There is the mandatory call RAND_cleanup() before the exit of the program that uses RAND for the fips-140-2 compliance.
Created attachment 1781 [details] Patch solving the problem This is the patch which initilaizing the random device, ensure the call to RAND_cleanup at the exit of the program.
Is RAND_cleanup() signal-safe? (I suspect not, and if it's not then this potentially opens a signal race vulnerability in sshd, which is the reason why all use of atexit was removed from OpenSSH previously.)
RAND_cleanup() is not signal safe if the rand generator is supplied by an engine which would be released by the call (no other references than the generator). But this is irrelevant anyway as the functions registered with atexit() are called only in exit() calls and not in the default signal handler termination or in _exit(). If openssh called exit() in signal handler it would be a security problem anyway as this is signal handler unsafe call itself.
Created attachment 1828 [details] Alternate patch using cleanup_exit