Remove RANDFILE settings from configuration files

OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding
mechanism, which makes it dispensable to define a RANDFILE for
saving and restoring randomness. This commit removes the RANDFILE
declarations from our own configuration files and adds documentation
that this option is not needed anymore and retained mainly for
compatibility reasons.

Fixes #10433

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10436)

.gitignore

@@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod
 /out32dll.dbg
 /inc32
 /MINFO
-/ms/.rnd
 /ms/bcb.mak
 /ms/libeay32.def
 /ms/nt.mak

demos/certs/apps/apps.cnf

@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 
 ####################################################################

demos/certs/ca.cnf

@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca
 

doc/man1/openssl-ca.pod.in

@@ -446,7 +446,8 @@ CA private key. Mandatory.
 =item B<RANDFILE>
 
 At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
 
 =item B<default_days>
 
@@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
  serial         = $dir/serial           # serial no file
  #rand_serial    = yes                  # for random serial#'s
  private_key    = $dir/private/cakey.pem# CA private key
- RANDFILE       = $dir/private/.rand    # random number file
 
  default_days   = 365                   # how long to certify for
  default_crl_days= 30                   # how long before next CRL
@@ -690,7 +690,6 @@ The values below reflect the default values.
  ./demoCA/index.txt             - CA text database file
  ./demoCA/index.txt.old         - CA text database backup file
  ./demoCA/certs                 - certificate output file
- ./demoCA/.rnd                  - CA random seed information
 
 =head1 RESTRICTIONS
 
@@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
 earlier than year 2049 (included), and as GeneralizedTime if the dates
 are in year 2050 or later.
 
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,

doc/man1/openssl-req.pod.in

@@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
 Sample configuration containing all field values:
 
 
- RANDFILE               = $ENV::HOME/.rnd
-
  [ req ]
  default_bits           = 2048
  default_keyfile        = keyfile.pem

doc/man1/openssl-ts.pod.in

@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)
 
 =item B<oid_section>
 
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)
 
 =item B<RANDFILE>
 
-See L<openssl-ca(1)> for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
 
 =item B<serial>
 
@@ -644,6 +652,13 @@ test/testtsa).
 
 =back
 
+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,

doc/man5/config.pod

@@ -416,7 +416,6 @@ mentioned above.
  # This is the default section.
 
  HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
  configdir=$ENV::HOME/config
 
  [ section_one ]

test/CAss.cnf

@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
@@ -43,7 +41,6 @@ certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 x509_extensions	= v3_ca			# The extensions to add to the cert
 

test/CAssdh.cnf

@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DH certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

test/CAssdsa.cnf

@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

test/CAssrsa.cnf

@@ -4,8 +4,6 @@
 #
 # create RSA certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

test/CAtsa.cnf

@@ -3,8 +3,6 @@
 # This config is used by the Time Stamp Authority tests.
 #
 
-RANDFILE		= ./.rnd
-
 # Extra OBJECT IDENTIFIER info:
 oid_section		= new_oids
 
@@ -32,7 +30,6 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_md	= sha256			# which md to use.

test/P1ss.cnf

@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048

test/P2ss.cnf

@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048

test/Sssdsa.cnf

@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - Server
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

test/Sssrsa.cnf

@@ -4,8 +4,6 @@
 #
 # create RSA certs - Server
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name

test/Uss.cnf

@@ -3,7 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
 CN2 = Brother 2
 
 ####################################################################

test/conf_include_test.c

@@ -90,13 +90,6 @@ static int test_load_config(void)
         return 0;
     }
 
-    /* verify whether RANDFILE is set correctly */
-    str = NCONF_get_string(conf, "", "RANDFILE");
-    if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
-        TEST_note("RANDFILE incorrect");
-        return 0;
-    }
-
     /* verify whether CA_default/default_days is set */
     val = 0;
     if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)

test/recipes/25-test_req.t

@@ -19,10 +19,6 @@ plan tests => 13;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
-open RND, ">>", ".rnd";
-print RND "string to make the random number generator think it has randomness";
-close RND;
-
 # What type of key to generate?
 my @req_new;
 if (disabled("rsa")) {

test/recipes/80-test_ssl_old.t

@@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert);
 # -----------
 # subtest functions
 sub testss {
-    open RND, ">>", ".rnd";
-    print RND "string to make the random number generator think it has randomness";
-    close RND;
-
     my @req_dsa = ("-newkey",
                    "dsa:".srctop_file("apps", "dsa1024.pem"));
     my $dsaparams = srctop_file("apps", "dsa1024.pem");

test/recipes/90-test_includes_data/conf-includes/includes1.cnf

@@ -4,8 +4,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -23,7 +21,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL

test/smime-certs/ca.cnf

@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca
 

test/test.cnf

@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -22,7 +20,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL