$HOME/.rnd will never be a good source of entropy. ok beck

23 files changed, 2 insertions, 392 deletions

diff --git a/src/lib/libssl/src/apps/app_rand.c b/src/lib/libssl/src/apps/app_rand.c
deleted file mode 100644
index d6cdd6e01b..0000000000
--- a/src/lib/libssl/src/apps/app_rand.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/* apps/app_rand.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#define NON_MAIN
-#include "apps.h"
-#undef NON_MAIN
-#include <openssl/bio.h>
-#include <openssl/rand.h>
-
-
-static int seeded = 0;
-
-int
-app_RAND_load_file(const char *file, BIO * bio_e, int dont_warn)
-{
-        int consider_randfile = (file == NULL);
-        char buffer[200];
-
-
-        if (file == NULL)
-                file = RAND_file_name(buffer, sizeof buffer);
-        if (file == NULL || !RAND_load_file(file, -1)) {
-                if (RAND_status() == 0) {
-                        if (!dont_warn) {
-                                BIO_printf(bio_e, "unable to load 'random state'\n");
-                                BIO_printf(bio_e, "This means that the random number generator has not been seeded\n");
-                                BIO_printf(bio_e, "with much random data.\n");
-                                if (consider_randfile) {        /* explanation does not
-                                                                 * apply when a file is
-                                                                 * explicitly named */
-                                        BIO_printf(bio_e, "Consider setting the RANDFILE environment variable to point at a file that\n");
-                                        BIO_printf(bio_e, "'random' data can be kept in (the file will be overwritten).\n");
-                                }
-                        }
-                        return 0;
-                }
-        }
-        seeded = 1;
-        return 1;
-}
-
-long
-app_RAND_load_files(char *name)
-{
-        char *p, *n;
-        int last;
-        long tot = 0;
-
-        for (;;) {
-                last = 0;
-                for (p = name;
-                    ((*p != '\0') && (*p != ':')); p++);
-                if (*p == '\0')
-                        last = 1;
-                *p = '\0';
-                n = name;
-                name = p + 1;
-                if (*n == '\0')
-                        break;
-
-                tot += RAND_load_file(n, -1);
-                if (last)
-                        break;
-        }
-        if (tot > 512)
-                app_RAND_allow_write_file();
-        return (tot);
-}
-
-int
-app_RAND_write_file(const char *file, BIO * bio_e)
-{
-        char buffer[200];
-
-        if (!seeded)
-                /*
-                 * If we did not manage to read the seed file, we should not
-                 * write a low-entropy seed file back -- it would suppress a
-                 * crucial warning the next time we want to use it.
-                 */
-                return 0;
-
-        if (file == NULL)
-                file = RAND_file_name(buffer, sizeof buffer);
-        if (file == NULL || !RAND_write_file(file)) {
-                BIO_printf(bio_e, "unable to write 'random state'\n");
-                return 0;
-        }
-        return 1;
-}
-
-void
-app_RAND_allow_write_file(void)
-{
-        seeded = 1;
-}
diff --git a/src/lib/libssl/src/apps/apps.h b/src/lib/libssl/src/apps/apps.h
index 077d766a49..55015024e9 100644
--- a/src/lib/libssl/src/apps/apps.h
+++ b/src/lib/libssl/src/apps/apps.h
@@ -126,14 +126,6 @@
 #endif
 #include <openssl/ossl_typ.h>
 
-int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
-int app_RAND_write_file(const char *file, BIO *bio_e);
-/* When `file' is NULL, use defaults.
- * `bio_e' is for error messages. */
-void app_RAND_allow_write_file(void);
-long app_RAND_load_files(char *file); /* `file' is a list of files to read,
-                                       * separated by ':'. The string is destroyed! */
-
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c
index 1d75018732..c582549b15 100644
--- a/src/lib/libssl/src/apps/ca.c
+++ b/src/lib/libssl/src/apps/ca.c
@@ -311,7 +311,6 @@ ca_main(int argc, char **argv)
 #undef BSIZE
 #define BSIZE 256
         char buf[3][BSIZE];
-        char *randfile = NULL;
 #ifndef OPENSSL_NO_ENGINE
         char *engine = NULL;
 #endif
@@ -598,11 +597,6 @@ ca_main(int argc, char **argv)
                         goto err;
                 }
         }
-        randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
-        if (randfile == NULL)
-                ERR_clear_error();
-        app_RAND_load_file(randfile, bio_err, 0);
-
         f = NCONF_get_string(conf, section, STRING_MASK);
         if (!f)
                 ERR_clear_error();
@@ -1363,7 +1357,6 @@ err:
 
