pi-hole
diff --git a/‎.github/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎.github/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/config/password.c‎
Lines changed: 2 additions & 10 deletions b/‎src/config/password.c‎
Lines changed: 2 additions & 10 deletions
diff --git a/‎src/daemon.c‎
Lines changed: 0 additions & 4 deletions b/‎src/daemon.c‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎src/main.c‎
Lines changed: 0 additions & 3 deletions b/‎src/main.c‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎src/webserver/civetweb/mod_mbedtls.inl‎
Lines changed: 17 additions & 3 deletions b/‎src/webserver/civetweb/mod_mbedtls.inl‎
Lines changed: 17 additions & 3 deletions
@@ -1,4 +1,4 @@
-FROM ghcr.io/pi-hole/ftl-build:v2.13
+FROM ghcr.io/pi-hole/ftl-build:v2.15
 
 WORKDIR /app
 
 
@@ -124,16 +124,8 @@ bool get_secure_randomness(uint8_t *buffer, const size_t length)
 		result = getrandom_fallback(buffer, length, 0);
 		if(result < 0 || result < (ssize_t)length)
 		{
-			log_debug(DEBUG_API, "Fallback failed, trying internal DRBG generator");
-			generator = "internal DRBG";
-			result = drbg_random(buffer, length);
-			if(result < 0)
-			{
-				// Warning will be printed by drbg_random()
-				return false;
-			}
-
-			log_debug(DEBUG_API, "Internal DRBG generator successfully used");
+			log_err("Unable to get secure randomness from fallback generator");
+			return false;
 		}
 		else
 			log_debug(DEBUG_API, "Fallback to /dev/urandom successful");
 
@@ -437,10 +437,6 @@ void cleanup(const int ret)
 	log_debug(DEBUG_ANY, "Terminating: Closing memory database");
 	close_memory_database();
 
-	// De-initialize the random number generator and entropy collector
-	log_debug(DEBUG_ANY, "Terminating: Freeing entropy collector");
-	destroy_entropy();
-
 	// Free environment variables
 	log_debug(DEBUG_ANY, "Terminating: Freeing environment variables");
 	freeEnvVars();
 
@@ -64,9 +64,6 @@ int main (int argc, char *argv[])
 	log_info("########## FTL started on %s! ##########", hostname());
 	log_FTL_version(false);
 
-	// Initialize entropy and random number generator
-	init_entropy();
-
 	// Catch signals not handled by dnsmasq
 	// We configure real-time signals later (after dnsmasq has forked)
 	handle_signals();
 
@@ -1,8 +1,10 @@
 #if defined(USE_MBEDTLS) // USE_MBEDTLS used with NO_SSL
 
-#include "mbedtls/ctr_drbg.h"
 #include "mbedtls/debug.h"
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
 #include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#endif
 #include "mbedtls/error.h"
 
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000
@@ -26,8 +28,10 @@ typedef mbedtls_ssl_context SSL;
 typedef struct {
 	mbedtls_ssl_config conf;         /* SSL configuration */
 	mbedtls_x509_crt cert;           /* Certificate */
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
 	mbedtls_ctr_drbg_context ctr;    /* Counter random generator state */
 	mbedtls_entropy_context entropy; /* Entropy context */
+#endif
 	mbedtls_pk_context pkey;         /* Private key */
 } SSL_CTX;
 
@@ -125,7 +129,9 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt, const char *cipherlist)
 	}
 
 	DEBUG_TRACE("%s", "Initializing MbedTLS SSL");
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
 	mbedtls_entropy_init(&ctx->entropy);
+#endif
 
 	conf = &ctx->conf;
 	mbedtls_ssl_config_init(conf);
@@ -152,7 +158,9 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt, const char *cipherlist)
 
 	/* Initialize TLS key and cert */
 	mbedtls_pk_init(&ctx->pkey);
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
 	mbedtls_ctr_drbg_init(&ctx->ctr);
+#endif
 	mbedtls_x509_crt_init(&ctx->cert);
 
 #ifdef MBEDTLS_PSA_CRYPTO_C
@@ -168,6 +176,7 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt, const char *cipherlist)
 	}
 #endif
 
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
 	rc = mbedtls_ctr_drbg_seed(&ctx->ctr,
 	                           mbedtls_entropy_func,
 	                           &ctx->entropy,
@@ -177,8 +186,9 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt, const char *cipherlist)
 		DEBUG_TRACE("TLS random seed failed (%i)", rc);
 		return -1;
 	}
+#endif
 
-#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000 && MBEDTLS_VERSION_NUMBER < 0x04000000
 	// mbedtls_pk_parse_keyfile() has changed in mbedTLS 3.0. You now need
 	// to pass a properly seeded, cryptographically secure RNG when calling
 	// these functions. It is used for blinding, a countermeasure against
@@ -209,7 +219,9 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt, const char *cipherlist)
 		return -1;
 	}
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000 && MBEDTLS_VERSION_NUMBER < 0x04000000
 	mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &ctx->ctr);
+#endif
 
 	/* Set auth mode if peer cert should be verified */
 	mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
@@ -237,10 +249,12 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt, const char *cipherlist)
 void
 mbed_sslctx_uninit(SSL_CTX *ctx)
 {
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
 	mbedtls_ctr_drbg_free(&ctx->ctr);
+	mbedtls_entropy_free(&ctx->entropy);
+#endif
 	mbedtls_pk_free(&ctx->pkey);
 	mbedtls_x509_crt_free(&ctx->cert);
-	mbedtls_entropy_free(&ctx->entropy);
 	mbedtls_ssl_config_free(&ctx->conf);
 }
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM ghcr.io/pi-hole/ftl-build:v2.13`
	`1`	`+FROM ghcr.io/pi-hole/ftl-build:v2.15`
`2`	`2`
`3`	`3`	`WORKDIR /app`
`4`	`4`