similar to: FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random

Hi, Yesterday I tried to replace the system openssl in a gentoo system with libressl. With openssh an interesting issue popped up: * RAND_bytes in libressl calls arc4random * arc4random is a compat function both in openssh and libressl * arc4random from openssh uses RAND_bytes So what's happening is a recursion. arc4random wants to use RAND_bytes and RAND_bytes wants to use arc4random. The

I believe there is a problem with the openbsd-compat/bsd-arc4random.c file. If arc4random () is called without seed_rng having previously been called (eg if you run ssh-keygen -p ) then it does not in fact invoke seed_rng () if it is the first time. Instead it will invoke seed_rng every time BUT the first time. At least that is the way I read the code, and changing it as below allowed me to

Hi. I experimented a bit with collecting entropy from the time it takes for device_attach() to run (in CPU cycles). It seems that those times have enough variation that we can use it for entropy harvesting. It happens even before root is mounted, so pretty early. On the machine I'm testing it, which has minimal kernel plus NIC driver I see 75 device_attach() calls. I'm being very careful

tags 516774 = patch tags 516294 = upstream thanks Hi! Please find attached a diff closing #516774 by adding mkstemp(3), again with a minimalistic pseudo-arc4random(3) behind it. I?ve revisited the code. An mkstemp testsuite from the ?net shows it works, except for not caring how many ?X?en are in the template. Addressing #516294, it allows compiling and linking an mksh from today?s CVS against

I'm trying to understand the rational behind the arc4random() and arc4random_stir() functions in the OpenSSH source tree. On a system that has a good random number generator, say an in kernel /dev/random what extra functionality is this stuff providing ? Would it be acceptable to replace the calls to arc4random() with reading from /dev/random and drop the arc4random_stir() all together ?

https://bugzilla.mindrot.org/show_bug.cgi?id=2168 Bug ID: 2168 Summary: Fails to build after arc4random API change in OpenBSD Product: Portable OpenSSH Version: -current Hardware: All OS: OpenBSD Status: NEW Severity: minor Priority: P5 Component: Build system Assignee:

I am trying to compile OpenSSH 4.0p1 on a new Solaris 10 system using the OpenSSL that comes w/ the OS (0.9.7d) as well as MIT Krb5 1.4.1 (for various reasons we are not using Sun's Krb5 implementation): ./configure --prefix=/usr/local --with-kerberos5=/usr/local/krb5 --with-ssl-dir=/usr/sfw And it looks to be bombing here (adding in random support?): -=- gmake[1]: Entering directory

Hi! I have just played around a little bit with the actual CVS on HP-UX 10.20. - In openbsd-compat/Makefile.in the .c.o default rule is missing: .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< - Linking sftp fails, because seed_rng() cannot be resolved. Actually it is in entropy.c (libssh) and needed by arc4random.c. A similar problem has been discussed several days ago and the problem should

Hi, I have been working on a portable LibreSSL build tree for a little while to test the waters: http://github.com/busterb/libressl Someone noticed an issue with the arc4random implementation that I originally grabbed from libbsd https://github.com/busterb/libressl/issues/1 So, I looked at how OpenSSH handles it, and noticed that it uses the random functions from OpenSSL unconditionally to seed

All, How can I get at the daily snapshots? When I go to the website, www.openssh.com, and follow the Linux link to portable.html and then go to request the daily snapshot from http://bass.directhit.com/openssh_snap/, I get prompted for a user id and password. Needless to say, I ain't got. That's real useful. Use to be, I could get the snapshots from the ftp site. Then things

First error: head file related. Strangely, this code has been there a while, which makes me think that the HAVE_ARC4RANDOM is somehow now showing up as set whereas perhaps it didn't used to be. tfiala at tfiala2:~/lldb/svn/lgs/build$ make make[1]: Entering directory `/mnt/ssd/work/svn/lgs/build/lib/Support' llvm[1]: Compiling Process.cpp for Debug+Asserts build In file included from

Yo All! openssh-SNAP-20010209.tar.gz fails to compile on Slackware. Patch at the end of this message. Here is the error: gcc -o sftp sftp.o sftp-client.o sftp-common.o sftp-int.o log-client.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lcrypt -lz -lnsl -lutil -lcrypto -lwrap openbsd-compat//libopenbsd-compat.a(bsd-arc4random.o): In function

Damien Miller wrote: > > On Tue, 3 Mar 2015, The Doctor wrote: > >> regress/unittests/test_helper/test_helper.c: In function `test_data_file': >> regress/unittests/test_helper/test_helper.c:177: warning: implicit declaration of function `strlcpy' >> regress/unittests/test_helper/test_helper.c: At top level: >>

Dear Sir, I try to install OpenSSH 3.7.1p1 on AIX 4.3.3, but I find the following problem. Would you please give some advices for me? I try to configure the s/w by entering ../configure --prefix=OPENSSH_PATH \ --sysconfdir=OPENSSH_PATH/etc/openssh \ --without-pam \ --without-prngd-socket \ --without-prngd-port \ --with-tcp-wrappers=TCPWRAPPER_PATH \ --with-pid-dir=OPENSSH_PATH/var/run/openssh \

Roger Marquis wrote: > [snip] > >It takes all of 2 seconds to generate a ssh 2 new session on a >500Mhz cpu (causing less than 20% utilization). Considering that >99% of even the most heavily loaded servers have more than enough >cpu for this task I don't really see it as an issue. > >Also, by generating a different key for each session you get better >entropy,

Now that ssh-rand-helper has been segregated into a separate program, I'd like to revisit an old question about its entropy gathering. - would it be desirable to make it possible for ssh-rand-helper to fall back to external commands if PRNGD cannot be reached, instead of choosing one or the other at compile time? - When using PRNGD, the program gets 48 bytes of entropy from PRNGD,

Over the holidays, I intend to finally rid portable OpenSSH of the builtin entropy collection code. Here's what I intend to do: When init_rng is called, we'll check OpenSSL's RAND_status(). If this indicates that their PRNG is already seeded, we'll do nothing. This effectively detects platforms which have /dev/urandom (or similar) configured into OpenSSL. If OpenSSL isn't

I have two machines that we are having problems compiling version 4.3p2. Both machines are Solaris 8 and gcc 3.3.2 openssl 0.9.8a is installed on both machines as well. The first exhibits an error in log.h: In file included from bsd-arc4random.c:18: ../log.h: In function `fatal': ../log.h:56: warning: empty declaration ../log.h:65: error: parse error before "volatile"

When I run a make on the openssh source directory, it starts the compile and then fails with: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include -DHAVE_CONFIG_H -c bsd-arc4random.c In file included from ../openbsd-compat/openbsd-compat.h:35, from ../includes.h:169, from bsd-arc4random.c:25:

ChangeLog 20001230 - (bal) if no MAXHOSTNAMELEN is defined. Default to 64 character defination. Suggested by Christian Kurz <shorty at debain.org> This change causes compiler warnings on UnixWare 7, Solaris 7, others? ... gcc -g -O2 -Wall -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDI R=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\"