summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rw-r--r--INSTALL11
-rw-r--r--acconfig.h9
-rw-r--r--configure.in43
-rw-r--r--entropy.c75
5 files changed, 99 insertions, 45 deletions
diff --git a/ChangeLog b/ChangeLog
index 71da4c457..7313e0a47 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@
2 - Remove make-ssh-known-hosts.pl, ssh-keyscan is better. 2 - Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
3 - Document PAM ChallengeResponseAuthentication in sshd.8 3 - Document PAM ChallengeResponseAuthentication in sshd.8
4 - Disable and comment ChallengeResponseAuthentication in sshd_config 4 - Disable and comment ChallengeResponseAuthentication in sshd_config
5 - Allow PRNGd entropy collection from localhost TCP socket. Replace
6 "--with-egd-pool" configure option with "--with-prngd-socket" and
7 "--with-prngd-port" options. Debugged and improved by Lutz Jaenicke
8 <Lutz.Jaenicke@aet.TU-Cottbus.DE>
5 9
620010301 1020010301
7 - (djm) Properly add -lcrypt if needed. 11 - (djm) Properly add -lcrypt if needed.
@@ -4180,4 +4184,4 @@
4180 - Wrote replacements for strlcpy and mkdtemp 4184 - Wrote replacements for strlcpy and mkdtemp
4181 - Released 1.0pre1 4185 - Released 1.0pre1
4182 4186
4183$Id: ChangeLog,v 1.847 2001/03/03 13:16:20 djm Exp $ 4187$Id: ChangeLog,v 1.848 2001/03/03 13:29:20 djm Exp $
diff --git a/INSTALL b/INSTALL
index 47b071e1a..6778a2881 100644
--- a/INSTALL
+++ b/INSTALL
@@ -119,8 +119,13 @@ headers, for this to work.
119random numbers (the default is /dev/urandom). Unless you are absolutely 119random numbers (the default is /dev/urandom). Unless you are absolutely
120sure of what you are doing, it is best to leave this alone. 120sure of what you are doing, it is best to leave this alone.
121 121
122--with-egd-pool=/some/file allows you to enable EGD or PRNGD support 122--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
123and to specify a EGD pool socket. Use this if your Unix lacks 123support and to specify a PRNGd socket. Use this if your Unix lacks
124/dev/random and you don't want to use OpenSSH's builtin entropy
125collection support.
126
127--with-prngd-port=portnum allows you to enable EGD or PRNGD support
128and to specify a EGD localhost TCP port. Use this if your Unix lacks
124/dev/random and you don't want to use OpenSSH's builtin entropy 129/dev/random and you don't want to use OpenSSH's builtin entropy
125collection support. 130collection support.
126 131
@@ -217,4 +222,4 @@ Please refer to the "reporting bugs" section of the webpage at
217http://www.openssh.com/ 222http://www.openssh.com/
218 223
219 224
220$Id: INSTALL,v 1.41 2001/02/18 01:58:24 djm Exp $ 225$Id: INSTALL,v 1.42 2001/03/03 13:29:21 djm Exp $
diff --git a/acconfig.h b/acconfig.h
index a43435868..db53d1696 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
1/* $Id: acconfig.h,v 1.105 2001/02/26 21:39:07 djm Exp $ */ 1/* $Id: acconfig.h,v 1.106 2001/03/03 13:29:21 djm Exp $ */
2 2
3#ifndef _CONFIG_H 3#ifndef _CONFIG_H
4#define _CONFIG_H 4#define _CONFIG_H
@@ -89,8 +89,11 @@
89/* Location of random number pool */ 89/* Location of random number pool */
90#undef RANDOM_POOL 90#undef RANDOM_POOL
91 91
92/* Location of EGD random number socket */ 92/* Location of PRNGD/EGD random number socket */
93#undef EGD_SOCKET 93#undef PRNGD_SOCKET
94
