Rename fdOpen to seedFdOpen to avoid potential conflicts.

Gate keeping the seed FD open behind WOLFSSL_KEEP_RNG_SEED_FD_OPEN and only enable by default for HAProxy. It is causing issues on OS X and may cause issues on other OSes, and is generally a major behavior change.
2026-01-27 04:02:18 +01:00 · 2025-12-18 15:55:35 -07:00
parent 755097d512
commit b0b840aa0f
3 changed files with 21 additions and 14 deletions
--- a/configure.ac
+++ b/configure.ac
@@ -7835,7 +7835,7 @@ fi
 if test "$ENABLED_HAPROXY" = "yes"
 then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAPROXY -DOPENSSL_COMPATIBLE_DEFAULTS"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT -DWOLFSSL_KEEP_RNG_SEED_FD_OPEN"
    # --enable-all defines its own DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS
    if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS"
    then
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -894,8 +894,8 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
    }
 #endif

-#ifndef USE_WINDOWS_API
-    if (!rng->seed.fdOpen)
+#if defined(WOLFSSL_KEEP_RNG_SEED_FD_OPEN) && !defined(USE_WINDOWS_API)
+    if (!rng->seed.seedFdOpen)
        rng->seed.fd = -1;
 #endif

@@ -1378,11 +1378,12 @@ int wc_FreeRng(WC_RNG* rng)
        ret = WC_HW_E;
 #endif

-#ifdef XCLOSE
-    if(rng->seed.fdOpen && rng->seed.fd != -1) {
+#if defined(WOLFSSL_KEEP_RNG_SEED_FD_OPEN) && defined(XCLOSE) && \
+    !defined(USE_WINDOWS_API)
+    if(rng->seed.seedFdOpen && rng->seed.fd != -1) {
        XCLOSE(rng->seed.fd);
        rng->seed.fd = -1;
-        rng->seed.fdOpen = 0;
+        rng->seed.seedFdOpen = 0;
    }
 #endif

@@ -3566,7 +3567,10 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)

 #ifndef NO_FILESYSTEM
    #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
-        if (!os->fdOpen && os->fd == -1) {
+        #ifdef WOLFSSL_KEEP_RNG_SEED_FD_OPEN
+        if (os->fd == -1 && !os->seedFdOpen)
+        #endif
+        {
            os->fd = open("/dev/urandom", O_RDONLY);
            #if defined(DEBUG_WOLFSSL)
                WOLFSSL_MSG("opened /dev/urandom.");
@@ -3581,13 +3585,11 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
        #endif
                if (os->fd == -1)
                    return OPEN_RAN_E;
-                else
-                    os->fdOpen = 1;
-            }
-            else
-            {
-                os->fdOpen = 1;
            }
+        #ifdef WOLFSSL_KEEP_RNG_SEED_FD_OPEN
+            if (os->fd != -1)
+                os->seedFdOpen = 1;
+        #endif
        }
    #if defined(DEBUG_WOLFSSL)
        WOLFSSL_MSG("rnd read...");
@@ -3611,6 +3613,9 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    #endif
            }
        }
+    #ifndef WOLFSSL_KEEP_RNG_SEED_FD_OPEN
+        close(os->fd);
+    #endif
 #else
        (void)output;
        (void)sz;
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@@ -156,7 +156,9 @@ struct OS_Seed {
        ProviderHandle handle;
    #else
        int fd;
-        byte fdOpen:1;
+    #if defined(WOLFSSL_KEEP_RNG_SEED_FD_OPEN)
+        byte seedFdOpen:1;
+    #endif
    #endif
    #if defined(WOLF_CRYPTO_CB)
        int devId;