openssh bugs - Jan 2010 - [Bug 1701] New: FIPS-140-2 requires call to RAND_cleanup() before the program using RAND exits

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

           Summary: FIPS-140-2 requires call to RAND_cleanup() before the
                    program using RAND exits
           Product: Portable OpenSSH
           Version: 5.3p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: jchadima at redhat.com


There is the mandatory call RAND_cleanup() before the exit of the
program that uses RAND for the fips-140-2 compliance.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

--- Comment #1 from jchadima at redhat.com 2010-01-21 23:05:10 EST ---
Created an attachment (id=1781)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1781)
Patch solving the problem

This is the patch which initilaizing the random device, ensure the call
to RAND_cleanup at the exit of the program.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2010-03-26
11:37:57 EST ---
Is RAND_cleanup() signal-safe?  (I suspect not, and if it's not then
this potentially opens a signal race vulnerability in sshd, which is
the reason why all use of atexit was removed from OpenSSH previously.)

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Tomas Mraz <t8m at centrum.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |t8m at centrum.cz

--- Comment #3 from Tomas Mraz <t8m at centrum.cz> 2010-04-06 16:47:25 EST
---
RAND_cleanup() is not signal safe if the rand generator is supplied by
an engine which would be released by the call (no other references than
the generator). But this is irrelevant anyway as the functions
registered with atexit() are called only in exit() calls and not in the
default signal handler termination or in _exit().

If openssh called exit() in signal handler it would be a security
problem anyway as this is signal handler unsafe call itself.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

--- Comment #4 from jchadima at redhat.com 2010-04-06 19:35:17 EST ---
Created an attachment (id=1828)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1828)
Alternate patch using cleanup_exit

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Petr Cerny [:hrosik] <pcerny at suse.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1828|application/octet-stream    |text/plain
          mime type|                            |
   Attachment #1828|0                           |1
           is patch|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Petr Cerny [:hrosik] <pcerny at suse.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pcerny at suse.cz

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1701

Jan F. Chadima <jfch at jagda.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jfch at jagda.eu

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.