
LibreSSL 3.7.x doesn't implement 'openssl genrsa -rand' #839

Open
orbea opened this issue Apr 12, 2023 · 3 comments

Comments


orbea commented Apr 12, 2023

With LibreSSL the command openssl genrsa doesn't support the -rand command-line argument as does OpenSSL, but Gentoo inside the eclasses has this function.

# @FUNCTION: gen_key
# @INTERNAL
# @USAGE: <base path>
# @DESCRIPTION:
# Generates an RSA key
#
gen_key() {
    local base=$(get_base "$1")
    ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
        openssl genrsa -rand "${SSL_RANDOM}" \
            -out "${base}.key" "${SSL_BITS}" &> /dev/null
    eend $?

    return $?
}

Where $SSL_RANDOM is:

# Location of some random files OpenSSL can use: don't use
# /dev/u?random here -- doesn't work properly on all platforms
SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

Which causes many ebuilds to generate this error.

 * Generating 4096 bit RSA key for CA ...                                  [ !! ]
chown: cannot access '/etc/openldap/ssl/ldap.*': No such file or directory

Is it possible to implement openssl genrsa -rand in LibreSSL? Doing so as a no-op would be adequate for my needs. Changing the eclass in the Gentoo LibreSSL overlay would be problematic.

OpenSSL documents the feature:

-rand file(s)

a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified separated by an OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others.

https://www.openssl.org/docs/man1.0.2/man1/genrsa.html
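A compatibility variant of the eclass gen_key() above, added here as an example (it is not Gentoo's or LibreSSL's code): it probes whether the openssl binary in use accepts -rand and only then passes it, so one script works with both OpenSSL and LibreSSL. The probe assumes that OpenSSL's genrsa help/usage text mentions -rand and LibreSSL's does not.

```sh
#!/bin/sh
# Same layout as the eclass default; the ':'-separated list is OpenSSL's
# "OS-dependent separator" on non-Windows systems. Assumed paths.
SSL_RANDOM="${SSL_RANDOM:-${TMPDIR:-/tmp}/environment:/etc/resolv.conf}"

# Probe whether "$1 genrsa" knows -rand. OpenSSL's help/usage output lists
# the option; LibreSSL 3.7's usage text does not. $1 is the openssl command,
# so a shell function can stand in for it when testing offline.
openssl_supports_rand() {
    "$1" genrsa -help 2>&1 | grep -q -- '-rand'
}

# gen_key_compat <openssl-cmd> <base path> [bits]
# Writes <base path>.key, prepending "-rand $SSL_RANDOM" only when supported.
gen_key_compat() {
    cmd=$1
    base=$2
    bits=${3:-4096}
    set -- -out "${base}.key" "$bits"
    if openssl_supports_rand "$cmd"; then
        set -- -rand "$SSL_RANDOM" "$@"
    fi
    # On LibreSSL -rand is simply omitted: its RNG is always seeded by the
    # OS, so nothing is lost by leaving the option out.
    "$cmd" genrsa "$@"
}
```

Run as `gen_key_compat openssl /etc/openldap/ssl/ldap 4096` to get the eclass behaviour on OpenSSL and a plain `genrsa -out ... 4096` on LibreSSL.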

@botovq
Contributor

botovq commented Apr 12, 2023

This option was neutered in the very early days of the fork and removed a couple of months later, nearly 9 years ago. Did gentoo add use of this only recently? That would seem odd...

Implementing -rand as a noop is very easy. The question really is whether we want to do that for genrsa and potentially all the other commands that used to have it. I'd expect the answer to be "probably not". In any case, if this were to be added, it would only be available in the next major release 3.8.

Here's a diff you can use if you want:

--- apps/openssl/genrsa.c.orig
+++ apps/openssl/genrsa.c
@@ -90,6 +90,7 @@ static struct {
 	unsigned long f4;
 	char *outfile;
 	char *passargout;
+	char *rand_dummy;
 } cfg;
 
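Review bot: the new `char *rand_dummy;` member of `cfg` is written by option parsing but never read anywhere in this hunk, and nothing on the field says the value is discarded on purpose; add a one-line comment on it (for example `/* -rand: accepted for compatibility, value ignored */`) so a later reader does not try to wire it into key generation.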
 static int
@@ -251,6 +252,11 @@ static const struct option genrsa_option
 		.desc = "Output file passphrase source",
 		.type = OPTION_ARG,
 		.opt.arg = &cfg.passargout,
+	},
+	{
+		.name = "rand",
+		.type = OPTION_ARG,
+		.opt.arg = &cfg.rand_dummy,
 	},
 	{ NULL },
 };
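Review bot: the new `"rand"` entry has no `.argname` and no `.desc`, so the usage text cannot describe it, and a user reading OpenSSL's genrsa(1) will assume the file list seeds the RNG when it is in fact ignored; add `.argname = "file(s)"` and a `.desc` stating that the option is accepted only for compatibility and has no effect, and mention the same in the manual page if the no-op is kept.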

@orbea
Author

orbea commented Apr 12, 2023

The patch does work for me and is very helpful, thanks! Given the background I imagine adding it back might not be the best idea, although I wonder if any build systems depend on this?

Did gentoo add use of this only recently? That would seem odd...

Seems not, it was part of the GitHub initial commit for Gentoo.

gentoo/gentoo@56bd759

Then LibreSSL support was added.

gentoo/gentoo@e21b7de

And then removed...

gentoo/gentoo@738b94a

It's not a fatal error so it seems it was overlooked before. Since patching it in the Gentoo overlay is good enough for me I will close this.

orbea closed this as completed Apr 12, 2023
gentoo-bot pushed a commit to gentoo/libressl that referenced this issue Apr 12, 2023
Gentoo uses 'openssl genrsa -rand' in ssl-cert.eclass, but LibreSSL
doesn't support -rand so this patch makes it a no-op for compatibility.

Upstream-issue: libressl/portable#839
Signed-off-by: orbea <orbea@riseup.net>
@orbea
Author

orbea commented May 7, 2023

@botovq Another user of genrsa -rand (and dsaparam -rand) is neon.

https://github.com/notroj/neon/blob/18e868e4449cd46d494944ced798f9dcd01f65c5/test/makekeys.sh#L31-L37

Perhaps it might help if these were added as no-ops?
