author | Damien Miller <djm@mindrot.org> | 2000-05-02 09:56:41 +1000 |
committer | Damien Miller <djm@mindrot.org> | 2000-05-02 09:56:41 +1000 |
commit | 0437b33e54fd72060d17908d6abf96bfabaacad2 (patch) | |
tree | f4fe0e394d30b915b5647c8c6d48c86b43337c96 | |
parent | 6f83b8e34d3dc8227d7cf39989c5966abde2305e (diff) |
- Add Andre Lucas' <andre.lucas@dial.pipex.com> patch to read entropy
gathering commands from a text file
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | Makefile.in | 8 | ||||
-rw-r--r-- | acconfig.h | 17 | ||||
-rw-r--r-- | aclocal.m4 | 15 | ||||
-rw-r--r-- | configure.in | 83 | ||||
-rw-r--r-- | entropy.c | 207 | ||||
-rw-r--r-- | log-server.c | 4 | ||||
-rw-r--r-- | ssh.h | 5 | ||||
-rw-r--r-- | ssh_prng_cmds.in | 50 |
9 files changed, 245 insertions, 146 deletions
@@ -14,6 +14,8 @@ | |||
14 | - unlink pid file, ok niels@ | 14 | - unlink pid file, ok niels@ |
15 | [auth2.c] | 15 | [auth2.c] |
16 | - Add missing #ifdefs; ok - markus | 16 | - Add missing #ifdefs; ok - markus |
17 | - Add Andre Lucas' <andre.lucas@dial.pipex.com> patch to read entropy | ||
18 | gathering commands from a text file | ||
17 | - Release 2.0.0beta1 | 19 | - Release 2.0.0beta1 |
18 | 20 | ||
19 | 20000501 | 21 | 20000501 |
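--- a/Makefile.in
+++ b/Makefile.in
@@ -29,6 +29,8 @@ INSTALL=@INSTALL@
 PERL=@PERL@
 LDFLAGS=-L. @LDFLAGS@
 
+INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
+
 TARGETS=ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS)
 
 LIBOBJS= atomicio.o authfd.o authfile.o bsd-bindresvport.o bsd-daemon.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o fake-getaddrinfo.o fake-getnameinfo.o fingerprint.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
@@ -80,7 +82,7 @@ $(MANPAGES) $(CONFIGFILES)::
 
 clean:
 rm -f *.o *.a $(TARGETS) config.status config.cache config.log
-rm -f *.out core
+rm -f *.out ssh_prng_cmds core
 
 distclean: clean
 rm -f Makefile config.h core *~
@@ -125,6 +127,9 @@ install: manpages $(TARGETS)
 $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
 $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
 fi
+if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
+$(INSTALL) -m 644 ssh_prng_cmds $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \
+fi
 
 host-key: ssh-keygen
 ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N ''
@@ -132,6 +137,7 @@ host-key: ssh-keygen
 uninstallall: uninstall
 -rm -f $(DESTDIR)$(sysconfdir)/ssh_config
 -rm -f $(DESTDIR)$(sysconfdir)/sshd_config
+-rm -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds
 -rmdir $(DESTDIR)$(sysconfdir)
 -rmdir $(DESTDIR)$(bindir)
 -rmdir $(DESTDIR)$(sbindir)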
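Review bot: The new install step in the third hunk copies ssh_prng_cmds over any existing $(DESTDIR)$(sysconfdir)/ssh_prng_cmds unconditionally, so an administrator's locally edited command list is replaced on every reinstall. The ssh_config/sshd_config installs just above it sit inside an `if` whose condition is outside the hunk and presumably guards against exactly that; the new rule should carry the same guard, `if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" -a ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ]; then \`. Because sshd executes the programs this file names, preserving the administrator's reviewed copy matters beyond convenience.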
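--- a/acconfig.h
+++ b/acconfig.h
@@ -153,23 +153,6 @@
 /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
 #undef IPV4_IN_IPV6
 
-/* Programs used in entropy collection */
-#undef PROG_LS
-#undef PROG_NETSTAT
-#undef PROG_ARP
-#undef PROG_IFCONFIG
-#undef PROG_PS
-#undef PROG_W
-#undef PROG_WHO
-#undef PROG_LAST
-#undef PROG_LASTLOG
-#undef PROG_DF
-#undef PROG_VMSTAT
-#undef PROG_UPTIME
-#undef PROG_IPCS
-#undef PROG_TAIL
-
-
 @BOTTOM@
 
 /* ******************* Shouldn't need to edit below this line ************** */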
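--- /dev/null
+++ b/aclocal.m4
@@ -0,0 +1,15 @@
+dnl $Id: aclocal.m4,v 1.1 2000/05/01 23:57:51 damien Exp $
+dnl
+dnl OpenSSH-specific autoconf macros
+dnl
+
+dnl AC_PATH_ENTROPY_PROG(variablename, command):
+dnl Tidiness function, sets 'undef' if not found, and does the AC_SUBST
+AC_DEFUN(AC_PATH_ENTROPY_PROG, [
+AC_PATH_PROG([$1], [$2])
+if test -z "[$]$1" ; then
+$1="undef"
+fi
+AC_SUBST([$1])
+])
+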
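Review bot: `AC_PATH_ENTROPY_PROG` is a project-local macro but carries the `AC_` prefix that autoconf reserves for its own macros, so a later autoconf release defining a macro of that name would silently replace this one. A project prefix and a quoted name, `AC_DEFUN([OSSH_PATH_ENTROPY_PROG], [`, avoids that, with the calls in configure.in renamed to match. The header comment should also state that the literal string `undef` is a contract: entropy.c skips any entry whose path compares equal to that text, so the marker cannot be changed on one side alone.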
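--- a/configure.in
+++ b/configure.in
@@ -637,66 +637,31 @@ AC_ARG_WITH(egd-pool,
 ]
 )
 
+# detect pathnames for entropy gathering commands, if we need them
+INSTALL_SSH_PRNG_CMDS=""
+rm -f prng_commands
 if test -z "$RANDOM_POOL" -a -z "$EGD_SOCKET" ; then
 # Use these commands to collect entropy
-AC_PATH_PROG(PROG_LS, ls)
-AC_PATH_PROG(PROG_NETSTAT, netstat)
-AC_PATH_PROG(PROG_ARP, arp)
-AC_PATH_PROG(PROG_IFCONFIG, ifconfig)
-AC_PATH_PROG(PROG_PS, ps)
-AC_PATH_PROG(PROG_W, w)
-AC_PATH_PROG(PROG_WHO, who)
-AC_PATH_PROG(PROG_LAST, last)
-AC_PATH_PROG(PROG_LASTLOG, lastlog)
-AC_PATH_PROG(PROG_DF, df)
-AC_PATH_PROG(PROG_VMSTAT, vmstat)
-AC_PATH_PROG(PROG_UPTIME, uptime)
-AC_PATH_PROG(PROG_IPCS, ipcs)
-AC_PATH_PROG(PROG_TAIL, tail)
-AC_PATH_PROG(PROG_LS, ls)
-if test ! -z "$PROG_LS" ; then
-AC_DEFINE_UNQUOTED(PROG_LS, "$PROG_LS")
-fi
-if test ! -z "$PROG_NETSTAT" ; then
-AC_DEFINE_UNQUOTED(PROG_NETSTAT, "$PROG_NETSTAT")
-fi
-if test ! -z "$PROG_ARP" ; then
-AC_DEFINE_UNQUOTED(PROG_ARP, "$PROG_ARP")
-fi
-if test ! -z "$PROG_IFCONFIG" ; then
-AC_DEFINE_UNQUOTED(PROG_IFCONFIG, "$PROG_IFCONFIG")
-fi
-if test ! -z "$PROG_PS" ; then
-AC_DEFINE_UNQUOTED(PROG_PS, "$PROG_PS")
-fi
-if test ! -z "$PROG_W" ; then
-AC_DEFINE_UNQUOTED(PROG_W, "$PROG_W")
-fi
-if test ! -z "$PROG_WHO" ; then
-AC_DEFINE_UNQUOTED(PROG_WHO, "$PROG_WHO")
-fi
-if test ! -z "$PROG_LAST" ; then
-AC_DEFINE_UNQUOTED(PROG_LAST, "$PROG_LAST")
-fi
-if test ! -z "$PROG_LASTLOG" ; then
-AC_DEFINE_UNQUOTED(PROG_LASTLOG, "$PROG_LASTLOG")
-fi
-if test ! -z "$PROG_DF" ; then
-AC_DEFINE_UNQUOTED(PROG_DF, "$PROG_DF")
-fi
-if test ! -z "$PROG_VMSTAT" ; then
-AC_DEFINE_UNQUOTED(PROG_VMSTAT, "$PROG_VMSTAT")
-fi
-if test ! -z "$PROG_UPTIME" ; then
-AC_DEFINE_UNQUOTED(PROG_UPTIME, "$PROG_UPTIME")
-fi
-if test ! -z "$PROG_UPTIME" ; then
-AC_DEFINE_UNQUOTED(PROG_UPTIME, "$PROG_UPTIME")
-fi
-if test ! -z "$PROG_TAIL" ; then
-AC_DEFINE_UNQUOTED(PROG_TAIL, "$PROG_TAIL")
-fi
+AC_PATH_ENTROPY_PROG(PROG_LS, ls)
+AC_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat)
+AC_PATH_ENTROPY_PROG(PROG_ARP, arp)
+AC_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
+AC_PATH_ENTROPY_PROG(PROG_PS, ps)
+AC_PATH_ENTROPY_PROG(PROG_W, w)
+AC_PATH_ENTROPY_PROG(PROG_WHO, who)
+AC_PATH_ENTROPY_PROG(PROG_LAST, last)
+AC_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog)
+AC_PATH_ENTROPY_PROG(PROG_DF, df)
+AC_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat)
+AC_PATH_ENTROPY_PROG(PROG_UPTIME, uptime)
+AC_PATH_ENTROPY_PROG(PROG_IPCS, ipcs)
+AC_PATH_ENTROPY_PROG(PROG_TAIL, tail)
+AC_PATH_ENTROPY_PROG(PROG_LS, ls)
+
+INSTALL_SSH_PRNG_CMDS="yes"
 fi
+AC_SUBST(INSTALL_SSH_PRNG_CMDS)
+
 
 AC_ARG_WITH(catman,
 [ --with-catman=man|cat Install preformatted manpages[no]],
@@ -932,4 +897,6 @@ if test ! -z "$blibpath" ; then
 AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile])
 fi
 
-AC_OUTPUT(Makefile)
+AC_OUTPUT(Makefile ssh_prng_cmds)
+
+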
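Review bot: `rm -f prng_commands` at the top of the first hunk names a file that nothing in this commit generates; the output file added to AC_OUTPUT in the second hunk is ssh_prng_cmds, so the removal is a no-op and should read `rm -f ssh_prng_cmds` (or be dropped, since Makefile's clean target already removes it). The first hunk also calls `AC_PATH_ENTROPY_PROG(PROG_LS, ls)` twice, at the start and end of the list; the duplicate was carried over from the old block and can go. Note too that ssh_prng_cmds is generated even when RANDOM_POOL or EGD_SOCKET is set, in which case the PROG_* variables are never substituted and the file keeps literal `@PROG_LS@` placeholders; harmless because INSTALL_SSH_PRNG_CMDS stays empty, but a one-line comment next to AC_OUTPUT saying so would save the next reader a puzzle.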
@@ -35,7 +35,7 @@ | |||
35 | #include <openssl/rand.h> | 35 | #include <openssl/rand.h> |
36 | #include <openssl/sha.h> | 36 | #include <openssl/sha.h> |
37 | 37 | ||
38 | RCSID("$Id: entropy.c,v 1.7 2000/05/01 14:03:56 damien Exp $"); | 38 | RCSID("$Id: entropy.c,v 1.8 2000/05/01 23:56:41 damien Exp $"); |
39 | 39 | ||
40 | #ifdef EGD_SOCKET | 40 | #ifdef EGD_SOCKET |
41 | #ifndef offsetof | 41 | #ifndef offsetof |
@@ -111,8 +111,6 @@ void get_random_bytes(unsigned char *buf, int len) | |||
111 | * FIXME: proper entropy estimations. All current values are guesses | 111 | * FIXME: proper entropy estimations. All current values are guesses |
112 | * FIXME: (ATL) do estimates at compile time? | 112 | * FIXME: (ATL) do estimates at compile time? |
113 | * FIXME: More entropy sources | 113 | * FIXME: More entropy sources |
114 | * FIXME: (ATL) bring in entropy sources from file | ||
115 | * FIXME: (ATL) add heuristic to increase the timeout if needed | ||
116 | */ | 114 | */ |
117 | 115 | ||
118 | /* slow command timeouts (all in milliseconds) */ | 116 | /* slow command timeouts (all in milliseconds) */ |
@@ -120,7 +118,8 @@ void get_random_bytes(unsigned char *buf, int len) | |||
120 | static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC; | 118 | static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC; |
121 | 119 | ||
122 | static int prng_seed_loaded = 0; | 120 | static int prng_seed_loaded = 0; |
123 | static int prng_seed_saved = 0; | 121 | static int prng_seed_saved = 0; |
122 | static int prng_commands_loaded = 0; | ||
124 | 123 | ||
125 | typedef struct | 124 | typedef struct |
126 | { | 125 | { |
@@ -131,9 +130,9 @@ typedef struct | |||
131 | /* Increases by factor of two each timeout */ | 130 | /* Increases by factor of two each timeout */ |
132 | unsigned int sticky_badness; | 131 | unsigned int sticky_badness; |
133 | /* Path to executable */ | 132 | /* Path to executable */ |
134 | const char *path; | 133 | char *path; |
135 | /* argv to pass to executable */ | 134 | /* argv to pass to executable */ |
136 | const char *args[5]; | 135 | char *args[5]; |
137 | } entropy_source_t; | 136 | } entropy_source_t; |
138 | 137 | ||
139 | double stir_from_system(void); | 138 | double stir_from_system(void); |
@@ -143,67 +142,10 @@ double stir_clock(double entropy_estimate); | |||
143 | double stir_rusage(int who, double entropy_estimate); | 142 | double stir_rusage(int who, double entropy_estimate); |
144 | double hash_output_from_command(entropy_source_t *src, char *hash); | 143 | double hash_output_from_command(entropy_source_t *src, char *hash); |
145 | 144 | ||
146 | entropy_source_t entropy_sources[] = { | 145 | /* this is initialised from a file, by prng_read_commands() */ |
147 | #ifdef PROG_LS | 146 | entropy_source_t *entropy_sources = NULL; |
148 | { 0.002, 0, 1, PROG_LS, { "ls", "-alni", "/var/log", NULL } }, | 147 | #define MIN_ENTROPY_SOURCES 16 |
149 | { 0.002, 0, 1, PROG_LS, { "ls", "-alni", "/var/adm", NULL } }, | 148 | |
150 | { 0.002, 0, 1, PROG_LS, { "ls", "-alni", "/var/mail", NULL } }, | ||
151 | { 0.002, 0, 1, PROG_LS, { "ls", "-alni", "/var/spool/mail", NULL } }, | ||
152 | { 0.002, 0, 1, PROG_LS, { "ls", "-alni", "/proc", NULL } }, | ||
153 | { 0.002, 0, 1, PROG_LS, { "ls", "-alni", "/tmp", NULL } }, | ||
154 | #endif | ||
155 | #ifdef PROG_NETSTAT | ||
156 | { 0.005, 0, 1, PROG_NETSTAT, { "netstat","-an", NULL, NULL } }, | ||
157 | { 0.010, 0, 1, PROG_NETSTAT, { "netstat","-in", NULL, NULL } }, | ||
158 | { 0.002, 0, 1, PROG_NETSTAT, { "netstat","-rn", NULL, NULL } }, | ||
159 | { 0.002, 0, 1, PROG_NETSTAT, { "netstat","-s", NULL, NULL } }, | ||
160 | #endif | ||
161 | #ifdef PROG_ARP | ||
162 | { 0.002, 0, 1, PROG_ARP, { "arp","-a","-n", NULL } }, | ||
163 | #endif | ||
164 | #ifdef PROG_IFCONFIG | ||
165 | { 0.002, 0, 1, PROG_IFCONFIG, { "ifconfig", "-a", NULL, NULL } }, | ||
166 | #endif | ||
167 | #ifdef PROG_PS | ||
168 | { 0.003, 0, 1, PROG_PS, { "ps", "laxww", NULL, NULL } }, | ||
169 | { 0.003, 0, 1, PROG_PS, { "ps", "-al", NULL, NULL } }, | ||
170 | { 0.003, 0, 1, PROG_PS, { "ps", "-efl", NULL, NULL } }, | ||
171 | #endif | ||
172 | #ifdef PROG_W | ||
173 | { 0.005, 0, 1, PROG_W, { "w", NULL, NULL, NULL } }, | ||
174 | #endif | ||
175 | #ifdef PROG_WHO | ||
176 | { 0.001, 0, 1, PROG_WHO, { "who","-i", NULL, NULL } }, | ||
177 | #endif | ||
178 | #ifdef PROG_LAST | ||
179 | { 0.001, 0, 1, PROG_LAST, { "last", NULL, NULL, NULL } }, | ||
180 | #endif | ||
181 | #ifdef PROG_LASTLOG | ||
182 | { 0.001, 0, 1, PROG_LASTLOG, { "lastlog", NULL, NULL, NULL } }, | ||
183 | #endif | ||
184 | #ifdef PROG_DF | ||
185 | { 0.010, 0, 1, PROG_DF, { "df", NULL, NULL, NULL } }, | ||
186 | { 0.010, 0, 1, PROG_DF, { "df", "-i", NULL, NULL } }, | ||
187 | #endif | ||
188 | #ifdef PROG_VMSTAT | ||
189 | { 0.010, 0, 1, PROG_VMSTAT, { "vmstat", NULL, NULL, NULL } }, | ||
190 | #endif | ||
191 | #ifdef PROG_UPTIME | ||
192 | { 0.001, 0, 1, PROG_UPTIME, { "uptime", NULL, NULL, NULL } }, | ||
193 | #endif | ||
194 | #ifdef PROG_IPCS | ||
195 | { 0.001, 0, 1, PROG_IPCS, { "-a", NULL, NULL, NULL } }, | ||
196 | #endif | ||
197 | #ifdef PROG_TAIL | ||
198 | { 0.001, 0, 1, PROG_TAIL, { "tail", "-200", "/var/log/messages", NULL, NULL } }, | ||
199 | { 0.001, 0, 1, PROG_TAIL, { "tail", "-200", "/var/log/syslog", NULL, NULL } }, | ||
200 | { 0.001, 0, 1, PROG_TAIL, { "tail", "-200", "/var/adm/messages", NULL, NULL } }, | ||
201 | { 0.001, 0, 1, PROG_TAIL, { "tail", "-200", "/var/adm/syslog", NULL, NULL } }, | ||
202 | { 0.001, 0, 1, PROG_TAIL, { "tail", "-200", "/var/log/maillog", NULL, NULL } }, | ||
203 | { 0.001, 0, 1, PROG_TAIL, { "tail", "-200", "/var/adm/maillog", NULL, NULL } }, | ||
204 | #endif | ||
205 | { 0.000, 0, 0, NULL, { NULL, NULL, NULL, NULL, NULL } }, | ||
206 | }; | ||
207 | 149 | ||
208 | double | 150 | double |
209 | stir_from_system(void) | 151 | stir_from_system(void) |
@@ -597,6 +539,131 @@ prng_read_seedfile(void) { | |||
597 | RAND_add(&seed, sizeof(seed), 0.0); | 539 | RAND_add(&seed, sizeof(seed), 0.0); |
598 | } | 540 | } |
599 | 541 | ||
542 | |||
543 | /* | ||
544 | * entropy command initialisation functions | ||
545 | */ | ||
546 | #define WHITESPACE " \t\n" | ||
547 | |||
548 | int | ||
549 | prng_read_commands(char *cmdfilename) | ||
550 | { | ||
551 | FILE *f; | ||
552 | char line[1024]; | ||
553 | char cmd[1024], path[256]; | ||
554 | double est; | ||
555 | char *cp; | ||
556 | int linenum; | ||
557 | entropy_source_t *entcmd; | ||
558 | int num_cmds = 64; | ||
559 | int cur_cmd = 0; | ||
560 | |||
561 | f = fopen(cmdfilename, "r"); | ||
562 | if (!f) { | ||
563 | fatal("couldn't read entropy commands file %.100s: %.100s", | ||
564 | cmdfilename, strerror(errno)); | ||
565 | } | ||
566 | |||
567 | linenum = 0; | ||
568 | |||
569 | entcmd = (entropy_source_t *)xmalloc(num_cmds * sizeof(entropy_source_t)); | ||
570 | memset(entcmd, '\0', num_cmds * sizeof(entropy_source_t)); | ||
571 | |||
572 | while (fgets(line, sizeof(line), f)) { | ||
573 | linenum++; | ||
574 | |||
575 | /* skip leading whitespace, test for blank line or comment */ | ||
576 | cp = line + strspn(line, WHITESPACE); | ||
577 | if ((*cp == 0) || (*cp == '#')) | ||
578 | continue; /* done with this line */ | ||
579 | |||
580 | switch (*cp) { | ||
581 | int arg; | ||
582 | char *argv; | ||
583 | |||
584 | case '"': | ||
585 | /* first token, command args (incl. argv[0]) in double quotes */ | ||
586 | cp = strtok(cp, "\""); | ||
587 | if (cp==NULL) { | ||
588 | error("missing or bad command string, %.100s line %d -- ignored", | ||
589 | cmdfilename, linenum); | ||
590 | continue; | ||
591 | } | ||
592 | strncpy(cmd, cp, sizeof(cmd)); | ||
593 | /* second token, full command path */ | ||
594 | if ((cp = strtok(NULL, WHITESPACE)) == NULL) { | ||
595 | error("missing command path, %.100s line %d -- ignored", | ||
596 | cmdfilename, linenum); | ||
597 | continue; | ||
598 | } | ||
599 | if (strncmp("undef", cp, 5)==0) /* did configure mark this as dead? */ | ||
600 | continue; | ||
601 | |||
602 | strncpy(path, cp, sizeof(path)); | ||
603 | /* third token, entropy rate estimate for this command */ | ||
604 | if ( (cp = strtok(NULL, WHITESPACE)) == NULL) { | ||
605 | error("missing entropy estimate, %.100s line %d -- ignored", | ||
606 | cmdfilename, linenum); | ||
607 | continue; | ||
608 | } | ||
609 | est = strtod(cp, &argv);/* FIXME: (ATL) no error checking here */ | ||
610 | |||
611 | /* end of line */ | ||
612 | if ((cp = strtok(NULL, WHITESPACE)) != NULL) { | ||
613 | error("garbage at end of line %d in %.100s -- ignored", | ||
614 | linenum, cmdfilename); | ||
615 | continue; | ||
616 | } | ||
617 | |||
618 | /* split the command args */ | ||
619 | cp = strtok(cmd, WHITESPACE); | ||
620 | arg = 0; argv = NULL; | ||
621 | do { | ||
622 | char *s = (char*)xmalloc(strlen(cp)+1); | ||
623 | strncpy(s, cp, strlen(cp)+1); | ||
624 | entcmd[cur_cmd].args[arg] = s; | ||
625 | arg++; | ||
626 | } while ((arg < 5) && (cp = strtok(NULL, WHITESPACE))); | ||
627 | if (strtok(NULL, WHITESPACE)) | ||
628 | error("ignored extra command elements (max 5), %.100s line %d", | ||
629 | cmdfilename, linenum); | ||
630 | |||
631 | /* copy the command path and rate estimate */ | ||
632 | entcmd[cur_cmd].path = (char *)xmalloc(strlen(path)+1); | ||
633 | strncpy(entcmd[cur_cmd].path, path, strlen(path)+1); | ||
634 | entcmd[cur_cmd].rate = est; | ||
635 | /* initialise other values */ | ||
636 | entcmd[cur_cmd].sticky_badness = 1; | ||
637 | |||
638 | cur_cmd++; | ||
639 | |||
640 | /* If we've filled the array, reallocate it twice the size */ | ||
641 | /* Do this now because even if this we're on the last command, | ||
642 | we need another slot to mark the last entry */ | ||
643 | if (cur_cmd == num_cmds) { | ||
644 | num_cmds *= 2; | ||
645 | entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t)); | ||
646 | } | ||
647 | break; | ||
648 | |||
649 | default: | ||
650 | error("bad entropy command, %.100s line %d", cmdfilename, | ||
651 | linenum); | ||
652 | continue; | ||
653 | } | ||
654 | } | ||
655 | |||
656 | /* zero the last entry */ | ||
657 | memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t)); | ||
658 | /* trim to size */ | ||
659 | entropy_sources = xrealloc(entcmd, (cur_cmd+1) * sizeof(entropy_source_t)); | ||
660 | |||
661 | debug("loaded %d entropy commands from %.100s", cur_cmd, cmdfilename); | ||
662 | |||
663 | return (cur_cmd >= MIN_ENTROPY_SOURCES); | ||
664 | } | ||
665 | |||
666 | |||
600 | #endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ | 667 | #endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ |
601 | 668 | ||
602 | #if defined(EGD_SOCKET) || defined(RANDOM_POOL) | 669 | #if defined(EGD_SOCKET) || defined(RANDOM_POOL) |
@@ -634,6 +701,12 @@ prng_seed_cleanup(void *junk) | |||
634 | void | 701 | void |
635 | seed_rng(void) | 702 | seed_rng(void) |
636 | { | 703 | { |
704 | if (!prng_commands_loaded) { | ||
705 | if (!prng_read_commands(SSH_PRNG_COMMAND_FILE)) | ||
706 | fatal("PRNG initialisation failed -- exiting."); | ||
707 | prng_commands_loaded = 1; | ||
708 | } | ||
709 | |||
637 | debug("Seeding random number generator."); | 710 | debug("Seeding random number generator."); |
638 | debug("OpenSSL random status is now %i\n", RAND_status()); | 711 | debug("OpenSSL random status is now %i\n", RAND_status()); |
639 | debug("%i bytes from system calls", (int)stir_from_system()); | 712 | debug("%i bytes from system calls", (int)stir_from_system()); |
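Review bot: In prng_read_commands, `strncpy(path, cp, sizeof(path))` copies a token that can be nearly as long as the 1024-byte `line` into the 256-byte `path` without guaranteeing a terminator, and the `strlen(path)` used to size the xmalloc a few lines later then reads past the array; the line should be rejected when the token does not fit, or copied with strlcpy (bsd-strlcpy.o is already in LIBOBJS). The argument loop fills all five `args` slots when a command has five words, leaving no terminating NULL even though the static table this replaces always kept one (see the removed tail entries), and the `xrealloc` that grows `entcmd` does not zero the new slots, so `args` of later entries can hold stale memory; `f` is also never `fclose`d. Since sshd executes the programs named in this file, I would additionally `fstat` the stream and refuse a file that is not root-owned or is group/world writable before trusting its contents; this assumes includes.h already provides sys/stat.h, which I cannot confirm from the hunk. The rewritten lines follow.
```c
	struct stat st;		/* add to the locals */
	/* … unchanged: other locals … */
	f = fopen(cmdfilename, "r");
	if (!f) {
		fatal("couldn't read entropy commands file %.100s: %.100s",
			cmdfilename, strerror(errno));
	}
	/* the programs named here run with sshd's privileges: only trust a
	 * root-owned file that nobody else can write */
	if (fstat(fileno(f), &st) == -1 || st.st_uid != 0 ||
	    (st.st_mode & 022) != 0)
		fatal("entropy commands file %.100s must be owned by root and not writable by others",
			cmdfilename);
	/* … unchanged: allocate entcmd, read lines, parse the quoted command … */
			if (strlen(cp) >= sizeof(path)) {
				error("command path too long, %.100s line %d -- ignored",
					cmdfilename, linenum);
				continue;
			}
			strlcpy(path, cp, sizeof(path));
	/* … unchanged: entropy estimate, end-of-line check … */
			/* stop at four words so args[] always ends in a NULL slot */
			} while ((arg < 4) && (cp = strtok(NULL, WHITESPACE)));
			if (strtok(NULL, WHITESPACE))
				error("ignored extra command elements (max 4), %.100s line %d",
					cmdfilename, linenum);
	/* … unchanged: copy path and rate, bump cur_cmd … */
			if (cur_cmd == num_cmds) {
				num_cmds *= 2;
				entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t));
				/* zero the new slots so unused args[] entries stay NULL */
				memset(&entcmd[cur_cmd], '\0',
				    (num_cmds - cur_cmd) * sizeof(entropy_source_t));
			}
	/* … unchanged: default case, end of read loop … */
	fclose(f);
	/* zero the last entry */
	memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t));
```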
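--- a/log-server.c
+++ b/log-server.c
@@ -15,7 +15,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: log-server.c,v 1.9 2000/04/16 01:18:43 damien Exp $");
+RCSID("$Id: log-server.c,v 1.10 2000/05/01 23:56:42 damien Exp $");
 
 #include <syslog.h>
 #include "packet.h"
@@ -25,7 +25,7 @@ RCSID("$Id: log-server.c,v 1.9 2000/04/16 01:18:43 damien Exp $");
 #ifdef HAVE___PROGNAME
 extern char *__progname;
 #else /* HAVE___PROGNAME */
-const char *__progname = "sshd";
+static const char *__progname = "sshd";
 #endif /* HAVE___PROGNAME */
 
 static LogLevel log_level = SYSLOG_LEVEL_INFO;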
@@ -13,7 +13,7 @@ | |||
13 | * | 13 | * |
14 | */ | 14 | */ |
15 | 15 | ||
16 | /* RCSID("$Id: ssh.h,v 1.36 2000/04/29 23:30:46 damien Exp $"); */ | 16 | /* RCSID("$Id: ssh.h,v 1.37 2000/05/01 23:56:42 damien Exp $"); */ |
17 | 17 | ||
18 | #ifndef SSH_H | 18 | #ifndef SSH_H |
19 | #define SSH_H | 19 | #define SSH_H |
@@ -129,6 +129,9 @@ | |||
129 | #ifndef SSH_PRNG_SEED_FILE | 129 | #ifndef SSH_PRNG_SEED_FILE |
130 | # define SSH_PRNG_SEED_FILE SSH_USER_DIR"/prng_seed" | 130 | # define SSH_PRNG_SEED_FILE SSH_USER_DIR"/prng_seed" |
131 | #endif /* SSH_PRNG_SEED_FILE */ | 131 | #endif /* SSH_PRNG_SEED_FILE */ |
132 | #ifndef SSH_PRNG_COMMAND_FILE | ||
133 | # define SSH_PRNG_COMMAND_FILE ETCDIR "/ssh_prng_cmds" | ||
134 | #endif /* SSH_PRNG_COMMAND_FILE */ | ||
132 | 135 | ||
133 | /* | 136 | /* |
134 | * Per-user file containing host keys of known hosts. This file need not be | 137 | * Per-user file containing host keys of known hosts. This file need not be |
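--- /dev/null
+++ b/ssh_prng_cmds.in
@@ -0,0 +1,50 @@
+# entropy gathering commands
+
+# Format is: "program-name args" path rate
+
+# The "rate" represents the number of bits of usuable entropy per
+# byte of command output. Be conservative.
+
+"ls -alni /var/log" @PROG_LS@ 0.002
+"ls -alni /var/adm" @PROG_LS@ 0.002
+"ls -alni /var/mail" @PROG_LS@ 0.002
+"ls -alni /var/spool/mail" @PROG_LS@ 0.002
+"ls -alni /proc" @PROG_LS@ 0.002
+"ls -alni /tmp" @PROG_LS@ 0.002
+
+"netstat -an" @PROG_NETSTAT@ 0.005
+"netstat -in" @PROG_NETSTAT@ 0.010
+"netstat -rn" @PROG_NETSTAT@ 0.002
+"netstat -s" @PROG_NETSTAT@ 0.002
+
+"arp -a -n" @PROG_ARP@ 0.002
+
+"ifconfig -a" @PROG_IFCONFIG@ 0.002
+
+"ps laxww" @PROG_PS@ 0.003
+"ps -al" @PROG_PS@ 0.003
+"ps -efl" @PROG_PS@ 0.003
+
+"w" @PROG_W@ 0.005
+
+"who -i" @PROG_WHO@ 0.001
+
+"last" @PROG_LAST@ 0.001
+
+"lastlog" @PROG_LASTLOG@ 0.001
+
+"df" @PROG_DF@ 0.010
+"df -i" @PROG_DF@ 0.010
+
+"vmstat" @PROG_VMSTAT@ 0.010
+"uptime" @PROG_UPTIME@ 0.001
+
+"ipcs -a" @PROG_IPCS@ 0.001
+
+"tail -200 /var/log/messages" @PROG_TAIL@ 0.001
+"tail -200 /var/log/syslog" @PROG_TAIL@ 0.001
+"tail -200 /var/adm/messages" @PROG_TAIL@ 0.001
+"tail -200 /var/adm/syslog" @PROG_TAIL@ 0.001
+"tail -200 /var/adm/syslog/syslog.log" @PROG_TAIL@ 0.001
+"tail -200 /var/log/maillog" @PROG_TAIL@ 0.001
+"tail -200 /var/adm/maillog" @PROG_TAIL@ 0.001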
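Review bot: The header comment documents the line format but not two conventions the parser in entropy.c relies on: a path of `undef` (what configure substitutes for a program it could not find) disables the entry, and only a small fixed number of words (five in the committed parser) are read from the quoted command, the rest being reported and ignored. I would extend the header with `# A path of "undef" disables the entry. Only the first few words of the quoted command are used.` so an administrator editing the installed file is not surprised. Line 5 also misspells "usable" as "usuable". Since sshd runs every program listed here, a closing reminder that the installed file must stay root-owned and not writable by other users would be worth the one line.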