-rw-r--r--ChangeLog5
-rw-r--r--entropy.c32
-rw-r--r--entropy.h7
-rw-r--r--sshd.c14
4 files changed, 53 insertions, 5 deletions
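--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 20050927
  - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
  calls, since they can't possibly fail. ok djm@
+ - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
+ process when sshd relies on ssh-random-helper. Should result in faster
+ logins on systems without a real random device or prngd. ok djm@
 
 20050924
  - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
@@ -3017,4 +3020,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3895 2005/09/27 09:50:25 dtucker Exp $
+$Id: ChangeLog,v 1.3896 2005/09/27 12:46:32 dtucker Exp $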
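--- a/entropy.c
+++ b/entropy.c
@@ -26,6 +26,7 @@
 
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
+#include <openssl/err.h>
 
 #include "ssh.h"
 #include "misc.h"
@@ -33,6 +34,8 @@
 #include "atomicio.h"
 #include "pathnames.h"
 #include "log.h"
+#include "buffer.h"
+#include "bufaux.h"
 
 /*
  * Portable OpenSSH PRNG seeding:
@@ -45,7 +48,7 @@
  * XXX: we should tell the child how many bytes we need.
  */
 
-RCSID("$Id: entropy.c,v 1.50 2005/09/27 09:50:25 dtucker Exp $");
+RCSID("$Id: entropy.c,v 1.51 2005/09/27 12:46:32 dtucker Exp $");
 
 #ifndef OPENSSL_PRNG_ONLY
 #define RANDOM_SEED_SIZE 48
@@ -150,3 +153,30 @@ init_rng(void)
 #endif
 }
 
+#ifndef OPENSSL_PRNG_ONLY
+void
+rexec_send_rng_seed(Buffer *m)
+{
+ u_char buf[RANDOM_SEED_SIZE];
+
+ if (RAND_bytes(buf, sizeof(buf)) <= 0) {
+ error("Couldn't obtain random bytes (error %ld)",
+ ERR_get_error());
+ buffer_put_string(m, "", 0);
+ } else
+ buffer_put_string(m, buf, sizeof(buf));
+}
+
+void
+rexec_recv_rng_seed(Buffer *m)
+{
+ char *buf;
+ u_int len;
+
+ buf = buffer_get_string_ret(m, &len);
+ if (buf != NULL) {
+ debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len);
+ RAND_add(buf, len, len);
+ }
+}
+#endif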
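Review bot: Both new functions leave seed material behind once they return. In rexec_send_rng_seed the stack array `buf` is never cleared after it has been copied into the message, and in rexec_recv_rng_seed the string handed back by buffer_get_string_ret() is neither wiped nor released, so each re-exec'ed process keeps a readable copy of its own seed and, if that helper returns a heap copy as it usually does, leaks the allocation. Add `memset(buf, 0, sizeof(buf));` as the last statement of the sender and `memset(buf, 0, len); xfree(buf);` right after the `RAND_add()` call in the receiver. The receiver also credits `len` bytes of entropy for whatever length arrives and stays silent when the field is missing or empty, so a debug line on the `buf == NULL` and `len == 0` paths would make the fallback to normal seeding visible in logs. `ERR_get_error()` returns an unsigned long, so the format in the error message should be `%lu` rather than `%ld`.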
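--- a/entropy.h
+++ b/entropy.h
@@ -22,12 +22,17 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */
+/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */
 
 #ifndef _RANDOMS_H
 #define _RANDOMS_H
 
+#include "buffer.h"
+
 void seed_rng(void);
 void init_rng(void);
 
+void rexec_send_rng_seed(Buffer *);
+void rexec_recv_rng_seed(Buffer *);
+
 #endif /* _RANDOMS_H */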
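Review bot: The two new prototypes are declared unconditionally, while entropy.c defines the functions only under `#ifndef OPENSSL_PRNG_ONLY`, so a caller that forgets the guard fails at link time instead of at compile time. Either wrap the declarations in the same `#ifndef OPENSSL_PRNG_ONLY`, or add a comment above them such as `/* Seed exchange for the re-exec'ed sshd; only defined when OPENSSL_PRNG_ONLY is not set. */`.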
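--- a/sshd.c
+++ b/sshd.c
@@ -800,6 +800,7 @@ send_rexec_state(int fd, Buffer *conf)
  * bignum iqmp "
  * bignum p "
  * bignum q "
+ * string rngseed (only if OpenSSL is not self-seeded)
  */
  buffer_init(&m);
  buffer_put_cstring(&m, buffer_ptr(conf));
@@ -816,6 +817,10 @@ send_rexec_state(int fd, Buffer *conf)
  } else
  buffer_put_int(&m, 0);
 
+#ifndef OPENSSL_PRNG_ONLY
+ rexec_send_rng_seed(&m);
+#endif
+
  if (ssh_msg_send(fd, 0, &m) == -1)
  fatal("%s: ssh_msg_send failed", __func__);
 
@@ -858,6 +863,11 @@ recv_rexec_state(int fd, Buffer *conf)
  rsa_generate_additional_parameters(
  sensitive_data.server_key->rsa);
  }
+
+#ifndef OPENSSL_PRNG_ONLY
+ rexec_recv_rng_seed(&m);
+#endif
+
  buffer_free(&m);
 
  debug3("%s: done", __func__);
@@ -1051,8 +1061,6 @@ main(int ac, char **av)
  drop_cray_privs();
 #endif
 
- seed_rng();
-
  sensitive_data.server_key = NULL;
  sensitive_data.ssh1_host_key = NULL;
  sensitive_data.have_ssh1_key = 0;
@@ -1071,6 +1079,8 @@ main(int ac, char **av)
  if (!rexec_flag)
  buffer_free(&cfg);
 
+ seed_rng();
+
  /* Fill in default values for those options not explicitly set. */
  fill_default_server_options(&options);
 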
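Review bot: The last two hunks move `seed_rng()` in main() below the re-exec state handling, but nothing at the new call site records that the order now matters. A comment such as `/* Must follow recv_rexec_state(): a seed passed by the parent is added to the PRNG first. */` would keep a later cleanup from moving the call back up. The move also means that every statement between the old and new positions, on the non-rexec path too, now runs before the PRNG is seeded; most of that code lies outside the hunks, so it is worth confirming that none of it draws random numbers. main(), send_rexec_state() and recv_rexec_state() all extend beyond the visible hunks.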