The author of EGD (Brian Warner) sent the following to the OpenSSH list a few
weeks ago when someone there had a similar problem. It was hanging because
it was out of entropy. If you run EGD with the --debug-gather switch you can
check for the "ran out of sources" that is referred to below.

BTW, there was a huge security bug in EGD 0.6 (no new entropy was ever
introduced) and you should upgrade if you are using EGD. If you don't
want to upgrade due to this hanging problem, let me know and I can tell you
what to change in 0.6 to fix the bug until 0.7 is fixed.

brian (carrier)

Brian Warner wrote:
> Yup. There's a bug in select() handling in egd-0.7 that is exposed on recent
> versions of Solaris (and possibly Irix). The symptom is the "ran out of
> sources" message. (in short, select()ing for readability and exception-ability
> will sometimes return both when an fd is at EOF, so you must try reading first
> before believing the exception).
>
> I've got a patched version of egd.pl up for test at
> <ftp://ftp.lothar.com/linux/egd.pl.1.46> that all are welcome to try. Feedback
> is most welcome. I'm especially interested in hearing about whether clients
> who terminate early (killed mid-transaction) cause the daemon to get confused,
> since that feels like the most likely bug that could result from shuffling
> those two blocks of code.
>
On Mon, May 08, 2000 at 03:17:48PM -0500, Phillip Porch wrote:
> I have the 0.7 version of egd.pl installed and running with
>
> egd.pl /dev/entropy
>
> The self tests work fine.
>
> I set the RANDFILE to the /dev/entropy after compiling openssl (CVS
> version as of 5/7/00.)
>
> I have no problems with:
>
> openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365
> -config openssl.cnf
>
> I have no problems with:
>
> openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 360
> -config openssl.cnf
>
> The problem arises when I try and sign the certificate generated above
> with:
>
> openssl x509 -x509toreq -in newreq.pem -signkey newereq.pem -out tmp.pem
>
> The program just sits and never returns. I did a little debugging with
> scotruss which showed the program opening /dev/entropy and sleeping.
>
> open("/dev/entropy", 0x0, 0x1b6) = ... (sleeping)
>
> I then created a .rnd file by: ls -l | md5 > .rnd
>
> and set RANDFILE to be the .rnd file and the signing of the key works
> fine.
>
> So in summary, there appears to be a problem with the x509 -signkey
> routine when the randomfile is the egd pipe.
>
> Any suggestions on helping track this down further?
>
> --
> Phillip P. Porch <[EMAIL PROTECTED]> NIC:PP1573 finger for
> http://www.theporch.com UTM - 16 514548E 3994397N PGP key
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
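The select() pitfall Warner describes above, shown as an added C example that is not from egd.pl or from anyone in this thread: read first, and treat the exception bit as a failure only when the descriptor was not readable. The pipe and its sample bytes are constructed for the demonstration, and handle_source and gather_from_pipe are hypothetical names.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/time.h>

/* What a source descriptor turned out to be once we actually tried it. */
enum src_state { SRC_DATA, SRC_EOF, SRC_ERROR, SRC_IDLE };

/* After select(): read first if the fd is readable, and trust the exception
 * bit only when there was nothing to read.  On some platforms an fd at EOF
 * shows up in both the read and exception sets at once. */
static enum src_state handle_source(int fd, const fd_set *rd, const fd_set *ex,
                                    char *buf, size_t len, ssize_t *got)
{
    *got = 0;
    if (FD_ISSET(fd, rd)) {
        ssize_t n = read(fd, buf, len);
        if (n > 0) { *got = n; return SRC_DATA; }      /* real data, ex bit or not */
        if (n == 0) return SRC_EOF;                     /* orderly EOF, not an error */
        return (errno == EAGAIN || errno == EINTR) ? SRC_IDLE : SRC_ERROR;
    }
    return FD_ISSET(fd, ex) ? SRC_ERROR : SRC_IDLE;   /* exception with no data */
}

/* Constructed source: a pipe whose writer sends `sample` and then hangs up.
 * Returns bytes gathered before a clean EOF, or -1 on an unexpected state. */
int gather_from_pipe(const char *sample)
{
    int p[2]; char buf[64]; ssize_t got; int total = 0;
    if (pipe(p) < 0) return -1;
    if (write(p[1], sample, strlen(sample)) < 0) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);                   /* writer gone: read end is readable AND at EOF */
    for (int round = 0; round < 8; round++) {
        fd_set rd, ex;
        FD_ZERO(&rd); FD_ZERO(&ex);
        FD_SET(p[0], &rd); FD_SET(p[0], &ex);
        struct timeval tv = { 1, 0 };
        if (select(p[0] + 1, &rd, NULL, &ex, &tv) < 0) { close(p[0]); return -1; }
        enum src_state s = handle_source(p[0], &rd, &ex, buf, sizeof buf, &got);
        if (s == SRC_DATA) { total += (int)got; continue; }   /* keep draining */
        close(p[0]);
        return s == SRC_EOF ? total : -1;   /* EOF is the normal end; anything else is a fault */
    }
    close(p[0]);
    return -1;
}
```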