On Mon, May 24, 2004 at 07:50:54PM +0300, Timo Sirainen wrote:
This could also be fixed by patching OpenSSL (I think). Patch in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284
That looks similar to a private patch I created some time back when openssl changed its RAND_bytes logic. I've moved it forward to successive openssl releases as I've installed them. This is pretty specific to the environment here though -- particularly where you know that you have a /dev/urandom. That openssl change (the one that necessitated this patch) also broke systems where the /dev/urandom was implemented via a pipe to a command.
Anyway, just for grins.. here's that local patch as carried forward to 0.9.7d
*** rand_unix.c.orig Sat Dec 27 11:01:52 2003 --- rand_unix.c Wed Mar 17 23:13:25 2004
*** 167,182 **** --- 167,203 ----
for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
{
- #ifndef MV_COMM if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
- #else /* mem 20030409 -- yes, let's block */
if ((fd = open(*randomfile, O_RDONLY
- #endif /* MV_COMM */
- #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it our controlling tty */ |O_NOCTTY #endif
- #ifndef MV_COMM /* mem 20030409 -- we don't have O_NOFOLLOW
but let's not even accidently consider
preventing following symbolic link here.
#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */ |O_NOFOLLOW #endif*/
- #endif /* MV_COMM */ )) >= 0) {
- #ifndef MV_COMM /* mem 20030409 -- don't do this idiotic timeout
stuff-- just read from the file. I don't care
if it hangs forever, it's better than failing.
Besides we'll put /dev/urandom first in the
list so if it hangs there are bigger problems
anyway.
*/
struct timeval t = { 0, 10*1000 }; /* Spend 10ms on each file. */ int r;
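Review bot: Wrapping the `#ifdef O_NOFOLLOW ... |O_NOFOLLOW #endif` block in `#ifndef MV_COMM` gains nothing on a platform that lacks the flag, since the existing `#ifdef O_NOFOLLOW` guard already compiles to nothing there, and it silently drops the symlink check on any build where the flag does exist; suggest leaving the upstream `#ifdef O_NOFOLLOW` block outside the MV_COMM conditional. Separately, the blocking open (`O_RDONLY` without `O_NONBLOCK`) combined with the removed 10ms timeout means the open or read hangs until data or a pipe writer appears; the comment justifies this by putting /dev/urandom first in `randomfiles`, but that reordering is not part of this hunk, so it should be made in the same patch or stated as a prerequisite.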
*** 208,213 **** --- 229,251 ---- } while ((r > 0 || (errno == EINTR || errno == EAGAIN)) && t.tv_usec != 0 && n < ENTROPY_NEEDED); +
#else /* MV_COMM */
int r;
do {
r = read(fd, (unsigned char*)tmpbuf+n,
ENTROPY_NEEDED-n);
if ( r > 0 )
n += r;
}
while ( (r > 0) ||
( (errno == EINTR) || ( errno == EAGAIN ) ) );
/* yeah sure, check for AGAIN even though we
should be blocking.
*/
#endif /* MV_COMM */
close(fd); }
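Review bot: The MV_COMM read loop in this hunk drops the `n < ENTROPY_NEEDED` bound and, with the timeout gone, has no exit on a stale errno: a `read()` that returns 0 at EOF does not touch errno, so if an earlier iteration left errno at EINTR or EAGAIN the condition `while ( (r > 0) || ( (errno == EINTR) || ( errno == EAGAIN ) ) )` keeps issuing zero-byte reads forever. Suggest setting `errno = 0;` before each `read()`, breaking explicitly on `r == 0`, and keeping `n < ENTROPY_NEEDED` in the condition so the loop stops when the buffer is full instead of relying on a zero-length read to end it; as the comment itself admits, EAGAIN cannot occur on a blocking descriptor, so that test can go.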