
Commit c3333db

Only perform pg_strong_random init when required
The random number generator in OpenSSL 1.1.1 was redesigned to provide fork safety by default, thus removing the need for calling RAND_poll after forking to ensure that two processes cannot share the same state. Since we now support 1.1.0 as the minimum version, and 1.1.0 is being increasingly phased out from production use, only perform the RAND_poll initialization for installations running 1.1.0 by checking the OpenSSL version number.

LibreSSL changed random number generator when forking OpenSSL and has provided fork safety since version 2.0.2.

This removes the overhead of initializing the RNG for strong random for the vast majority of users for whom it is no longer required.

Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://postgr.es/m/CA+hUKGKh7QrYzu=8yWEUJvXtMVm_CNWH1L_TLWCbZMwbi1XP2Q@mail.gmail.com
1 parent a70e01d commit c3333db


1 file changed

+6
-3
lines changed


src/port/pg_strong_random.c

@@ -50,17 +50,20 @@
5050

5151
#ifdef USE_OPENSSL
5252

53+
#include <openssl/opensslv.h>
5354
#include <openssl/rand.h>
5455

5556
void
5657
pg_strong_random_init(void)
5758
{
59+
#if (OPENSSL_VERSION_NUMBER < 0x10101000L)
5860
/*
59-
* Make sure processes do not share OpenSSL randomness state. This is no
60-
* longer required in OpenSSL 1.1.1 and later versions, but until we drop
61-
* support for version < 1.1.1 we need to do this.
61+
* Make sure processes do not share OpenSSL randomness state. This is not
62+
* required on LibreSSL and no longer required in OpenSSL 1.1.1 and later
63+
* versions.
6264
*/
6365
RAND_poll();
66+
#endif
6467
}
6568

6669
bool
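
Review bot: The guard `#if (OPENSSL_VERSION_NUMBER < 0x10101000L)` in pg_strong_random_init() tests only the OpenSSL version macro, while the new comment also states that RAND_poll() is not required on LibreSSL. Nothing in the condition names LibreSSL, so that exclusion holds only if LibreSSL's opensslv.h reports a value at or above 0x10101000L for this macro. Either say so in the comment or make the intent explicit, for example by also testing LIBRESSL_VERSION_NUMBER, so that someone auditing fork safety of the RNG does not have to look up the header to confirm which builds skip the reseed. The comment could also carry the "since version 2.0.2" floor for LibreSSL that the commit message gives, because the `#if` wraps both the comment and the call, leaving an empty function body on builds that skip this block.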
