From f267dd0a8da280d2a803b61c9a309fe51d60d95a Mon Sep 17 00:00:00 2001
From: Max Romanov
Date: Wed, 24 Mar 2021 11:43:31 +0300
Subject: [PATCH] Workaround for an OpenSSL bug about not closing /dev/*random.

This is a workaround for an issue in OpenSSL 1.1.1, where the /dev/random and /dev/urandom files remain open after all listening sockets were removed:
- https://github.com/openssl/openssl/issues/7419
---
 src/nxt_openssl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 3c0212f7..835ca8b2 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -8,6 +8,7 @@
 #include
 #include
 #include
+#include
 
 
 typedef struct {
@@ -355,6 +356,11 @@ fail:
 
 SSL_CTX_free(ctx);
 
+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
+ && OPENSSL_VERSION_NUMBER < 0x1010101fL)
+ RAND_keep_random_devices_open(0);
+#endif
+
 return NXT_ERROR;
 }
 
@@ -442,6 +448,11 @@ static void
 nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf)
 {
 SSL_CTX_free(conf->ctx);
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
+ && OPENSSL_VERSION_NUMBER < 0x1010101fL)
+ RAND_keep_random_devices_open(0);
+#endif
 }
 
 
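Review bot: The version-guarded `RAND_keep_random_devices_open(0)` calls in the `fail:` path of the second hunk and in `nxt_openssl_server_free` in the third carry no comment, so the narrow range between 0x1010100fL and 0x1010101fL reads as arbitrary to anyone who does not dig up this commit; I would add `/* OpenSSL 1.1.1 keeps /dev/random and /dev/urandom open until RAND_keep_random_devices_open(0) is called; see openssl/openssl#7419. */` above each block, or better move the guard and call into one static helper that both sites call so the range is maintained in a single place. The call returns an int that both sites discard; in a cleanup path that is presumably acceptable, but the comment should state that the result is deliberately ignored. `OPENSSL_VERSION_NUMBER` is a header constant, so the guard reflects the build-time version rather than the library loaded at run time; whether that matters depends on how the project links OpenSSL, which the hunk does not show. The function containing the `fail:` label begins outside the second hunk.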