ssh-keygen reports a fatal error while trying to update the comment field of an RSA1 key. The error reported is "Couldn't obtain random bytes (error 604389476)". This happens because somewhere between 3.0.2p1 and 3.1p1 (the two versions I examined), the calls to init_rng() and seed_rng() in the main function got moved from near the beginning of the function to after where all the options are processed. The function do_change_comment() handles the comment changing and is called during option processing. do_change_comment() calls a function to save the key file, which uses the random number generator, which has not been initialized or seeded, and therefore the random number generator reports an error. The simplest fix, in my opinion, is to move the calls to init_rng() and seed_rng() back to the beginning of the main function so the random number generator is always ready to be used. Since this program is not often called, the performance impact is negligible.
The error is not seen in current, I believe due to the fix to arc4random() to call seed_rng() correctly. Is there a way we can reduce the diff in terms of moving function calls around due to delaying RNG seeding?
http://www.eviladmin.org/cgi-bin/cvsweb.cgi/ssh-keygen.c.diff?r1=1.87&r2=1.88
http://www.eviladmin.org/cgi-bin/cvsweb.cgi/ssh-keygen.c.diff?r1=1.91&r2=1.92
We can just put the call to seed_rng() above all the actions. That is safe and "future-proof" at the cost of some extraneous processing for some options which don't need it. Alternately we can just move the change comment call to below the seed_rng call.
fixed: - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
Mass change of RESOLVED bugs to CLOSED
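The ordering problem discussed in this thread, as an added example that is not part of the bug report and is not OpenSSH source. It borrows the names seed_rng() and do_change_comment() from the thread, but their bodies, get_random_bytes(), run_keygen(), the toy generator and the seed value are hypothetical stand-ins. The lazy-seeding mode is modelled loosely on the reply's remark about arc4random() calling seed_rng().

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the functions named in the thread; not OpenSSH source. */
static int rng_seeded;          /* set once seed_rng() has run */
static int lazy_seed;           /* 1 = the consumer seeds on first use */
static unsigned int rng_state;

static void seed_rng(void) {
    rng_state = 0x2545F491u;    /* constructed placeholder seed, not real entropy */
    rng_seeded = 1;
}

/* Returns 0 on success, -1 for the "Couldn't obtain random bytes" condition. */
static int get_random_bytes(unsigned char *buf, size_t len) {
    if (!rng_seeded && lazy_seed) seed_rng();   /* defensive seeding on first use */
    if (!rng_seeded) return -1;
    for (size_t i = 0; i < len; i++) {
        rng_state = rng_state * 1103515245u + 12345u;   /* toy generator only */
        buf[i] = (unsigned char)(rng_state >> 16);
    }
    return 0;
}

/* Saving the key file consumes random bytes, as the report describes. */
static int do_change_comment(void) {
    unsigned char pad[8];
    return get_random_bytes(pad, sizeof(pad));
}

/* seed_first: 0 = seed after option processing (regressed order), 1 = seed first. */
int run_keygen(int argc, char **argv, int seed_first, int lazy) {
    int rc = 0;
    rng_seeded = 0; lazy_seed = lazy;
    if (seed_first) seed_rng();
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "-c") == 0)     /* action runs during option processing */
            rc = do_change_comment();
    if (!seed_first) seed_rng();
    return rc;
}

int main(void) {
    char *args[] = { "ssh-keygen", "-c", NULL };
    printf("seed after options: %d\n", run_keygen(2, args, 0, 0));
    printf("seed first:         %d\n", run_keygen(2, args, 1, 0));
    printf("lazy seeding:       %d\n", run_keygen(2, args, 0, 1));
    return 0;
}
```

Seeding first and lazy seeding both make the action succeed regardless of where it is dispatched; only the regressed order depends on call placement.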