         if (ret)
                 ERR_print_errors(bio_err);
-        app_RAND_write_file(randfile, bio_err);
         if (free_key && key)
                 free(key);
         BN_free(serial);
diff --git a/src/lib/libssl/src/apps/cms.c b/src/lib/libssl/src/apps/cms.c
index d9694a4192..0ece401ce3 100644
--- a/src/lib/libssl/src/apps/cms.c
+++ b/src/lib/libssl/src/apps/cms.c
@@ -128,7 +128,6 @@ cms_main(int argc, char **argv)
         char *CAfile = NULL, *CApath = NULL;
         char *passargin = NULL, *passin = NULL;
         char *inrand = NULL;
-        int need_rand = 0;
         const EVP_MD *sign_md = NULL;
         int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
         int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
@@ -331,7 +330,6 @@ cms_main(int argc, char **argv)
                                 goto argerr;
                         args++;
                         inrand = *args;
-                        need_rand = 1;
                 }
 #ifndef OPENSSL_NO_ENGINE
                 else if (!strcmp(*args, "-engine")) {
@@ -489,7 +487,6 @@ cms_main(int argc, char **argv)
                 }
                 signerfile = NULL;
                 keyfile = NULL;
-                need_rand = 1;
         } else if (operation == SMIME_DECRYPT) {
                 if (!recipfile && !keyfile && !secret_key && !pwri_pass) {
                         BIO_printf(bio_err, "No recipient certificate or key specified\n");
@@ -500,7 +497,6 @@ cms_main(int argc, char **argv)
                         BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
                         badarg = 1;
                 }
-                need_rand = 1;
         } else if (!operation)
                 badarg = 1;
 
@@ -578,12 +574,6 @@ argerr:
                 BIO_printf(bio_err, "Error getting password\n");
                 goto end;
         }
-        if (need_rand) {
-                app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-                if (inrand != NULL)
-                        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                            app_RAND_load_files(inrand));
-        }
         ret = 2;
 
         if (!(operation & SMIME_SIGNERS))
@@ -979,8 +969,6 @@ argerr:
 end:
         if (ret)
                 ERR_print_errors(bio_err);
-        if (need_rand)
-                app_RAND_write_file(NULL, bio_err);
         sk_X509_pop_free(encerts, X509_free);
         sk_X509_pop_free(other, X509_free);
         if (vpm)
diff --git a/src/lib/libssl/src/apps/dgst.c b/src/lib/libssl/src/apps/dgst.c
index 09105399ff..e4741855dc 100644
--- a/src/lib/libssl/src/apps/dgst.c
+++ b/src/lib/libssl/src/apps/dgst.c
@@ -292,8 +292,6 @@ dgst_main(int argc, char **argv)
                 else
                         out_bin = 0;
         }
-        if (randfile)
-                app_RAND_load_file(randfile, bio_err, 0);
 
         if (outfile) {
                 if (out_bin)
diff --git a/src/lib/libssl/src/apps/dhparam.c b/src/lib/libssl/src/apps/dhparam.c
index 7679a891fd..8ca71f5e5d 100644
--- a/src/lib/libssl/src/apps/dhparam.c
+++ b/src/lib/libssl/src/apps/dhparam.c
@@ -283,13 +283,6 @@ bad:
 
