Thread: psql+openssl+uniware7
Hi all,

While testing postgresql with openssl on Unixware, I had this problem that psql always replied "PRNG not seeded". That's because psql doesn't seed it in any way. That's all right on systems that have /dev/urandom (or whatever is ok for openssl).

The hack is simple: install prngd, then add

    -DEGD='"/var/run/prngd-pool"'

to CFLAGS in src/makefiles/unixware, then add

    #ifdef EGD
        RAND_egd(EGD);    /* seed OpenSSL's PRNG from the prngd socket */
    #endif

in src/interfaces/libpq/fe-connect.c near line 965 (#ifdef USE_SSL).

This done, openssl is doing all right.

I'm sorry I don't have a clue how to make a clean patch. I guess a real patch would involve configure testing for /dev/?random, then all "standard places" according to openssl for prng sockets, then eventually issue RAND_egd.

Thank you for your attention.

--
Olivier PRENANT                 Tel: +33-5-61-50-97-00 (Work)
Quartier d'Harraud Turrou            +33-5-61-50-97-01 (Fax)
31190 AUTERIVE                       +33-6-07-63-80-64 (GSM)
FRANCE                          Email: ohp@pyrenet.fr
------------------------------------------------------------------------------
Make your life a dream, make your dream a reality. (St Exupery)
Olivier PRENANT writes:

> I'm sorry I don't have a clue how to make a clean patch. I guess a
> real patch would involve configure testing for /dev/?random then all
> "standard places" according to openssl for prng sockets then issue
> eventually RAND_egd.

Shouldn't this be handled by the OpenSSL configuration?

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter
On Thu, 21 Jun 2001, Peter Eisentraut wrote:

> Olivier PRENANT writes:
>
> > I'm sorry I don't have a clue how to make a clean patch. I guess a
> > real patch would involve configure testing for /dev/?random then all
> > "standard places" according to openssl for prng sockets then issue
> > eventually RAND_egd.
>
> Shouldn't this be handled by the OpenSSL configuration?

Not yet, openssl-0.9.7 will detect egd. Until then, the client has to seed the prng.

--
Olivier PRENANT
Olivier PRENANT <ohp@pyrenet.fr> writes:

>> Shouldn't this be handled by the OpenSSL configuration?

> Not yet, openssl-0.9.7 will detect egd. Until then, the client has to seed
> the prng.

I think we shouldn't patch our code to work around an openssl bug that will go away soon anyway.

regards, tom lane
I was afraid you would say that.

As a user of postgresql for many years, one thing I love is that it's multi-platform. Unfortunately, not all platforms have /dev/urandom.

Here is part of the openssl doc (RAND_add.pod):

    OpenSSL makes sure that the PRNG state is unique for each thread. On
    systems that provide C</dev/urandom>, the randomness device is used to
    seed the PRNG transparently. However, on all other systems, the
    application is responsible for seeding the PRNG by calling RAND_add(),
    L<RAND_egd(3)|RAND_egd(3)> or L<RAND_load_file(3)|RAND_load_file(3)>.

It clearly states that THE APPLICATION (psql) is responsible for seeding the PRNG. ISTM, saying it's a bug of openssl when it's IN THE DOC seems a bit "unnice". Even openssh (widely used) seeds the PRNG itself.

I'm not trying to start a war, I love Postgresql too much for that, but just to say, I'll TRY to come up with a patch.

Regards,

On Fri, 22 Jun 2001, Tom Lane wrote:

> Olivier PRENANT <ohp@pyrenet.fr> writes:
> >> Shouldn't this be handled by the OpenSSL configuration?
>
> > Not yet, openssl-0.9.7 will detect egd. Until then, the client has to seed
> > the prng.
>
> I think we shouldn't patch our code to work around an openssl bug that
> will go away soon anyway.
>
> regards, tom lane

--
Olivier PRENANT
Olivier PRENANT writes:

> It clearly states that THE APPLICATION (psql) is responsible for seeding
> the PRNG. ISTM, saying it's a bug of openssl when it's IN THE DOC seems a
> bit "unnice".

Might be better if libpq would handle this.

--
Peter Eisentraut
On Sat, 23 Jun 2001, Peter Eisentraut wrote:

> Olivier PRENANT writes:
>
> > It clearly states that THE APPLICATION (psql) is responsible for seeding
> > the PRNG. ISTM, saying it's a bug of openssl when it's IN THE DOC seems a
> > bit "unnice".
>
> Might be better if libpq would handle this.

I can't agree more. That's why I changed fe-connect.c (it works ok). The only thing is to write a proper patch!!

Regards,

--
Olivier PRENANT