Bug 11943

Summary: OpenSSL-1.1.1 RAND_write_file:Cannot open
Product: IPFire Reporter: Erik Kapfer <ummeegge>
Component: openssl Assignee: Erik Kapfer <ummeegge>
Status: CLOSED FIXED QA Contact: Peter Müller <peter.mueller>
Severity: Major Usability    
Priority: - Unknown -    
Version: 2   
Hardware: all   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 11913    

Description Erik Kapfer 2018-12-01 08:14:19 UTC
With the upcoming update to OpenSSL-1.1.1(a) there is a problem with the creation of the .rnd files.

.rnd files are regularly present (tested with <= Core 125) in:

-rw------- 1 nobody nobody 1024 Sep  1 09:07 /home/nobody/.rnd
-rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd
-rw------- 1 nobody nobody 1024 Sep 22 12:14 /var/tmp/.rnd
-rw------- 1 root root 1024 Jun 25 12:59 /.rnd
-rw------- 1 root root 1024 Nov 19 14:29 /root/.rnd

OpenSSL-1.1.1 does not create these files anymore and only error messages appear for OpenVPN and IPsec; the PKI generation itself worked so far for both, but the error message appears.

OpenSSL-1.1.1a seems to address this issue --> https://www.openssl.org/news/changelog.html#x1 and it does create one .rnd file under

-rw------- 1 root root 1024 Dec  1 07:40 /var/tmp/.rnd

which crashes the PKI generation of IPSec while creating a new one (fresh install).

Error message IPSec PKI generation:
OpenSSL has caused an error:
139952797528576:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/var/tmp/.rnd
139952797528576:error:24070079:random number generator:RAND_write_file:Cannot open file:crypto/rand/randfile.c:233:Filename=/var/tmp/.rnd

I think the problem is the permission since '/var/tmp/.rnd' is owned by root but it should be owned by nobody.

Error message OpenVPN PKI generation (didn't crash because no .rnd file is present):
Can't load /var/ipfire/ovpn/ca/.rnd into RNG
140361912357376:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/var/ipfire/ovpn/ca/.rnd

Best,

Erik
Comment 1 Erik Kapfer 2018-12-07 06:19:16 UTC
OpenSSL-1.1.1a fixes the .rnd creation problem so far but nevertheless leaves a problem for the IPSec structure on IPFire.
On OpenVPN the correct owner/permissions for .rnd are set during the PKI generation:

-rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd

It seems that OpenSSL uses the owner of the parent directory, which is nobody for OpenVPN (/var/ipfire/ovpn/ca/) but root for IPSec (/var/tmp).

Best,

Erik
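The failure described in the report and diagnosed in Comment 1 is a plain ownership/mode mismatch on the seed file: RAND_load_file()/RAND_write_file() open the .rnd file as the user running the PKI step (nobody), and in a world-writable directory such as /var/tmp the file may already have been created by a different user (root). The script below is an added example, not IPFire's code and not the linked commit; it is a pre-flight check a practitioner can run before the PKI generation. It assumes `stat -c` (GNU or busybox coreutils), models RAND_file_name()'s choice of file as `$RANDFILE` if set, otherwise `$HOME/.rnd` (the openssl CLI may also take RANDFILE from openssl.cnf; pass that value as the first argument to check it the same way), and all paths and user names in the demo are constructed for the example:

```shell
#!/bin/sh
# Added example, not IPFire's own code: pre-flight check for the OpenSSL
# seed file (.rnd) before a PKI generation step runs as an unprivileged user.
# Assumes GNU/busybox `stat -c`; file and user names in demo() are constructed.

# Model of RAND_file_name() for a non-setuid process: $RANDFILE if set,
# otherwise $HOME/.rnd.  (Assumption for the demo; the openssl CLI can also
# read RANDFILE from openssl.cnf, in which case pass that value as $1.)
rnd_path() {
    randfile=$1
    home=$2
    if [ -n "$randfile" ]; then
        printf '%s\n' "$randfile"
    else
        printf '%s/.rnd\n' "$home"
    fi
}

# rnd_check FILE USER
#   returns 0 : FILE exists, owned by USER, mode 600 -> load/write will work
#   returns 1 : FILE exists but owner or mode is wrong -> the failure in this bug
#   returns 2 : FILE absent -> it will be created by the first process that
#               writes it; in a 1777 directory such as /var/tmp that may be
#               root, after which 'nobody' can no longer open it
rnd_check() {
    file=$1
    user=$2
    if [ ! -e "$file" ]; then
        echo "WARN: $file absent; whoever runs openssl first will own it (wanted: $user)"
        return 2
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$user" ]; then
        echo "FAIL: $file owned by $owner, but PKI generation runs as $user"
        return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file has mode $mode, expected 600"
        return 1
    fi
    echo "OK: $file owned by $user, mode 600"
    return 0
}

# Demo on a constructed layout under a temp dir (no root needed).
demo() {
    me=$(id -un)
    tmp=$(mktemp -d)
    ovpn="$tmp/ovpn/ca"; mkdir -p "$ovpn"
    vartmp="$tmp/var/tmp"; mkdir -p "$vartmp"; chmod 1777 "$vartmp"

    # OpenVPN case from the report: the seed file is created by the PKI user itself
    : > "$ovpn/.rnd"; chmod 600 "$ovpn/.rnd"
    rnd_check "$ovpn/.rnd" "$me"

    # IPsec case: the file is already there, owned by a different user
    : > "$vartmp/.rnd"; chmod 600 "$vartmp/.rnd"
    rnd_check "$vartmp/.rnd" "nobody" || true

    # which file RAND_file_name() would pick without and with RANDFILE set
    rnd_path "" "$tmp/home/nobody"
    rnd_path "$vartmp/.rnd" "$tmp/home/nobody"

    rm -rf "$tmp"
}
demo
```

Run `rnd_check` with the path the PKI step will actually use and the user it runs as; a return of 1 is exactly the situation from the error message above (a root-owned /var/tmp/.rnd with the generation running as nobody), and a return of 2 is the window in which a process running as another user can create the file first. The usual remedies are to pre-create the file with the right owner and mode 600, or to point RANDFILE at a directory the PKI user owns rather than a shared temp directory.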
Comment 2 Erik Kapfer 2018-12-07 12:25:04 UTC
Potential fix can look like this --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=5a8e18bfe7e378a7ef89aa128b43cc966fc76e2c.

Tests look good.

Erik
Comment 3 Peter Müller 2019-01-02 20:55:53 UTC
Erik, may I assign this to you?

Lacking spare time for OpenSSL at the moment, and it looks like you are more deeply into this.

Thank you!