David Schwartz wrote:

Try launching your test program automatically on boot up at the same time
you launch ssh or whatever application is failing. I bet '/dev/urandom' will
fail then.

The program had no problems running with simultaneous
od -x /dev/random, that was blocking because it sucked
all the entropy available, running in another shell...

cat /proc/sys/kernel/random/entropy_avail gives 17 etc...

Well, I started another sshd under strace, I am sucking
the entropy with od -x /dev/random and am waiting for
the crash. I got two:

1) one sshd child instance where the sshd daemon says
"PRNG not seeded" (which translates to RAND_status not 1),
but the strace looks all normal :(

[pid  4711] open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
[pid  4711] fstat64(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
[pid  4711] poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 10) = 1
[pid  4711] read(3, "cc\262\322C\\\226T\235/\37\352\356\234\260P(\177\35\214"..., 32) = 32
[pid  4711] close(3)                    = 0
[pid  4711] getuid32()                  = 0
[pid  4711] time(NULL)                  = 1218033332
(all of these are clearly the RAND_poll)

and then it goes to call time, open /etc/localtime etc.
preparing to log the error.

How can _this_ happen? The RAND_poll in ssleay_rand_status
_was_ called and provided ENTROPY_NEEDED (32) bytes. The loop
exited with n >= ENTROPY_NEEDED, so the
RAND_add(tmpbuf,sizeof tmpbuf,(double)n); was called...



2) Could not obtain random bytes

This is the parent sshd and it does not do _anything_ with
the /dev/urandom at the time of the crash. A sshd child
process exits, parent sshd does a few closes and proceeds
to "Cannot obtain random bytes". That means that RAND_bytes
returned <= 0. In ssleay_rand_bytes there is
  ok = (entropy >= ENTROPY_NEEDED);
and then I don't see anything that could set the ok back
to true. Is another ok = (entropy >= ENTROPY_NEEDED);
missing somewhere after all the stirring etc?



Well, enough for today - I am no expert in ssl, I am just
trying to find what is happening here...

Regards
--
                                     Stano
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
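
The /dev/urandom sequence visible in the strace above (open, fstat64, poll with a 10 ms timeout, read of 32 bytes), written as a stand-alone C probe that can be launched at boot alongside sshd to report a short or failed read. This is an added example, not code from the original message or from OpenSSL; the helper name `probe_random_device` and its return convention are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define ENTROPY_NEEDED 32   /* value quoted in the message above */

/* Hypothetical helper: returns the number of bytes read (0..want), or -1 if
 * the path cannot be opened or is not a character device. */
static int probe_random_device(const char *path, unsigned char *buf,
                               int want, int timeout_ms)
{
    struct stat st;
    int got = 0;
    int fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);  /* flags as in the strace */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    while (got < want) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        int r = poll(&pfd, 1, timeout_ms);
        if (r < 0 && errno == EINTR)
            continue;                   /* interrupted by a signal: retry */
        if (r <= 0 || !(pfd.revents & POLLIN))
            break;                      /* timeout or error: report a short count */
        ssize_t n = read(fd, buf + got, (size_t)(want - got));
        if (n < 0 && (errno == EINTR || errno == EAGAIN))
            continue;
        if (n <= 0)
            break;                      /* EOF or hard error */
        got += (int)n;
    }
    close(fd);
    return got;
}

int main(void)
{
    unsigned char buf[ENTROPY_NEEDED];
    int n = probe_random_device("/dev/urandom", buf, ENTROPY_NEEDED, 10);
    fprintf(stderr, "/dev/urandom: got %d of %d bytes%s\n", n, ENTROPY_NEEDED,
            n < ENTROPY_NEEDED ? " (SHORT)" : "");
    return n == ENTROPY_NEEDED ? 0 : 1;
}
```

A non-zero exit status or a "SHORT" line in the boot log points at the device read; a clean run while sshd still reports "PRNG not seeded" points back at the entropy accounting inside the library.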