch does work for me and is very helpful, thanks! Given the background I imagine adding it back might not be the best idea, although I wonder if any build systems depend on this?
> Did gentoo add use of this only recently? That would seem odd...
Seems not, it was part of the Github initial commit for Gentoo.
https://github.com/gentoo/gentoo/commit/56bd759df1d0c750a065b8c845e93d5dfa6b549d
Then LibreSSL support was added.
https://github.com/gentoo/gentoo/commit/e21b7de461c1ea87cca4423a57dbc6d355611c9b
And then removed...
https://github.com/gentoo/gentoo/commit/738b94a40903a77b4970807fc6754231719679c5
It's not a fatal error so it seems it was overlooked before. Since patching it in the Gentoo overlay is good enough for me I will close this.
@botovq Another user of genrsa -rand (And dsaparam -rand) is neon.
https://github.com/notroj/neon/blob/18e868e4449cd46d494944ced798f9dcd01f65c5/test/makekeys.sh#L31-L37
Perhaps it might help if these were added as no-ops?