View Issue Details

ID: 0000720
Project: Other Unix Port
Category: Bug
View Status: public
Last Update: 2020-09-04 18:28
Reporter: Steven Levine
Assigned To: psmedley
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: OS2/eCS
OS: OS/2 or eComstation
OS Version: 1.x 2.x or 4.5
Summary: 0000720: stunnel 5.56 has problems with entropy

Description:

Running

[d:\tmp]stunnel version
[ ] Clients allowed=4882
[.] stunnel 5.56 on i386-pc-os2-emx built by Paul Smedley on Aug 19 2020
[.] Compiled/running with OpenSSL 1.1.1g 21 Apr 2020
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

stunnel works as expected until the initial connection is terminated and a new connection is attempted. If the delay between termination and initiation is sufficiently long, the new connection attempt will fail with:

2020.08.29 12:53:14 LOG5[1]: Service [vnc] accepted connection from 127.0.0.1:51731
2020.08.29 12:53:14 LOG5[1]: s_connect: connected 173.60.91.116:15900
2020.08.29 12:53:14 LOG5[1]: Service [vnc] connected remote server from 192.168.10.2:51732
2020.08.29 12:53:14 LOG3[1]: error queue: ssl/statem/statem_clnt.c:1149: error:141E7044:SSL routines:tls_construct_client_hello:internal error
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:589: error:2406B072:random number generator:RAND_DRBG_generate:in error state
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:589: error:2406B072:random number generator:RAND_DRBG_generate:in error state
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:634: error:2406B076:random number generator:RAND_DRBG_generate:reseed error
2020.08.29 12:53:14 LOG3[1]: SSL_connect: crypto/rand/drbg_lib.c:446: error:2406E06E:random number generator:RAND_DRBG_reseed:error retrieving entropy
2020.08.29 12:53:14 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Restarting stunnel allows the connection to be set up correctly.

This might not be an entropy problem specifically. It may just be a reinitialization problem when starting a new connection. I will need a stunnel/openssl debug build to say more.

Tags: No tags attached.

Activities

psmedley (administrator), 2020-09-01 19:24, note ~0003529

I suspect this is related to entropy in openssl 1.1.1g. openssl 1.0.2t had rand_os2.c (http://svn.netlabs.org/repos/ports/openssl/trunk/crypto/rand/rand_os2.c)

With 1.1.1g we're running the unix code, which seemed to be working ok but I guess it isn't.

I'll look into adapting rand_os2 into 1.1.1g

psmedley (administrator), 2020-09-02 09:12, note ~0003530

Confirmed to be an openssl 1.1.1 bug:
openssl rand 10
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406B072:random number generator:RAND_DRBG_generate:in error state:crypto/rand/drbg_lib.c:589:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406B072:random number generator:RAND_DRBG_generate:in error state:crypto/rand/drbg_lib.c:589:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406B072:random number generator:RAND_DRBG_generate:in error state:crypto/rand/drbg_lib.c:589:

I've now tweaked crypto/rand/rand_unix.c and get:
openssl rand 10:
f÷®×µXÒ
(with the output changing each time it's run).

Will send a link to a new stunnel shortly

psmedley (administrator), 2020-09-02 09:15, note ~0003531

Please test with http://smedley.id.au/tmp/stunnel-5.56-os2-20200902.zip

Steven Levine (manager), 2020-09-04 14:55, note ~0003533

The 20200902 build seems to have resolved the issue.

I wonder if there is any benefit to figuring out what needs to be done to stabilize the unix code. I have to suspect that something is not getting reinitialized between the first and subsequent connection. It's also possible that we have an uninitialized variable and it is just by luck that the first connection works.

psmedley (administrator), 2020-09-04 15:30, note ~0003534

I'm leaning towards the latter (luck/uninitialised variable). As mentioned, 'openssl rand 10' failed with the same error as stunnel with the original code.

I'll share an updated openssl diff when I get a moment.

Issue History

Date Modified Username Field Change
2020-09-01 09:35 Steven Levine New Issue
2020-09-01 19:24 psmedley Note Added: 0003529
2020-09-02 09:12 psmedley Note Added: 0003530
2020-09-02 09:15 psmedley Assigned To => psmedley
2020-09-02 09:15 psmedley Status new => feedback
2020-09-02 09:15 psmedley Note Added: 0003531
2020-09-04 14:55 Steven Levine Note Added: 0003533
2020-09-04 14:55 Steven Levine Status feedback => assigned
2020-09-04 15:30 psmedley Note Added: 0003534
2020-09-04 18:28 psmedley Status assigned => resolved
2020-09-04 18:28 psmedley Resolution open => fixed