Opened 8 years ago

Closed 7 years ago

#218 closed Bug / Defect (wontfix)

Some known(?) issue with support for new PolarSSL 1.1 RNG when using chroot

Reported by: MaxMuster Owned by: Gert Döring
Priority: minor Milestone: release 2.3.3
Component: Generic / unclassified Version: OpenVPN 2.3-beta / 2.3-RC (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger


Hi all,
not sure if there is a solution for this issue or if it really is a "bug". I just tried new 2.3-alpha2 and my "working" config didn't work any more (Failed to initialize random generator).

I could track this down with strace to this point:

gettimeofday({1341432964, 382404}, NULL) = 0
gettimeofday({1341432964, 383111}, NULL) = 0
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
gettimeofday({1341432964, 385687}, NULL) = 0
write(1, "Wed Jul  4 22:16:04 2012 Failed "..., 63Wed Jul  4 22:16:04 2012 Failed to initialize random generator
) = 63
gettimeofday({1341432964, 389110}, NULL) = 0
write(1, "Wed Jul  4 22:16:04 2012 Exiting"..., 52Wed Jul  4 22:16:04 2012 Exiting due to fatal error
) = 52

So the "problem" is an inaccessible /dev/urandom. It works, if I remove the "chroot /tmp/openvpn" from my config.

Is it possible to do the initialization before the "chroot" takes place?


Change History (5)

comment:1 Changed 7 years ago by Samuli Seppänen

Is this reproducible only on polarssl? Can this be reproduced on latest Git master and the version of polarssl it requires?

comment:2 Changed 7 years ago by Gert Döring

Cc: Steffan Karger added
Milestone: release 2.3.3

It would be good to have working polarssl+chroot. CC:ing syzzer, he's the one that can test it most easily I'd say.

comment:3 Changed 7 years ago by David Sommerseth

In the meantime, just a quick workaround. As root, create the urandom file inside your chroot. That should work just fine in this case.

[root@host: ~]# mkdir /tmp/openvpn/dev
[root@host: ~]# mknod /tmp/openvpn/dev/urandom c 1 9

This presumes the urandom device file has the major:minor codes 1:9. This can be double checked like this:

[root@host: ~]# stat /dev/urandom | grep Device
Device: 5h/5d Inode: 1033 Links: 1 Device type: 1,9

Look at the "Device type" field, that's the info you want.

Other than that, without having checked any code, I believe this is a PolarSSL issue where it opens the /dev/urandom file after OpenVPN has completed chroot(). IIRC, OpenSSL opens the random file during initialisation and keeps it open after any chroot() calls, which means this is a PolarSSL issue only. I mostly use chroot in my setups, and I've never needed /dev/urandom inside the chroot with OpenSSL.

comment:4 Changed 7 years ago by Gert Döring

Owner: set to Gert Döring
Status: newassigned

Ultra-brief summary from IRC meeting: "this is the way PolarSSL works", that is, reopening /dev/urandom every time randomness is needed.

We can't fix it in OpenVPN, but we can document that. Agreed to do so.

comment:5 Changed 7 years ago by Gert Döring

Resolution: wontfix
Status: assignedclosed

documented in openvpn.8

commit b238a1f2d4b2cdcfc844689b33fd3ac43ed31c1c (master)
commit 2600680ec2fd3cc27d7222154a637995fd90330f (release/2.3)

Note: See TracTickets for help on using tickets.