bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-21 12:01 UTC
[Bug 1701] New: FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Summary: FIPS-140-2 requires call to RAND_cleanup() before the
program using RAND exits
Product: Portable OpenSSH
Version: 5.3p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: jchadima at redhat.com
There is the mandatory call RAND_cleanup() before the exit of the
program that uses RAND for the fips-140-2 compliance.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-21 12:05 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701 --- Comment #1 from jchadima at redhat.com 2010-01-21 23:05:10 EST --- Created an attachment (id=1781) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1781) Patch solving the problem This is the patch which initilaizing the random device, ensure the call to RAND_cleanup at the exit of the program. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-26 00:37 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2010-03-26
11:37:57 EST ---
Is RAND_cleanup() signal-safe? (I suspect not, and if it's not then
this potentially opens a signal race vulnerability in sshd, which is
the reason why all use of atexit was removed from OpenSSH previously.)
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-06 06:47 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Tomas Mraz <t8m at centrum.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |t8m at centrum.cz
--- Comment #3 from Tomas Mraz <t8m at centrum.cz> 2010-04-06 16:47:25 EST
---
RAND_cleanup() is not signal safe if the rand generator is supplied by
an engine which would be released by the call (no other references than
the generator). But this is irrelevant anyway as the functions
registered with atexit() are called only in exit() calls and not in the
default signal handler termination or in _exit().
If openssh called exit() in signal handler it would be a security
problem anyway as this is signal handler unsafe call itself.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-06 09:35 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701 --- Comment #4 from jchadima at redhat.com 2010-04-06 19:35:17 EST --- Created an attachment (id=1828) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1828) Alternate patch using cleanup_exit -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-05 15:52 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Petr Cerny [:hrosik] <pcerny at suse.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1828|application/octet-stream |text/plain
mime type| |
Attachment #1828|0 |1
is patch| |
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-05 15:53 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Petr Cerny [:hrosik] <pcerny at suse.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pcerny at suse.cz
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:30 UTC
[Bug 1701] FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits
https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Jan F. Chadima <jfch at jagda.eu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jfch at jagda.eu
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.