                 BN_GENCB cb;
                 BN_GENCB_set(&cb, dh_cb, bio_err);
-                if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
-                        BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n");
-                }
-                if (inrand != NULL)
-                        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                            app_RAND_load_files(inrand));
-
 #ifndef OPENSSL_NO_DSA
                 if (dsaparam) {
                         DSA *dsa = DSA_new();
@@ -319,8 +312,6 @@ bad:
                                 goto end;
                         }
                 }
-
-                app_RAND_write_file(NULL, bio_err);
         } else {
 
                 in = BIO_new(BIO_s_file());
diff --git a/src/lib/libssl/src/apps/dsaparam.c b/src/lib/libssl/src/apps/dsaparam.c
index 4b4f98fec6..af34b24f8b 100644
--- a/src/lib/libssl/src/apps/dsaparam.c
+++ b/src/lib/libssl/src/apps/dsaparam.c
@@ -117,7 +117,6 @@ dsaparam_main(int argc, char **argv)
         int informat, outformat, noout = 0, C = 0, ret = 1;
         char *infile, *outfile, *prog, *inrand = NULL;
         int numbits = -1, num, genkey = 0;
-        int need_rand = 0;
 #ifndef OPENSSL_NO_ENGINE
         char *engine = NULL;
 #endif
@@ -180,18 +179,15 @@ dsaparam_main(int argc, char **argv)
                         C = 1;
                 else if (strcmp(*argv, "-genkey") == 0) {
                         genkey = 1;
-                        need_rand = 1;
                 } else if (strcmp(*argv, "-rand") == 0) {
                         if (--argc < 1)
                                 goto bad;
                         inrand = *(++argv);
-                        need_rand = 1;
                 } else if (strcmp(*argv, "-noout") == 0)
                         noout = 1;
                 else if (sscanf(*argv, "%d", &num) == 1) {
                         /* generate a key */
                         numbits = num;
-                        need_rand = 1;
                 } else {
                         BIO_printf(bio_err, "unknown option %s\n", *argv);
                         badops = 1;
@@ -252,16 +248,9 @@ bad:
         setup_engine(bio_err, engine, 0);
 #endif
 
-        if (need_rand) {
-                app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-                if (inrand != NULL)
-                        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                            app_RAND_load_files(inrand));
-        }
         if (numbits > 0) {
                 BN_GENCB cb;
                 BN_GENCB_set(&cb, dsa_cb, bio_err);
-                assert(need_rand);
                 dsa = DSA_new();
                 if (!dsa) {
                         BIO_printf(bio_err, "Error allocating DSA object\n");
@@ -381,7 +370,6 @@ bad:
         if (genkey) {
                 DSA *dsakey;
 
-                assert(need_rand);
                 if ((dsakey = DSAparams_dup(dsa)) == NULL)
                         goto end;
                 if (!DSA_generate_key(dsakey)) {
@@ -400,8 +388,6 @@ bad:
                 }
                 DSA_free(dsakey);
         }
-        if (need_rand)
-                app_RAND_write_file(NULL, bio_err);
         ret = 0;
 
 end:
diff --git a/src/lib/libssl/src/apps/ecparam.c b/src/lib/libssl/src/apps/ecparam.c
index fee53257a9..6d97aa5576 100644
--- a/src/lib/libssl/src/apps/ecparam.c
+++ b/src/lib/libssl/src/apps/ecparam.c
@@ -124,7 +124,7 @@ ecparam_main(int argc, char **argv)
         int new_asn1_flag = 0;
         char *curve_name = NULL, *inrand = NULL;
         int list_curves = 0, no_seed = 0, check = 0, badops = 0, text = 0,
-         i, need_rand = 0, genkey = 0;
+         i, genkey = 0;
         char *infile = NULL, *outfile = NULL, *prog;
         BIO *in = NULL, *out = NULL;
         int informat, outformat, noout = 0, C = 0, ret = 1;
@@ -208,12 +208,10 @@ ecparam_main(int argc, char **argv)
                         noout = 1;
                 else if (strcmp(*argv, "-genkey") == 0) {
                         genkey = 1;
-                        need_rand = 1;
                 } else if (strcmp(*argv, "-rand") == 0) {
                         if (--argc < 1)
                                 goto bad;
                         inrand = *(++argv);
-                        need_rand = 1;
                 } else if (strcmp(*argv, "-engine") == 0) {
                         if (--argc < 1)
                                 goto bad;
@@ -551,20 +549,12 @@ bad:
                         goto end;
                 }
         }
-        if (need_rand) {
-                app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-                if (inrand != NULL)
-                        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                            app_RAND_load_files(inrand));
-        }
         if (genkey) {
                 EC_KEY *eckey = EC_KEY_new();
 
                 if (eckey == NULL)
                         goto end;
 
