diff options
author | Darren Tucker <dtucker@zip.com.au> | 2005-09-27 22:46:32 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2005-09-27 22:46:32 +1000 |
commit | c6f8219e0d4ee1f64fb7b4da88523c951a03c68a (patch) | |
tree | d861d4cbccee17f7de7c864e1d26634c0174741d | |
parent | f1377bdeed3ca7268c6a5d3fa171a09df7be9064 (diff) |
- (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
process when sshd relies on ssh-random-helper. Should result in faster
logins on systems without a real random device or prngd. ok djm@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | entropy.c | 32 | ||||
-rw-r--r-- | entropy.h | 7 | ||||
-rw-r--r-- | sshd.c | 14 |
4 files changed, 53 insertions, 5 deletions
@@ -1,6 +1,9 @@ | |||
1 | 20050927 | 1 | 20050927 |
2 | - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid | 2 | - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid |
3 | calls, since they can't possibly fail. ok djm@ | 3 | calls, since they can't possibly fail. ok djm@ |
4 | - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed | ||
5 | process when sshd relies on ssh-random-helper. Should result in faster | ||
6 | logins on systems without a real random device or prngd. ok djm@ | ||
4 | 7 | ||
5 | 20050924 | 8 | 20050924 |
6 | - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove | 9 | - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove |
@@ -3017,4 +3020,4 @@ | |||
3017 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 3020 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
3018 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 3021 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
3019 | 3022 | ||
3020 | $Id: ChangeLog,v 1.3895 2005/09/27 09:50:25 dtucker Exp $ | 3023 | $Id: ChangeLog,v 1.3896 2005/09/27 12:46:32 dtucker Exp $ |
@@ -26,6 +26,7 @@ | |||
26 | 26 | ||
27 | #include <openssl/rand.h> | 27 | #include <openssl/rand.h> |
28 | #include <openssl/crypto.h> | 28 | #include <openssl/crypto.h> |
29 | #include <openssl/err.h> | ||
29 | 30 | ||
30 | #include "ssh.h" | 31 | #include "ssh.h" |
31 | #include "misc.h" | 32 | #include "misc.h" |
@@ -33,6 +34,8 @@ | |||
33 | #include "atomicio.h" | 34 | #include "atomicio.h" |
34 | #include "pathnames.h" | 35 | #include "pathnames.h" |
35 | #include "log.h" | 36 | #include "log.h" |
37 | #include "buffer.h" | ||
38 | #include "bufaux.h" | ||
36 | 39 | ||
37 | /* | 40 | /* |
38 | * Portable OpenSSH PRNG seeding: | 41 | * Portable OpenSSH PRNG seeding: |
@@ -45,7 +48,7 @@ | |||
45 | * XXX: we should tell the child how many bytes we need. | 48 | * XXX: we should tell the child how many bytes we need. |
46 | */ | 49 | */ |
47 | 50 | ||
48 | RCSID("$Id: entropy.c,v 1.50 2005/09/27 09:50:25 dtucker Exp $"); | 51 | RCSID("$Id: entropy.c,v 1.51 2005/09/27 12:46:32 dtucker Exp $"); |
49 | 52 | ||
50 | #ifndef OPENSSL_PRNG_ONLY | 53 | #ifndef OPENSSL_PRNG_ONLY |
51 | #define RANDOM_SEED_SIZE 48 | 54 | #define RANDOM_SEED_SIZE 48 |
@@ -150,3 +153,30 @@ init_rng(void) | |||
150 | #endif | 153 | #endif |
151 | } | 154 | } |
152 | 155 | ||
156 | #ifndef OPENSSL_PRNG_ONLY | ||
157 | void | ||
158 | rexec_send_rng_seed(Buffer *m) | ||
159 | { | ||
160 | u_char buf[RANDOM_SEED_SIZE]; | ||
161 | |||
162 | if (RAND_bytes(buf, sizeof(buf)) <= 0) { | ||
163 | error("Couldn't obtain random bytes (error %ld)", | ||
164 | ERR_get_error()); | ||
165 | buffer_put_string(m, "", 0); | ||
166 | } else | ||
167 | buffer_put_string(m, buf, sizeof(buf)); | ||
