>Submitter-Id: net
>Originator: Christian Biere
>Confidential: no
>Synopsis: libgcrypt fails to use /dev/random on NetBSD
>Severity: serious
>Priority: medium
>Category: pkg
>Class: sw-bug
>Release: NetBSD 3.99.7
>Environment:
System: NetBSD cyclonus 3.99.7 NetBSD 3.99.7 (STARSCREAM) #4: Sat Aug 13 17:11:37 CEST 2005 bin@cyclonus:/usr/obj/objdir/sys/arch/i386/compile/STARSCREAM i386
Architecture: i386
Machine: i386
>Description:
The configure script of libgcrypt has "/dev/srandom" hardcoded for NetBSD
instead of "/dev/random". This means libgcrypt will try to access a
non-existing device at runtime and fall back to a replacement method to
gather entropy which is likely to be (much) weaker.
>How-To-Repeat:
Compile libgcrypt and note that it reports that no random device was
found:
"checking for random device... no"
It doesn't complain excessively though. configure will print a message
suggesting to use EGD. However, it does not make obvious that the reason
for showing this message is that the expected random device was not found.
I've only noticed this incidently by tracing an application linked
against libgcrypt when I my eyes caught an access attempt to
"/dev/srandom" in the log output.
>Fix:
As a workaround, add a symbolic link /dev/srandom pointing to an existing
/dev/random. This doesn't require recompiling libgcrypt. The attached
patch against libgcrypt 1.2.1 should fix the bug in the configure script.
diff -ur configure.orig configure
--- configure.orig 2005-01-05 14:53:24.000000000 +0100
+++ configure 2005-09-09 01:13:26.000000000 +0200
@@ -2259,14 +2259,14 @@
case "${target}" in
- *-openbsd* | *-netbsd*)
+ *-openbsd* )
# FIXME: Are these the best flags for OpenBSD?
NAME_OF_DEV_RANDOM="/dev/srandom"
NAME_OF_DEV_URANDOM="/dev/urandom"
# DYNLINK_MOD_CFLAGS="-shared -rdynamic $CFLAGS_PIC -Wl,-Bshareable -Wl,-x"
;;
- *-solaris* | *-irix* | *-dec-osf* )
+ *-solaris* | *-irix* | *-dec-osf* | *-netbsd* )
NAME_OF_DEV_RANDOM="/dev/random"
NAME_OF_DEV_URANDOM="/dev/random"
# DYNLINK_MOD_CFLAGS="-shared $CFLAGS_PIC"
diff -ur configure.ac.orig configure.ac
--- configure.ac.orig 2005-01-05 14:52:33.000000000 +0100
+++ configure.ac 2005-09-09 01:10:30.000000000 +0200
@@ -187,14 +187,14 @@
case "${target}" in
- *-openbsd* | *-netbsd*)
+ *-openbsd* )
# FIXME: Are these the best flags for OpenBSD?
NAME_OF_DEV_RANDOM="/dev/srandom"
NAME_OF_DEV_URANDOM="/dev/urandom"
# DYNLINK_MOD_CFLAGS="-shared -rdynamic $CFLAGS_PIC -Wl,-Bshareable -Wl,-x"
;;
- *-solaris* | *-irix* | *-dec-osf* )
+ *-solaris* | *-irix* | *-dec-osf* | *-netbsd* )
NAME_OF_DEV_RANDOM="/dev/random"
NAME_OF_DEV_URANDOM="/dev/random"
# DYNLINK_MOD_CFLAGS="-shared $CFLAGS_PIC"
>Originator: Christian Biere
>Confidential: no
>Synopsis: libgcrypt fails to use /dev/random on NetBSD
>Severity: serious
>Priority: medium
>Category: pkg
>Class: sw-bug
>Release: NetBSD 3.99.7
>Environment:
System: NetBSD cyclonus 3.99.7 NetBSD 3.99.7 (STARSCREAM) #4: Sat Aug 13 17:11:37 CEST 2005 bin@cyclonus:/usr/obj/objdir/sys/arch/i386/compile/STARSCREAM i386
Architecture: i386
Machine: i386
>Description:
The configure script of libgcrypt has "/dev/srandom" hardcoded for NetBSD
instead of "/dev/random". This means libgcrypt will try to access a
non-existing device at runtime and fall back to a replacement method to
gather entropy which is likely to be (much) weaker.
>How-To-Repeat:
Compile libgcrypt and note that it reports that no random device was
found:
"checking for random device... no"
It doesn't complain excessively though. configure will print a message
suggesting to use EGD. However, it does not make obvious that the reason
for showing this message is that the expected random device was not found.
I've only noticed this incidently by tracing an application linked
against libgcrypt when I my eyes caught an access attempt to
"/dev/srandom" in the log output.
>Fix:
As a workaround, add a symbolic link /dev/srandom pointing to an existing
/dev/random. This doesn't require recompiling libgcrypt. The attached
patch against libgcrypt 1.2.1 should fix the bug in the configure script.
diff -ur configure.orig configure
--- configure.orig 2005-01-05 14:53:24.000000000 +0100
+++ configure 2005-09-09 01:13:26.000000000 +0200
@@ -2259,14 +2259,14 @@
case "${target}" in
- *-openbsd* | *-netbsd*)
+ *-openbsd* )
# FIXME: Are these the best flags for OpenBSD?
NAME_OF_DEV_RANDOM="/dev/srandom"
NAME_OF_DEV_URANDOM="/dev/urandom"
# DYNLINK_MOD_CFLAGS="-shared -rdynamic $CFLAGS_PIC -Wl,-Bshareable -Wl,-x"
;;
- *-solaris* | *-irix* | *-dec-osf* )
+ *-solaris* | *-irix* | *-dec-osf* | *-netbsd* )
NAME_OF_DEV_RANDOM="/dev/random"
NAME_OF_DEV_URANDOM="/dev/random"
# DYNLINK_MOD_CFLAGS="-shared $CFLAGS_PIC"
diff -ur configure.ac.orig configure.ac
--- configure.ac.orig 2005-01-05 14:52:33.000000000 +0100
+++ configure.ac 2005-09-09 01:10:30.000000000 +0200
@@ -187,14 +187,14 @@
case "${target}" in
- *-openbsd* | *-netbsd*)
+ *-openbsd* )
# FIXME: Are these the best flags for OpenBSD?
NAME_OF_DEV_RANDOM="/dev/srandom"
NAME_OF_DEV_URANDOM="/dev/urandom"
# DYNLINK_MOD_CFLAGS="-shared -rdynamic $CFLAGS_PIC -Wl,-Bshareable -Wl,-x"
;;
- *-solaris* | *-irix* | *-dec-osf* )
+ *-solaris* | *-irix* | *-dec-osf* | *-netbsd* )
NAME_OF_DEV_RANDOM="/dev/random"
NAME_OF_DEV_URANDOM="/dev/random"
# DYNLINK_MOD_CFLAGS="-shared $CFLAGS_PIC"