-                assert(need_rand);
-
                 if (EC_KEY_set_group(eckey, group) == 0)
                         goto end;
 
@@ -585,10 +575,6 @@ bad:
                 }
                 EC_KEY_free(eckey);
         }
-        if (need_rand)
-                app_RAND_write_file(NULL, bio_err);
-
-        ret = 0;
 end:
         if (ec_p)
                 BN_free(ec_p);
diff --git a/src/lib/libssl/src/apps/gendh.c b/src/lib/libssl/src/apps/gendh.c
index 925b6e4120..c09e5923a5 100644
--- a/src/lib/libssl/src/apps/gendh.c
+++ b/src/lib/libssl/src/apps/gendh.c
@@ -176,21 +176,12 @@ bad:
                 }
         }
 
-        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
-                BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n");
-        }
-        if (inrand != NULL)
-                BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                    app_RAND_load_files(inrand));
-
         BIO_printf(bio_err, "Generating DH parameters, %d bit long safe prime, generator %d\n", num, g);
         BIO_printf(bio_err, "This is going to take a long time\n");
 
         if (((dh = DH_new()) == NULL) || !DH_generate_parameters_ex(dh, num, g, &cb))
                 goto end;
 
-        app_RAND_write_file(NULL, bio_err);
-
         if (!PEM_write_bio_DHparams(out, dh))
                 goto end;
         ret = 0;
diff --git a/src/lib/libssl/src/apps/gendsa.c b/src/lib/libssl/src/apps/gendsa.c
index 9bfeb4c16b..bcc11a2e62 100644
--- a/src/lib/libssl/src/apps/gendsa.c
+++ b/src/lib/libssl/src/apps/gendsa.c
@@ -228,20 +228,11 @@ bad:
                 }
         }
 
-        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
-                BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n");
-        }
-        if (inrand != NULL)
-                BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                    app_RAND_load_files(inrand));
-
         BIO_printf(bio_err, "Generating DSA key, %d bits\n",
             BN_num_bits(dsa->p));
         if (!DSA_generate_key(dsa))
                 goto end;
 
-        app_RAND_write_file(NULL, bio_err);
-
         if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
                 goto end;
         ret = 0;
diff --git a/src/lib/libssl/src/apps/genrsa.c b/src/lib/libssl/src/apps/genrsa.c
index fb879acad5..5b5fbc6fa9 100644
--- a/src/lib/libssl/src/apps/genrsa.c
+++ b/src/lib/libssl/src/apps/genrsa.c
@@ -237,14 +237,6 @@ bad:
                 }
         }
 
-        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL &&
-            !RAND_status()) {
-                BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n");
-        }
-        if (inrand != NULL)
-                BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                    app_RAND_load_files(inrand));
-
         BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
             num);
 #ifdef OPENSSL_NO_ENGINE
@@ -258,8 +250,6 @@ bad:
         if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
                 goto err;
 
-        app_RAND_write_file(NULL, bio_err);
-
         /*
          * We need to do the following for when the base number size is <
          * long, esp windows 3.1 :-(.
diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c
index fc61be467b..933fded99a 100644
--- a/src/lib/libssl/src/apps/pkcs12.c
+++ b/src/lib/libssl/src/apps/pkcs12.c
@@ -410,12 +410,6 @@ pkcs12_main(int argc, char **argv)
                 mpass = macpass;
         }
 
-        if (export_cert || inrand) {
-                app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-                if (inrand != NULL)
-                        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                            app_RAND_load_files(inrand));
-        }
         ERR_load_crypto_strings();
 