168 | } | ||
169 | |||
170 | void | ||
171 | rexec_recv_rng_seed(Buffer *m) | ||
172 | { | ||
173 | char *buf; | ||
174 | u_int len; | ||
175 | |||
176 | buf = buffer_get_string_ret(m, &len); | ||
177 | if (buf != NULL) { | ||
178 | debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len); | ||
179 | RAND_add(buf, len, len); | ||
180 | } | ||
181 | } | ||
182 | #endif | ||
@@ -22,12 +22,17 @@ | |||
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
23 | */ | 23 | */ |
24 | 24 | ||
25 | /* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */ | 25 | /* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */ |
26 | 26 | ||
27 | #ifndef _RANDOMS_H | 27 | #ifndef _RANDOMS_H |
28 | #define _RANDOMS_H | 28 | #define _RANDOMS_H |
29 | 29 | ||
30 | #include "buffer.h" | ||
31 | |||
30 | void seed_rng(void); | 32 | void seed_rng(void); |
31 | void init_rng(void); | 33 | void init_rng(void); |
32 | 34 | ||
35 | void rexec_send_rng_seed(Buffer *); | ||
36 | void rexec_recv_rng_seed(Buffer *); | ||
37 | |||
33 | #endif /* _RANDOMS_H */ | 38 | #endif /* _RANDOMS_H */ |
@@ -800,6 +800,7 @@ send_rexec_state(int fd, Buffer *conf) | |||
800 | * bignum iqmp " | 800 | * bignum iqmp " |
801 | * bignum p " | 801 | * bignum p " |
802 | * bignum q " | 802 | * bignum q " |
803 | * string rngseed (only if OpenSSL is not self-seeded) | ||
803 | */ | 804 | */ |
804 | buffer_init(&m); | 805 | buffer_init(&m); |
805 | buffer_put_cstring(&m, buffer_ptr(conf)); | 806 | buffer_put_cstring(&m, buffer_ptr(conf)); |
@@ -816,6 +817,10 @@ send_rexec_state(int fd, Buffer *conf) | |||
816 | } else | 817 | } else |
817 | buffer_put_int(&m, 0); | 818 | buffer_put_int(&m, 0); |
818 | 819 | ||
820 | #ifndef OPENSSL_PRNG_ONLY | ||
821 | rexec_send_rng_seed(&m); | ||
822 | #endif | ||
823 | |||
819 | if (ssh_msg_send(fd, 0, &m) == -1) | 824 | if (ssh_msg_send(fd, 0, &m) == -1) |
820 | fatal("%s: ssh_msg_send failed", __func__); | 825 | fatal("%s: ssh_msg_send failed", __func__); |
821 | 826 | ||
@@ -858,6 +863,11 @@ recv_rexec_state(int fd, Buffer *conf) | |||
858 | rsa_generate_additional_parameters( | 863 | rsa_generate_additional_parameters( |
859 | sensitive_data.server_key->rsa); | 864 | sensitive_data.server_key->rsa); |
860 | } | 865 | } |
866 | |||
867 | #ifndef OPENSSL_PRNG_ONLY | ||
868 | rexec_recv_rng_seed(&m); | ||
869 | #endif | ||
870 | |||
861 | buffer_free(&m); | 871 | buffer_free(&m); |
862 | 872 | ||
863 | debug3("%s: done", __func__); | 873 | debug3("%s: done", __func__); |
@@ -1051,8 +1061,6 @@ main(int ac, char **av) | |||
1051 | drop_cray_privs(); | 1061 | drop_cray_privs(); |
1052 | #endif | 1062 | #endif |
1053 | 1063 | ||
1054 | seed_rng(); | ||
1055 | |||
1056 | sensitive_data.server_key = NULL; | 1064 | sensitive_data.server_key = NULL; |
1057 | sensitive_data.ssh1_host_key = NULL; | 1065 | sensitive_data.ssh1_host_key = NULL; |
1058 | sensitive_data.have_ssh1_key = 0; | 1066 | sensitive_data.have_ssh1_key = 0; |
@@ -1071,6 +1079,8 @@ main(int ac, char **av) | |||
1071 | if (!rexec_flag) | 1079 | if (!rexec_flag) |
1072 | buffer_free(&cfg); | 1080 | buffer_free(&cfg); |
1073 | 1081 | ||
1082 | seed_rng(); | ||
1083 | |||
1074 | /* Fill in default values for those options not explicitly set. */ | 1084 | /* Fill in default values for those options not explicitly set. */ |
1075 | fill_default_server_options(&options); | 1085 | fill_default_server_options(&options); |
1076 | 1086 | ||