bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-21 12:01 UTC
[Bug 1701] New: FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Summary: FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
Product: Portable OpenSSH
Version: 5.3p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: jchadima at redhat.com

There is the mandatory call RAND_cleanup() before the exit of the program that uses RAND for the fips-140-2 compliance.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-21 12:05 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

--- Comment #1 from jchadima at redhat.com 2010-01-21 23:05:10 EST ---
Created an attachment (id=1781)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1781)
Patch solving the problem

This is the patch which, when initializing the random device, ensures the call to RAND_cleanup at the exit of the program.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-26 00:37 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Darren Tucker <dtucker at zip.com.au> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |dtucker at zip.com.au

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2010-03-26 11:37:57 EST ---
Is RAND_cleanup() signal-safe? (I suspect not, and if it's not then this potentially opens a signal race vulnerability in sshd, which is the reason why all use of atexit was removed from OpenSSH previously.)
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-06 06:47 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Tomas Mraz <t8m at centrum.cz> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |t8m at centrum.cz

--- Comment #3 from Tomas Mraz <t8m at centrum.cz> 2010-04-06 16:47:25 EST ---
RAND_cleanup() is not signal safe if the rand generator is supplied by an engine which would be released by the call (no other references than the generator). But this is irrelevant anyway, as the functions registered with atexit() are called only in exit() calls and not in the default signal handler termination or in _exit(). If openssh called exit() in a signal handler it would be a security problem anyway, as this is a signal-handler-unsafe call itself.
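The behaviour described in comment #3 can be checked with a small POSIX program. This is an added example, not part of the thread or of either attached patch; `cleanup_hook` is a hypothetical stand-in for RAND_cleanup() and no OpenSSL code is linked.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum how { VIA_EXIT, VIA_UNDERSCORE_EXIT, VIA_SIGNAL };
static int report_fd = -1;
/* Hypothetical stand-in for RAND_cleanup(): only reports that it ran. */
static void cleanup_hook(void) { if (write(report_fd, "C", 1) != 1) _exit(3); }

/* Returns 1 if the child's atexit hook ran, 0 if not, -1 on error. */
int hook_ran(enum how how)
{
    int p[2]; pid_t pid;
    char c; ssize_t n;
    fflush(NULL);             /* avoid duplicated stdio output from exit() */
    if (pipe(p) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(p[0]); close(p[1]);
        return -1;
    }
    if (pid == 0) {
        close(p[0]);
        report_fd = p[1];
        if (atexit(cleanup_hook) != 0)
            _exit(2);
        if (how == VIA_EXIT)
            exit(0);          /* runs atexit handlers */
        if (how == VIA_SIGNAL) {
            signal(SIGTERM, SIG_DFL);
            raise(SIGTERM);   /* default action: terminate, no handlers */
        }
        _exit(0);             /* skips atexit handlers */
    }
    close(p[1]);
    n = read(p[0], &c, 1);    /* EOF (0): child ended without the hook */
    close(p[0]);
    waitpid(pid, NULL, 0);
    return n == 1 ? 1 : (n == 0 ? 0 : -1);
}

int main(void)
{
    printf("exit=%d _exit=%d SIGTERM=%d\n", hook_ran(VIA_EXIT),
           hook_ran(VIA_UNDERSCORE_EXIT), hook_ran(VIA_SIGNAL));
    return 0;
}
```

The hook is therefore reachable from a signal context only if a handler itself calls exit(), which is the case comment #3 calls out as unsafe in its own right.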
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-06 09:35 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

--- Comment #4 from jchadima at redhat.com 2010-04-06 19:35:17 EST ---
Created an attachment (id=1828)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1828)
Alternate patch using cleanup_exit
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-05 15:52 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Petr Cerny [:hrosik] <pcerny at suse.cz> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #1828 mime type |application/octet-stream |text/plain
Attachment #1828 is patch |0 |1
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-05 15:53 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Petr Cerny [:hrosik] <pcerny at suse.cz> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |pcerny at suse.cz
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:30 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Jan F. Chadima <jfch at jagda.eu> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |jfch at jagda.eu