 #ifdef CRYPTO_MDEBUG
@@ -705,8 +699,6 @@ export_end:
 end:
         if (p12)
                 PKCS12_free(p12);
-        if (export_cert || inrand)
-                app_RAND_write_file(NULL, bio_err);
 #ifdef CRYPTO_MDEBUG
         CRYPTO_remove_all_info();
 #endif
diff --git a/src/lib/libssl/src/apps/pkcs8.c b/src/lib/libssl/src/apps/pkcs8.c
index a0f0ef9b57..eb36946d48 100644
--- a/src/lib/libssl/src/apps/pkcs8.c
+++ b/src/lib/libssl/src/apps/pkcs8.c
@@ -261,7 +261,6 @@ bad:
                                 if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
                                         goto end;
                         }
-                        app_RAND_load_file(NULL, bio_err, 0);
                         if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
                                     p8pass, strlen(p8pass),
                                     NULL, 0, iter, p8inf))) {
@@ -269,7 +268,6 @@ bad:
                                 ERR_print_errors(bio_err);
                                 goto end;
                         }
-                        app_RAND_write_file(NULL, bio_err);
                         if (outformat == FORMAT_PEM)
                                 PEM_write_bio_PKCS8(out, p8);
                         else if (outformat == FORMAT_ASN1)
diff --git a/src/lib/libssl/src/apps/pkeyutl.c b/src/lib/libssl/src/apps/pkeyutl.c
index 622034292a..64ccd142ce 100644
--- a/src/lib/libssl/src/apps/pkeyutl.c
+++ b/src/lib/libssl/src/apps/pkeyutl.c
@@ -229,8 +229,6 @@ pkeyutl_main(int argc, char **argv)
                 BIO_puts(bio_err, "No signature file specified for verify\n");
                 goto end;
         }
-/* FIXME: seed PRNG only if needed */
-        app_RAND_load_file(NULL, bio_err, 0);
 
         if (pkey_op != EVP_PKEY_OP_DERIVE) {
                 if (infile) {
diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c
index 96d2b4e26c..fa8a65a267 100644
--- a/src/lib/libssl/src/apps/rand.c
+++ b/src/lib/libssl/src/apps/rand.c
@@ -162,11 +162,6 @@ rand_main(int argc, char **argv)
         setup_engine(bio_err, engine, 0);
 #endif
 
-        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-        if (inrand != NULL)
-                BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                    app_RAND_load_files(inrand));
-
         out = BIO_new(BIO_s_file());
         if (out == NULL)
                 goto err;
@@ -206,7 +201,6 @@ rand_main(int argc, char **argv)
                 BIO_puts(out, "\n");
         (void) BIO_flush(out);
 
-        app_RAND_write_file(NULL, bio_err);
         ret = 0;
 
 err:
diff --git a/src/lib/libssl/src/apps/req.c b/src/lib/libssl/src/apps/req.c
index 11ee3d2fea..6f46e82ecd 100644
--- a/src/lib/libssl/src/apps/req.c
+++ b/src/lib/libssl/src/apps/req.c
@@ -549,21 +549,9 @@ bad:
                          * message
                          */
                         goto end;
-                } else {
-                        char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
-                        if (randfile == NULL)
-                                ERR_clear_error();
-                        app_RAND_load_file(randfile, bio_err, 0);
                 }
         }
         if (newreq && (pkey == NULL)) {
-                char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
-                if (randfile == NULL)
-                        ERR_clear_error();
-                app_RAND_load_file(randfile, bio_err, 0);
-                if (inrand)
-                        app_RAND_load_files(inrand);
-
                 if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
                         newkey = DEFAULT_KEY_LENGTH;
                 }
@@ -610,8 +598,6 @@ bad:
                 EVP_PKEY_CTX_free(genctx);
                 genctx = NULL;
 
-                app_RAND_write_file(randfile, bio_err);
-
                 if (keyout == NULL) {
                         keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
                         if (keyout == NULL)
diff --git a/src/lib/libssl/src/apps/rsautl.c b/src/lib/libssl/src/apps/rsautl.c
index 8848a4ac4b..dab8d6f6e3 100644
--- a/src/lib/libssl/src/apps/rsautl.c
+++ b/src/lib/libssl/src/apps/rsautl.c
@@ -200,8 +200,6 @@ rsautl_main(int argc, char **argv)
                 BIO_printf(bio_err, "Error getting password\n");
                 goto end;
         }
-/* FIXME: seed PRNG only if needed */
-        app_RAND_load_file(NULL, bio_err, 0);
 
