bugzilla-daemon at mindrot.org
2005-Feb-16 00:24 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #760| |ok?
Flag| |
------- Additional Comments From djm at mindrot.org 2005-02-16 11:24 -------
(From update of attachment 760)
I'd like this patch to go in for the next release.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 01:32 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From dtucker at zip.com.au 2005-02-16 12:32 ------- Created an attachment (id=827) --> (http://bugzilla.mindrot.org/attachment.cgi?id=827&action=view) add a dummy seed_rng to placate HP-UX's linker Since the patch uses strlcpy the linker now must pull in libopenbsd-compat for ssh-rand-helper for platforms that don't have it natively. Unfortunately, it appears that the HP-UX linker wants to resolve all of the external symbols even if they're only used in functions not ultimately used in the binary, and blows up thusly: gcc -o ssh-rand-helper ssh-rand-helper.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lcrypto -lz -lnsl -lxnet -lsec /usr/ccs/bin/ld: Unsatisfied symbols: seed_rng (first referenced in openbsd-compat//libopenbsd-compat.a(bsd-arc4random.o)) (code) The attached patch adds a dummy seed_rng. With this patch and #760 it builds OK. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 01:35 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #760| |ok+
Flag| |
------- Additional Comments From dtucker at zip.com.au 2005-02-16 12:35 -------
(From update of attachment 760)
OK, subject to comment #10.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 01:37 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From djm at mindrot.org 2005-02-16 12:37 ------- (From update of attachment 827) Instead of doing nothing, could you make it spectacularly fprintf(stderr) and exit(1)? If ssh-rand-helper ever somehow starts using arc4random, then it would do so with an unseeded RC4... Otherwise OK ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 01:38 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From dtucker at zip.com.au 2005-02-16 12:38 ------- (From update of attachment 827)> arc4random calls seed_rng so we need a dummy seed_rng.Should also mention it's specifically the arc4random in libopenbsd-compat. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 02:03 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From djm at mindrot.org 2005-02-16 13:03 ------- Yes, that is a good idea. BTW the mkstemp+rename thing is in now, so please commit your linker fix soon. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 02:08 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From dtucker at zip.com.au 2005-02-16 13:08 ------- (In reply to comment #12)> (From update of attachment 827 [edit]) > Instead of doing nothing, could you make it spectacularly fprintf(stderr) and > exit(1)? If ssh-rand-helper ever somehow starts using arc4random, then it > would do so with an unseeded RC4...Unfortunately, it doesn't seem to be that simple. seed_rng() *does* get called right after all the processing but immediately before the output is written (although I don't understand why). If you believe gdb it's called by OpenSSL's CRYPTO_free() but that seems pretty wacky. I put a debug in seed_rng and set a breakpoint on it: #0 seed_rng () at ../../ssh-rand-helper.c:901 #1 0x0000f78c in CRYPTO_free () #2 0x000079d8 in _gettemp ( path=0x7f7e0ec8 "/home/dtucker/.ssh/prng_seed.XXXXX13501", doopen=0x7f7e1348, domkdir=0, slen=0) at ../../../openbsd-compat/mktemp.c:105 #3 0x00007b70 in mkstemp ( path=0x2a10980 <Error reading address 0x2a10980: Bad address>) at ../../../openbsd-compat/mktemp.c:61 #4 0x00005d40 in prng_write_seedfile () at ../../ssh-rand-helper.c:585 #5 0x000067d8 in main (argc=2, argv=0x7f7e0500) at ../../ssh-rand-helper.c:866 Hey, gettemp() *does* call arc4random(), which calls seed_rng() so it looks like I was wrong in blaming the linker. Checking RAND_status() seems to be the right thing to do. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 02:16 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #827 is|0 |1
obsolete| |
------- Additional Comments From dtucker at zip.com.au 2005-02-16 13:16 -------
Created an attachment (id=828)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=828&action=view)
provide seed_rng() and document why it's needed
Here's a better patch for seed_rng which I'll commit shortly.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 20:49 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From stephen.berliner at ngc.com 2005-02-17 07:49 ------- (In reply to comment #16)> Created an attachment (id=828)--> (http://bugzilla.mindrot.org/attachment.cgi?id=828&action=view) [edit]> provide seed_rng() and document why it's needed > Here's a better patch for seed_rng which I'll commit shortly.OK. Should I be recompiling a patched versin of ssh-rand-helper. Or am I waiting to see a patched seed_rng. BTW thanks for all of your efforts. I will be passing on all this information to our SA's and Management for review because we should be pathch upgrading our version of ssh when appropriate and I think that may be an issue in this problem. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-16 22:25 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From dtucker at zip.com.au 2005-02-17 09:25 ------- If you want to use the patches you need only apply #760 and the result should build OK on Solaris 8. (If it doesn't, just apply #828 on top). This may or may not help in your situation. For a real fix, apply Sun patch 112438-03 or install prngd. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-23 11:11 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From dtucker at zip.com.au 2005-02-23 22:11 -------
This is as fixed as we can make it, as mentioned previously the real fix is to
install the Solaris /dev/random patch or prngd.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Feb-23 14:32 UTC
[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968 ------- Additional Comments From stephen.berliner at ngc.com 2005-02-24 01:32 ------- (In reply to comment #19)> This is as fixed as we can make it, as mentioned previously the real fix isto> install the Solaris /dev/random patch or prngd.Thank You. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
Apparently Analagous Threads
- [Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
- [PATCH] openssl-compat: Test for OpenSSL_add_all_algorithms before using.
- [Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
- OpenSSH 3.4p1 "PRNG is not seeded"
- FIPS 140-2 OpenSSL(2007) patches