95/* Port number of PRNGD/EGD random number socket */
96#undef PRNGD_PORT
94 97
95/* Builtin PRNG command timeout */ 98/* Builtin PRNG command timeout */
96#undef ENTROPY_TIMEOUT_MSEC 99#undef ENTROPY_TIMEOUT_MSEC
diff --git a/configure.in b/configure.in
index 69db290c4..de3a2fb8f 100644
--- a/configure.in
+++ b/configure.in
@@ -1,4 +1,4 @@
1# $Id: configure.in,v 1.260 2001/02/28 22:16:12 djm Exp $ 1# $Id: configure.in,v 1.261 2001/03/03 13:29:21 djm Exp $
2 2
3AC_INIT(ssh.c) 3AC_INIT(ssh.c)
4 4
@@ -1266,13 +1266,24 @@ AC_ARG_WITH(random,
1266 ] 1266 ]
1267) 1267)
1268 1268
1269# Check for EGD pool file 1269# Check for PRNGD/EGD pool file
1270AC_ARG_WITH(egd-pool, 1270AC_ARG_WITH(prngd-port,
1271 [ --with-egd-pool=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], 1271 [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT],
1272 [
1273 if test ! -z "$withval" -a "x$withval" != "xno" ; then
1274 PRNGD_PORT="$withval"
1275 AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
1276 fi
1277 ]
1278)
1279
1280# Check for PRNGD/EGD pool file
1281AC_ARG_WITH(prngd-socket,
1282 [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
1272 [ 1283 [
1273 if test "x$withval" != "xno" ; then 1284 if test "x$withval" != "xno" ; then
1274 EGD_SOCKET="$withval"; 1285 PRNGD_SOCKET="$withval"
1275 AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") 1286 AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
1276 fi 1287 fi
1277 ], 1288 ],
1278 [ 1289 [
@@ -1280,15 +1291,15 @@ AC_ARG_WITH(egd-pool,
1280 if test -z "$RANDOM_POOL" ; then 1291 if test -z "$RANDOM_POOL" ; then
1281 AC_MSG_CHECKING(for PRNGD/EGD socket) 1292 AC_MSG_CHECKING(for PRNGD/EGD socket)
1282 # Insert other locations here 1293 # Insert other locations here
1283 for egdsock in /var/run/egd-pool /etc/entropy; do 1294 for sock in /var/run/egd-pool /etc/entropy; do
1284 if test -r $egdsock && $TEST_MINUS_S_SH -c "test -S $egdsock -o -p $egdsock" ; then 1295 if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
1285 EGD_SOCKET="$egdsock" 1296 PRNGD_SOCKET="$sock"
1286 AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") 1297 AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
1287 break; 1298 break;
1288 fi 1299 fi
1289 done 1300 done
1290 if test ! -z "$EGD_SOCKET" ; then 1301 if test ! -z "$PRNGD_SOCKET" ; then
1291 AC_MSG_RESULT($EGD_SOCKET) 1302 AC_MSG_RESULT($PRNGD_SOCKET)
1292 else 1303 else
1293 AC_MSG_RESULT(not found) 1304 AC_MSG_RESULT(not found)
1294 fi 1305 fi
@@ -1300,7 +1311,7 @@ AC_ARG_WITH(egd-pool,
1300# detect pathnames for entropy gathering commands, if we need them 1311# detect pathnames for entropy gathering commands, if we need them
1301INSTALL_SSH_PRNG_CMDS="" 1312INSTALL_SSH_PRNG_CMDS=""
1302rm -f prng_commands 1313rm -f prng_commands
1303if (test -z "$RANDOM_POOL" && test -z "$EGD_SOCKET") ; then 1314if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
1304 # Use these commands to collect entropy 1315 # Use these commands to collect entropy
1305 OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) 1316 OSSH_PATH_ENTROPY_PROG(PROG_LS, ls)
1306 OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) 1317 OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat)
@@ -1749,8 +1760,10 @@ fi
1749if test ! -z "$RANDOM_POOL" ; then 1760if test ! -z "$RANDOM_POOL" ; then