         switch (key_type) {
         case KEY_PRIVKEY:
diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c
index cbdba2ae52..8c71d6b6ae 100644
--- a/src/lib/libssl/src/apps/s_client.c
+++ b/src/lib/libssl/src/apps/s_client.c
@@ -999,14 +999,6 @@ bad:
                         goto end;
                 }
         }
-        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
-            && !RAND_status()) {
-                BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n");
-        }
-        if (inrand != NULL)
-                BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                    app_RAND_load_files(inrand));
-
         if (bio_c_out == NULL) {
                 if (c_quiet && !c_debug && !c_msg) {
                         bio_c_out = BIO_new(BIO_s_null());
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index a84b822538..3dd22e6b7a 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -1227,14 +1227,6 @@ bad:
                         goto end;
                 }
         }
-        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
-            && !RAND_status()) {
-                BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n");
-        }
-        if (inrand != NULL)
-                BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                    app_RAND_load_files(inrand));
-
         if (bio_s_out == NULL) {
                 if (s_quiet && !s_debug && !s_msg) {
                         bio_s_out = BIO_new(BIO_s_null());
diff --git a/src/lib/libssl/src/apps/smime.c b/src/lib/libssl/src/apps/smime.c
index 4c0e32ccba..1b4a8aa9c2 100644
--- a/src/lib/libssl/src/apps/smime.c
+++ b/src/lib/libssl/src/apps/smime.c
@@ -107,7 +107,6 @@ smime_main(int argc, char **argv)
         char *CAfile = NULL, *CApath = NULL;
         char *passargin = NULL, *passin = NULL;
         char *inrand = NULL;
-        int need_rand = 0;
         int indef = 0;
         const EVP_MD *sign_md = NULL;
         int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
@@ -212,7 +211,6 @@ smime_main(int argc, char **argv)
                                 goto argerr;
                         args++;
                         inrand = *args;
-                        need_rand = 1;
                 }
 #ifndef OPENSSL_NO_ENGINE
                 else if (!strcmp(*args, "-engine")) {
@@ -354,7 +352,6 @@ smime_main(int argc, char **argv)
                 }
                 signerfile = NULL;
                 keyfile = NULL;
-                need_rand = 1;
         } else if (operation == SMIME_DECRYPT) {
                 if (!recipfile && !keyfile) {
                         BIO_printf(bio_err, "No recipient certificate or key specified\n");
@@ -365,7 +362,6 @@ smime_main(int argc, char **argv)
                         BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
                         badarg = 1;
                 }
-                need_rand = 1;
         } else if (!operation)
                 badarg = 1;
 
@@ -441,12 +437,6 @@ argerr:
                 BIO_printf(bio_err, "Error getting password\n");
                 goto end;
         }
-        if (need_rand) {
-                app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-                if (inrand != NULL)
-                        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                            app_RAND_load_files(inrand));
-        }
         ret = 2;
 
         if (!(operation & SMIME_SIGNERS))
@@ -670,8 +660,6 @@ argerr:
         }
         ret = 0;
 end:
-        if (need_rand)
-                app_RAND_write_file(NULL, bio_err);
         if (ret)
                 ERR_print_errors(bio_err);
         sk_X509_pop_free(encerts, X509_free);
diff --git a/src/lib/libssl/src/apps/srp.c b/src/lib/libssl/src/apps/srp.c
index bdd3017251..9c3dcdb1d6 100644
--- a/src/lib/libssl/src/apps/srp.c
+++ b/src/lib/libssl/src/apps/srp.c
@@ -283,7 +283,6 @@ srp_main(int argc, char **argv)
         char **pp;
         int i;
         long errorline = -1;
-        char *randfile = NULL;
 #ifndef OPENSSL_NO_ENGINE
         char *engine = NULL;
 #endif
@@ -446,9 +445,6 @@ srp_main(int argc, char **argv)
                                 goto err;
                         }
                 }
-                if (randfile == NULL && conf)
-                        randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
-
 
                 VERBOSE BIO_printf(bio_err, "trying to read " ENV_DATABASE " in section \"%s\"\n", section);
 
