openssl 9.3 and openssl 3.1

Nathan Wagner nw at hydaspes.if.org
Sun Mar 19 14:01:55 AEDT 2023


On Sun, Mar 19, 2023 at 12:57:23PM +1100, Darren Tucker wrote:
> On Sun, 19 Mar 2023 at 12:25, Nathan Wagner <nw at hydaspes.if.org> wrote:

> Does the OpenSSL self-test ("make tests") pass?   Does its basic RNG
> function work (eg "openssl rand -base64 9")?  And if "openssl rand"
> doesn't work, if you strace it what is it trying to do?

make tests pass, and openssl rand -base64 9 produces output that looks
like base64.

> > Compile openssh with /dev/urandom as the prngd-socket?
> 
> No, the prngd socket interface works differently to /dev/random.

Interesting.  I compiled ssh to use /dev/urandom as the socket,
and it appears to work.  Obviously there could be strange bugs.

> You might be able to get this to compile, but if the RNG seeding in
> your OpenSSL build is broken

I don't think it is.  I think the openssh test isn't correct, at least
not for openssl 3.1.  I did find a post to linuxquestions in 2014 that
had the same or similar problem.  That obviously wasn't openssl 3.1.

> I would be concerned about what else might be broken in it, possibly
> in some subtle way.  I would be looking at fixing your OpenSSL.

Any idea how?  I think RAND_status() would need to be changed.

-- 
nw

