diff --git a/CHANGES b/CHANGES index 06f7e63..f594c49 100644 --- a/CHANGES +++ b/CHANGES @@ -58,6 +58,9 @@ porting: Make Socat compatible with BoringSSL. Thanks to Matt Braithwaite for providing a patch. + OpenSSL: Use RAND_status to determine PRNG state + Thanks to Adam Langley for providing a patch + testing: socks4echo.sh and socks4a-echo.sh hung with new bash with read -n diff --git a/config.h.in b/config.h.in index 2c2468b..543326a 100644 --- a/config.h.in +++ b/config.h.in @@ -456,6 +456,9 @@ /* Define if you have the OpenSSL RAND_egd function */ #undef HAVE_RAND_egd +/* Define if you have the OpenSSL RAND_status function */ +#undef HAVE_RAND_status + /* Define if you have the OpenSSL DH_set0_pqg function */ #undef HAVE_DH_set0_pqg diff --git a/configure.in b/configure.in index a32473b..2b804d0 100644 --- a/configure.in +++ b/configure.in @@ -1464,6 +1464,7 @@ AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHE AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(RAND_status, AC_DEFINE(HAVE_RAND_status)) AC_MSG_CHECKING(for type EC_KEY) AC_CACHE_VAL(sc_cv_type_EC_TYPE, diff --git a/xio-openssl.c b/xio-openssl.c index 3fe460c..bd95ad2 100644 --- a/xio-openssl.c +++ b/xio-openssl.c @@ -1123,6 +1123,8 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) { ( #if defined(OPENSSL_IS_BORINGSSL) 0 /* BoringSSL's RNG always succeeds. */ +#elif defined(HAVE_RAND_status) + ERR_GET_LIB(e) == ERR_LIB_RAND && RAND_status() != 1 #else e == ((ERR_LIB_RAND<<24)| #if defined(RAND_F_RAND_BYTES)