@@ -457,10 +453,7 @@ srp_main(int argc, char **argv)
                         goto err;
                 }
         }
-        if (randfile == NULL)
-                ERR_clear_error();
-        else
-                app_RAND_load_file(randfile, bio_err, 0);
+        ERR_clear_error();
 
         VERBOSE BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n", dbfile);
 
@@ -661,8 +654,6 @@ err:
                 free(tofree);
         if (ret)
                 ERR_print_errors(bio_err);
-        if (randfile)
-                app_RAND_write_file(randfile, bio_err);
         if (conf)
                 NCONF_free(conf);
         if (db)
diff --git a/src/lib/libssl/src/apps/ts.c b/src/lib/libssl/src/apps/ts.c
index 24e34894fd..c271bdb226 100644
--- a/src/lib/libssl/src/apps/ts.c
+++ b/src/lib/libssl/src/apps/ts.c
@@ -262,15 +262,6 @@ ts_main(int argc, char **argv)
                         goto usage;
         }
 
-        /* Seed the random number generator if it is going to be used. */
-        if (mode == CMD_QUERY && !no_nonce) {
-                if (!app_RAND_load_file(NULL, bio_err, 1) && rnd == NULL)
-                        BIO_printf(bio_err, "warning, not much extra random "
-                            "data, consider using the -rand option\n");
-                if (rnd != NULL)
-                        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                            app_RAND_load_files(rnd));
-        }
         /* Get the password if required. */
         if (mode == CMD_REPLY && passin &&
             !app_passwd(bio_err, passin, NULL, &password, NULL)) {
@@ -350,7 +341,6 @@ usage:
             "-untrusted cert_file.pem\n");
 cleanup:
         /* Clean up. */
-        app_RAND_write_file(NULL, bio_err);
         NCONF_free(conf);
         free(password);
         OBJ_cleanup();
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index 84ca493a89..5841a1b80d 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -205,7 +205,6 @@ x509_main(int argc, char **argv)
         const EVP_MD *md_alg, *digest = NULL;
         CONF *extconf = NULL;
         char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
-        int need_rand = 0;
         int checkend = 0, checkoffset = 0;
         unsigned long nmflag = 0, certflag = 0;
 #ifndef OPENSSL_NO_ENGINE
@@ -252,7 +251,6 @@ x509_main(int argc, char **argv)
                         keyformat = str2fmt(*(++argv));
                 } else if (strcmp(*argv, "-req") == 0) {
                         reqfile = 1;
-                        need_rand = 1;
                 } else if (strcmp(*argv, "-CAform") == 0) {
                         if (--argc < 1)
                                 goto bad;
@@ -301,13 +299,11 @@ x509_main(int argc, char **argv)
                                 goto bad;
                         keyfile = *(++argv);
                         sign_flag = ++num;
-                        need_rand = 1;
                 } else if (strcmp(*argv, "-CA") == 0) {
                         if (--argc < 1)
                                 goto bad;
                         CAfile = *(++argv);
                         CA_flag = ++num;
-                        need_rand = 1;
                 } else if (strcmp(*argv, "-CAkey") == 0) {
                         if (--argc < 1)
                                 goto bad;
@@ -464,9 +460,6 @@ bad:
         e = setup_engine(bio_err, engine, 0);
 #endif
 
-        if (need_rand)
-                app_RAND_load_file(NULL, bio_err, 0);
-
         ERR_load_crypto_strings();
 
         if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
@@ -844,7 +837,6 @@ bad:
                                         if (Upkey == NULL)
                                                 goto end;
                                 }
-                                assert(need_rand);
                                 if (!sign(x, Upkey, days, clrext, digest,
                                         extconf, extsect))
                                         goto end;
@@ -858,7 +850,6 @@ bad:
                                         if (CApkey == NULL)
                                                 goto end;
                                 }
-                                assert(need_rand);
                                 if (!x509_certify(ctx, CAfile, digest, x, xca,
                                         CApkey, sigopts,
                                         CAserial, CA_createserial, days, clrext,
@@ -941,8 +932,6 @@ bad:
         }
         ret = 0;
 end:
-        if (need_rand)
-                app_RAND_write_file(NULL, bio_err);
         OBJ_cleanup();
         NCONF_free(extconf);
         BIO_free_all(out);