openssl 9.3 and openssl 3.1

Darren Tucker dtucker at dtucker.net
Sun Mar 19 15:25:11 AEDT 2023


On Sun, 19 Mar 2023 at 14:07, Nathan Wagner <nw at hydaspes.if.org> wrote:
> On Sun, Mar 19, 2023 at 12:57:23PM +1100, Darren Tucker wrote:
[...]
> > No, the prngd socket interface works differently to /dev/random.
>
> Interesting.  I compiled ssh to use /dev/urandom as the socket,
> and it appears to work.  Obviously there could be strange bugs.

That is interesting.  The prngd interface is "connect to Unix domain
socket, send a byte with the number of random bytes you want and read
that number of bytes back."  I thought the connect(2) would fail, but
if can connect to a device node, the random device will ignore the
count byte and the final read should work OK.

[...]
> > I would be concerned about what else might be broken in it, possibly
> > in some subtle way.  I would be looking at fixing your OpenSSL.
>
> Any idea how?  I think RAND_status() would need to be changed.

Did the OpenSSH RAND_status test program fail at runtime, or did it
fail to compile for some reason?  That should be in config.log.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list