Addendum to previous commit 7fa21607 ...

6aedb67e · Leigh B Stoller · 7fa21607 · 6aedb67e · 6aedb67e
Commit 6aedb67e authored 4 years ago by Leigh B Stoller
--- a/account/mksyscert.in
+++ b/account/mksyscert.in
 #!/usr/bin/perl -w
 #
-# Copyright (c) 2000-2019 University of Utah and the Flux Group.
+# Copyright (c) 2000-2020 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -87,6 +87,7 @@ my $EMULAB_CERT = "$TB/etc/emulab.pem";
 my $EMULAB_KEY  = "$TB/etc/emulab.key";
 my $OPENSSL     = "/usr/bin/openssl";
 my $WORKDIR     = "$TB/ssl";
+my $RANDFILE    = "./.rnd";
 my $SAVEUID	= $UID;
 my $certfile    = $EMULAB_CERT;
 my $keyfile     = $EMULAB_KEY;
@@ -207,6 +208,22 @@ if (!defined($email)) {
 chdir("$WORKDIR") or
    fatal("Could not chdir to $WORKDIR: $!");

+#
+# Some sillyness to deal with changes to .rnd file handling across
+# versions of openssl.
+#
+if (! -e $RANDFILE) {
+    system("/bin/dd if=/dev/urandom of=${RANDFILE} bs=256 count=4");
+    if ($?) {
+	fatal("Could not generate $RANDFILE");
+    }
+}
+#
+# Older versions of openssl ignore -rand option, but use this environment
+# variable. New versions ignore the environment variable but use -rand.
+#
+$ENV{"RANDFILE"} = $RANDFILE;
+
 #
 # Need an index file, which is the openssl version of the DB.
 #
@@ -295,7 +312,7 @@ if( defined( $oldkeyfile ) ) {
    #
    # Create a client side private key and certificate request.
    #
-    my $genopts =
+    my $genopts = " -rand $RANDFILE " .
 	($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");

    my $output =

--- a/account/mkusercert.in
+++ b/account/mkusercert.in
 #!/usr/bin/perl -wT
 #
-# Copyright (c) 2000-2018 University of Utah and the Flux Group.
+# Copyright (c) 2000-2020 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -64,6 +64,7 @@ my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
 my $CONTROL	= "@USERNODE@";
 my $BOSSNODE	= "@BOSSNODE@";
 my $OU          = "sslxmlrpc";	# orgunit
+my $RANDFILE    = "./.rnd";

 # Locals
 my $USERDIR	= USERROOT();
@@ -252,6 +253,22 @@ chdir("$WORKDIR") or
 TBScriptLock("mkusercert") == 0 or
    fatal("Could not get the lock!");

+#
+# Some sillyness to deal with changes to .rnd file handling across
+# versions of openssl.
+#
+if (! -e $RANDFILE) {
+    system("/bin/dd if=/dev/urandom of=${RANDFILE} bs=256 count=4");
+    if ($?) {
+	fatal("Could not generate $RANDFILE");
+    }
+}
+#
+# Older versions of openssl ignore -rand option, but use this environment
+# variable. New versions ignore the environment variable but use -rand.
+#
+$ENV{"RANDFILE"} = $RANDFILE;
+
 #
 # Create a client side cert. Reuse the original key if are told to,
 # and it actually exists, and the password is valid.
@@ -398,7 +415,7 @@ sub CreateNewCert() {
    # Create a client side private key and certificate request.
    #
    if (!$reusekey) {
-	my $genopts =
+	my $genopts = " -rand $RANDFILE " .
 	    ($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");

 	system("$OPENSSL genrsa $genopts -out usercert_key.pem 2048")
@@ -652,7 +669,7 @@ if ($encrypted) {
    #
    system("$OPENSSL pkcs12 -export -in usercert.pem -des3 ".
 	   "-passin 'pass:${sh_password}' -passout 'pass:${sh_password}' ".
-	   "-out usercert.p12 -rand ./.rnd")
+	   "-out usercert.p12 -rand $RANDFILE")
 	== 0 or fatal("Could not create usercert.p12");

    # Drop the file into the user .ssl directory.