ssl: Only invoke RAND_poll on older versions of OpenSSL

Summary: Only do RAND_poll on older versions of OpenSSL. RAND_poll is not required on OpenSSL 1.1.0+, as the RNG is implicitly seeded. On OpenSSL 1.1.1., RAND_poll became aliased to RAND_add. With some custom RNG implementations that did not implement RAND_add, (e.g. python-cryptography's osrandom implementation), this would manifest as a failure. Reviewed By: ngoyal, yfeldblum Differential Revision: D16786271 fbshipit-source-id: 4fb7876525006517c3e554d70736d7071bd3b4e3

ssl: Only invoke RAND_poll on older versions of OpenSSL
Summary: Only do RAND_poll on older versions of OpenSSL. RAND_poll is not required on OpenSSL 1.1.0+, as the RNG is implicitly seeded. On OpenSSL 1.1.1., RAND_poll became aliased to RAND_add. With some custom RNG implementations that did not implement RAND_add, (e.g. python-cryptography's osrandom implementation), this would manifest as a failure. Reviewed By: ngoyal, yfeldblum Differential Revision: D16786271 fbshipit-source-id: 4fb7876525006517c3e554d70736d7071bd3b4e3
af0d320e · Mingtao Yang · Facebook Github Bot · 73c65d44 · af0d320e
Commit af0d320e authored Oct 31, 2019 by Mingtao Yang Committed by Facebook Github Bot Oct 31, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

folly/ssl/Init.cpp folly/ssl/Init.cpp +5 -0

No files found.
--- a/folly/ssl/Init.cpp
+++ b/folly/ssl/Init.cpp
@@ -44,11 +44,16 @@ void initializeOpenSSLLocked() {
    // pointers to global resources.
    throw std::runtime_error("Failed to initialize OpenSSL.");
  }
+
+  // OpenSSL implicitly seeds its RNG since 1.1.0, so this call is unnecessary
+  // and is only here for compatibility with older versions of OpenSSL.
+#if !(FOLLY_OPENSSL_IS_110)
  if (RAND_poll() != 1) {
    // Similarly, if we fail to seed the RNG, future crypto operations
    // may no longer be safe to use; fail fast and hard here.
    throw std::runtime_error("Failed to initialize OpenSSL RNG.");
  }
+#endif
  initialized_ = true;
 }