1750 RAND_MSG="Device ($RANDOM_POOL)" 1761 RAND_MSG="Device ($RANDOM_POOL)"
1751else 1762else
1752 if test ! -z "$EGD_SOCKET" ; then 1763 if test ! -z "$PRNGD_PORT" ; then
1753 RAND_MSG="EGD/PRNGD ($EGD_SOCKET)" 1764 RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)"
1765 elif test ! -z "$PRNGD_SOCKET" ; then
1766 RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)"
1754 else 1767 else
1755 RAND_MSG="Builtin (timeout $entropy_timeout)" 1768 RAND_MSG="Builtin (timeout $entropy_timeout)"
1756 BUILTIN_RNG=1 1769 BUILTIN_RNG=1
diff --git a/entropy.c b/entropy.c
index 3b0893b3e..665f77324 100644
--- a/entropy.c
+++ b/entropy.c
@@ -40,7 +40,7 @@
40#include "pathnames.h" 40#include "pathnames.h"
41#include "log.h" 41#include "log.h"
42 42
43RCSID("$Id: entropy.c,v 1.34 2001/02/27 00:00:52 djm Exp $"); 43RCSID("$Id: entropy.c,v 1.35 2001/03/03 13:29:21 djm Exp $");
44 44
45#ifndef offsetof 45#ifndef offsetof
46# define offsetof(type, member) ((size_t) &((type *)0)->member) 46# define offsetof(type, member) ((size_t) &((type *)0)->member)
@@ -75,47 +75,76 @@ void check_openssl_version(void)
75 "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); 75 "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
76} 76}
77 77
78#if defined(PRNGD_SOCKET) || defined(PRNGD_PORT)
79# define USE_PRNGD
80#endif
78 81
79#if defined(EGD_SOCKET) || defined(RANDOM_POOL) 82#if defined(USE_PRNGD) || defined(RANDOM_POOL)
80 83
81#ifdef EGD_SOCKET 84#ifdef USE_PRNGD
82/* Collect entropy from EGD */ 85/* Collect entropy from PRNGD/EGD */
83int get_random_bytes(unsigned char *buf, int len) 86int get_random_bytes(unsigned char *buf, int len)
84{ 87{
85 int fd; 88 int fd;
86 char msg[2]; 89 char msg[2];
90#ifdef PRNGD_PORT
91 struct sockaddr_in addr;
92#else
87 struct sockaddr_un addr; 93 struct sockaddr_un addr;
94#endif
88 int addr_len, rval, errors; 95 int addr_len, rval, errors;
89 mysig_t old_sigpipe; 96 mysig_t old_sigpipe;
90 97
98 memset(&addr, '\0', sizeof(addr));
99
100#ifdef PRNGD_PORT
101 addr.sin_family = AF_INET;
102 addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
103 addr.sin_port = htons(PRNGD_PORT);
104 addr_len = sizeof(struct sockaddr_in);
105#else /* use IP socket PRNGD_SOCKET instead */
91 /* Sanity checks */ 106 /* Sanity checks */
92 if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) 107 if (sizeof(PRNGD_SOCKET) > sizeof(addr.sun_path))
93 fatal("Random pool path is too long"); 108 fatal("Random pool path is too long");
94 if (len > 255) 109 if (len > 255)
95 fatal("Too many bytes to read from EGD"); 110 fatal("Too many bytes to read from PRNGD");
96 111
97 memset(&addr, '\0', sizeof(addr));
98 addr.sun_family = AF_UNIX; 112 addr.sun_family = AF_UNIX;
99 strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); 113 strlcpy(addr.sun_path, PRNGD_SOCKET, sizeof(addr.sun_path));
100 addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); 114 addr_len = offsetof(struct sockaddr_un, sun_path) +
115 sizeof(PRNGD_SOCKET);
116#endif
101 117
102 old_sigpipe = mysignal(SIGPIPE, SIG_IGN); 118 old_sigpipe = mysignal(SIGPIPE, SIG_IGN);
103 119
104 errors = rval = 0; 120 errors = rval = 0;
105reopen: 121reopen:
106 fd = socket(AF_UNIX, SOCK_STREAM, 0); 122#ifdef PRNGD_PORT
123 fd = socket(addr.sin_family, SOCK_STREAM, 0);
124 if (fd == -1) {
