Thread: psql+openssl+uniware7

psql+openssl+uniware7

From
Olivier PRENANT
Date:
Hi all,

While testing postgresql with openssl on Unixware, I had this problem that
psql alaways replied "PRGN not seeded".

That because psql does'nt not seed it in anyway. That's all right on
systems that have /dev/urandom (or whatever is ok for openssl)

The hack is simple: install prngd then add -DEGD='"/var/run/prngd-pool"'
to
CFLAGS in src/makefiles/unixware'CFLAGS

then add 
#ifdef EDGRAND_egd(EGD);
#endif

if src/interfaces/libpq/fe-connect.c near line  965 (#ifdef USE_SSL)

This done, openssl is doing all right.

I'm sorry I don't have a clue how to make a clean patch. I guess
real patch would involve configure testing for /dev/?random then all
"standard places" according to openssl for prng sockets then isse
eventually RAND_egd.

Thanks you for your attention.

-- 
Olivier PRENANT             Tel:    +33-5-61-50-97-00 (Work)
Quartier d'Harraud Turrou           +33-5-61-50-97-01 (Fax)
31190 AUTERIVE                      +33-6-07-63-80-64 (GSM)
FRANCE                      Email: ohp@pyrenet.fr
------------------------------------------------------------------------------
Make your life a dream, make your dream a reality. (St Exupery)



Re: psql+openssl+uniware7

From
Peter Eisentraut
Date:
Olivier PRENANT writes:

> I'm sorry I don't have a clue how to make a clean patch. I guess
> real patch would involve configure testing for /dev/?random then all
> "standard places" according to openssl for prng sockets then isse
> eventually RAND_egd.

Shouldn't this be handled by the OpenSSL configuration?

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter



Re: psql+openssl+uniware7

From
Olivier PRENANT
Date:
On Thu, 21 Jun 2001, Peter Eisentraut wrote:

> Olivier PRENANT writes:
> 
> > I'm sorry I don't have a clue how to make a clean patch. I guess
> > real patch would involve configure testing for /dev/?random then all
> > "standard places" according to openssl for prng sockets then isse
> > eventually RAND_egd.
> 
> Shouldn't this be handled by the OpenSSL configuration?
Not yet, opensl-0.9.7 will detect egd. Until then, client has to seed
prng.

> 
> 

-- 
Olivier PRENANT             Tel:    +33-5-61-50-97-00 (Work)
Quartier d'Harraud Turrou           +33-5-61-50-97-01 (Fax)
31190 AUTERIVE                      +33-6-07-63-80-64 (GSM)
FRANCE                      Email: ohp@pyrenet.fr
------------------------------------------------------------------------------
Make your life a dream, make your dream a reality. (St Exupery)



Re: psql+openssl+uniware7

From
Tom Lane
Date:
Olivier PRENANT <ohp@pyrenet.fr> writes:
>> Shouldn't this be handled by the OpenSSL configuration?

> Not yet, opensl-0.9.7 will detect egd. Until then, client has to seed
> prng.

I think we shouldn't patch our code to work around an openssl bug that
will go away soon anyway.
        regards, tom lane


Re: psql+openssl+uniware7

From
Olivier PRENANT
Date:
I was afraid you would say that.

As a user of postgresql for many years, one thing I love is that it's
multi-platform.

Unfortunatly, not all platforms have /dev/urandom.

here is part of openssl doc (RAND_add.pod)

OpenSSL makes sure that the PRNG state is unique for each thread. On
systems that provide C</dev/urandom>, the randomness device is used
to seed the PRNG transparently. However, on all other systems, the
application is responsible for seeding the PRNG by calling RAND_add(),
L<RAND_egd(3)|RAND_egd(3)>
or L<RAND_load_file(3)|RAND_load_file(3)>.

It clearly states that THE APPLICATION (psql) is responsible for seedinf
the PRNG. ISTM, saying it's a bug of openssl when it's IN THE DOC seems a
bit "unnice".

Even openssh (widely used) seeds PRNG itself.

I'm not trying to start a war, I love Postgresql too much for that, but
just say, I'll TRY to come up with a patch.

Regards,


On Fri, 22 Jun 2001, Tom Lane wrote:

> Olivier PRENANT <ohp@pyrenet.fr> writes:
> >> Shouldn't this be handled by the OpenSSL configuration?
> 
> > Not yet, opensl-0.9.7 will detect egd. Until then, client has to seed
> > prng.
> 
> I think we shouldn't patch our code to work around an openssl bug that
> will go away soon anyway.
> 
>             regards, tom lane
> 

-- 
Olivier PRENANT             Tel:    +33-5-61-50-97-00 (Work)
Quartier d'Harraud Turrou           +33-5-61-50-97-01 (Fax)
31190 AUTERIVE                      +33-6-07-63-80-64 (GSM)
FRANCE                      Email: ohp@pyrenet.fr
------------------------------------------------------------------------------
Make your life a dream, make your dream a reality. (St Exupery)



Re: psql+openssl+uniware7

From
Peter Eisentraut
Date:
Olivier PRENANT writes:

> It clearly states that THE APPLICATION (psql) is responsible for seedinf
> the PRNG. ISTM, saying it's a bug of openssl when it's IN THE DOC seems a
> bit "unnice".

Might be better if libpq would handle this.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter



Re: psql+openssl+uniware7

From
Olivier PRENANT
Date:
On Sat, 23 Jun 2001, Peter Eisentraut wrote:

> Olivier PRENANT writes:
> 
> > It clearly states that THE APPLICATION (psql) is responsible for seedinf
> > the PRNG. ISTM, saying it's a bug of openssl when it's IN THE DOC seems a
> > bit "unnice".
> 
> Might be better if libpq would handle this.
I can't agree more. That's why I changes fe-connect.c (it works ok) The
only thing if to write a propper patch!!

Regards,
> 
> 

-- 
Olivier PRENANT             Tel:    +33-5-61-50-97-00 (Work)
Quartier d'Harraud Turrou           +33-5-61-50-97-01 (Fax)
31190 AUTERIVE                      +33-6-07-63-80-64 (GSM)
FRANCE                      Email: ohp@pyrenet.fr
------------------------------------------------------------------------------
Make your life a dream, make your dream a reality. (St Exupery)