Opened 12 years ago
Closed 10 years ago
#218 closed Bug / Defect (wontfix)
Some known(?) issue with support for new PolarSSL 1.1 RNG when using chroot
Reported by: | MaxMuster | Owned by: | Gert Döring |
---|---|---|---|
Priority: | minor | Milestone: | release 2.3.3 |
Component: | Generic / unclassified | Version: | OpenVPN 2.3-beta / 2.3-RC (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | Steffan Karger |
Description
Hi all,
not sure if there is a solution for this issue or if it really is a "bug". I just tried new 2.3-alpha2 and my "working" config didn't work any more (Failed to initialize random generator).
I could track this down with strace to this point:
```
gettimeofday({1341432964, 382404}, NULL) = 0
gettimeofday({1341432964, 383111}, NULL) = 0
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
gettimeofday({1341432964, 385687}, NULL) = 0
write(1, "Wed Jul 4 22:16:04 2012 Failed "..., 63Wed Jul 4 22:16:04 2012 Failed to initialize random generator
) = 63
gettimeofday({1341432964, 389110}, NULL) = 0
write(1, "Wed Jul 4 22:16:04 2012 Exiting"..., 52Wed Jul 4 22:16:04 2012 Exiting due to fatal error
) = 52
```
So the "problem" is an inaccessible /dev/urandom. It works, if I remove the "chroot /tmp/openvpn" from my config.
Is it possible to do the initialization before the "chroot" takes place?
Thanks!
Change History (5)
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
Cc: | Steffan Karger added |
---|---|
Milestone: | → release 2.3.3 |
It would be good to have working polarssl+chroot. CC:ing syzzer, he's the one that can test it most easily I'd say.
comment:3 Changed 10 years ago by
In the meantime, just a quick workaround. As root, create the urandom file inside your chroot. That should work just fine in this case.
```
[root@host: ~]# mkdir /tmp/openvpn/dev
[root@host: ~]# mknod /tmp/openvpn/dev/urandom c 1 9
```
This presumes the urandom device file has the major:minor codes 1:9. This can be double checked like this:
```
[root@host: ~]# stat /dev/urandom | grep Device
Device: 5h/5d Inode: 1033 Links: 1 Device type: 1,9
```
Look at the "Device type" field, that's the info you want.
Other than that, without having checked any code, I believe this is a PolarSSL issue where it opens the /dev/urandom file after OpenVPN has completed chroot(). IIRC, OpenSSL opens the random file during initialisation and keeps it open after any chroot() calls, which means this is a PolarSSL issue only. I mostly use chroot in my setups, and I've never needed /dev/urandom inside the chroot with OpenSSL.
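The workaround above, as an added script that is not part of the ticket: it reads the major:minor of the host's /dev/urandom from `stat` output instead of hard-coding 1:9, creates the node under the chroot directory, and verifies the copy matches. It assumes GNU coreutils `stat` (whose "Device type" field is printed in hex) and that the install step runs as root; the chroot path and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the ticket or from OpenVPN/PolarSSL.
# Gives a chroot its own /dev/urandom so a library that reopens the device
# after chroot() (PolarSSL here) can still seed its RNG.
# Assumes GNU coreutils stat; the "Device type: X,Y" values are hexadecimal.

# Extract "major minor" in decimal from one line of `stat` output, e.g.
# (constructed from the ticket): "Device: 5h/5d Inode: 1033 Links: 1 Device type: 1,9"
parse_device_type() {
    hex=$(printf '%s\n' "$1" |
        sed -n 's/.*Device type: *\([0-9a-fA-F]*\),\([0-9a-fA-F]*\).*/\1 \2/p')
    [ -n "$hex" ] || return 1
    set -- $hex
    printf '%d %d\n' "$((0x$1))" "$((0x$2))"
}

# Create <chroot>/dev/urandom with the host's device numbers (needs root).
# Returns non-zero if the device could not be read or the copy does not match.
install_chroot_urandom() {
    chroot_dir=$1
    line=$(stat /dev/urandom | grep 'Device type') || return 1
    majmin=$(parse_device_type "$line") || return 1
    set -- $majmin
    mkdir -p "$chroot_dir/dev" || return 1
    # 0666 is the usual mode for urandom; the node is only usable for reads.
    mknod -m 0666 "$chroot_dir/dev/urandom" c "$1" "$2" || return 1
    # Verify: the chroot node must carry the same major,minor as the host's.
    host=$(stat -c '%t,%T' /dev/urandom)
    copy=$(stat -c '%t,%T' "$chroot_dir/dev/urandom")
    [ "$host" = "$copy" ]
}

# Usage (as root): install_chroot_urandom /tmp/openvpn
```

Run `install_chroot_urandom` with the same directory as the `chroot` line in the OpenVPN config; re-running it fails at `mknod` if the node already exists, which is harmless.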
comment:4 Changed 10 years ago by
Owner: | set to Gert Döring |
---|---|
Status: | new → assigned |
Ultra-brief summary from IRC meeting: "this is the way PolarSSL works", that is, reopening /dev/urandom every time randomness is needed.
We can't fix it in OpenVPN, but we can document that. Agreed to do so.
comment:5 Changed 10 years ago by
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
documented in openvpn.8
commit b238a1f2d4b2cdcfc844689b33fd3ac43ed31c1c (master)
commit 2600680ec2fd3cc27d7222154a637995fd90330f (release/2.3)
Is this reproducible only on polarssl? Can this be reproduced on latest Git master and the version of polarssl it requires?