125 error("Couldn't create AF_INET socket: %s", strerror(errno));
126 goto done;
127 }
128#else
129 fd = socket(addr.sun_family, SOCK_STREAM, 0);
107 if (fd == -1) { 130 if (fd == -1) {
108 error("Couldn't create AF_UNIX socket: %s", strerror(errno)); 131 error("Couldn't create AF_UNIX socket: %s", strerror(errno));
109 goto done; 132 goto done;
110 } 133 }
134#endif
111 135
112 if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { 136 if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) {
113 error("Couldn't connect to EGD socket \"%s\": %s", 137#ifdef PRNGD_PORT
114 addr.sun_path, strerror(errno)); 138 error("Couldn't connect to PRNGD port %d: %s",
139 PRNGD_PORT, strerror(errno));
140#else
141 error("Couldn't connect to PRNGD socket \"%s\": %s",
142 addr.sun_path, strerror(errno));
143#endif
115 goto done; 144 goto done;
116 } 145 }
117 146
118 /* Send blocking read request to EGD */ 147 /* Send blocking read request to PRNGD */
119 msg[0] = 0x02; 148 msg[0] = 0x02;
120 msg[1] = len; 149 msg[1] = len;
121 150
@@ -125,8 +154,8 @@ reopen:
125 errors++; 154 errors++;
126 goto reopen; 155 goto reopen;
127 } 156 }
128 error("Couldn't write to EGD socket \"%s\": %s", 157 error("Couldn't write to PRNGD socket: %s",
129 EGD_SOCKET, strerror(errno)); 158 strerror(errno));
130 goto done; 159 goto done;
131 } 160 }
132 161
@@ -136,8 +165,8 @@ reopen:
136 errors++; 165 errors++;
137 goto reopen; 166 goto reopen;
138 } 167 }
139 error("Couldn't read from EGD socket \"%s\": %s", 168 error("Couldn't read from PRNGD socket: %s",
140 EGD_SOCKET, strerror(errno)); 169 strerror(errno));
141 goto done; 170 goto done;
142 } 171 }
143 172
@@ -148,7 +177,7 @@ done:
148 close(fd); 177 close(fd);
149 return(rval); 178 return(rval);
150} 179}
151#else /* !EGD_SOCKET */ 180#else /* !USE_PRNGD */
152#ifdef RANDOM_POOL 181#ifdef RANDOM_POOL
153/* Collect entropy from /dev/urandom or pipe */ 182/* Collect entropy from /dev/urandom or pipe */
154int get_random_bytes(unsigned char *buf, int len) 183int get_random_bytes(unsigned char *buf, int len)
@@ -174,16 +203,16 @@ int get_random_bytes(unsigned char *buf, int len)
174 return(1); 203 return(1);
175} 204}
176#endif /* RANDOM_POOL */ 205#endif /* RANDOM_POOL */
177#endif /* EGD_SOCKET */ 206#endif /* USE_PRNGD */
178 207
179/* 208/*
180 * Seed OpenSSL's random number pool from Kernel random number generator 209 * Seed OpenSSL's random number pool from Kernel random number generator
181 * or EGD 210 * or PRNGD/EGD
182 */ 211 */
183void 212void
184seed_rng(void) 213seed_rng(void)
185{ 214{
186 char buf[32]; 215 unsigned char buf[32];
187 216
188 debug("Seeding random number generator"); 217 debug("Seeding random number generator");
189 218
@@ -202,7 +231,7 @@ void init_rng(void)
202 check_openssl_version(); 231 check_openssl_version();
203} 232}
204 233
205#else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ 234#else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */
206 235
207/* 236/*
208 * FIXME: proper entropy estimations. All current values are guesses 237 * FIXME: proper entropy estimations. All current values are guesses
@@ -877,4 +906,4 @@ void init_rng(void)
877 prng_initialised = 1; 906 prng_initialised = 1;
878} 907}
879 908
880#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ 909#endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */