diff options
-rw-r--r-- | configure.ac | 15 | ||||
-rw-r--r-- | entropy.c | 35 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.c | 23 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.h | 22 | ||||
-rw-r--r-- | regress/unittests/sshkey/tests.c | 5 | ||||
-rw-r--r-- | regress/unittests/test_helper/test_helper.c | 5 | ||||
-rw-r--r-- | scp.c | 2 | ||||
-rw-r--r-- | sftp-server-main.c | 2 | ||||
-rw-r--r-- | sftp.c | 2 | ||||
-rw-r--r-- | ssh-add.c | 4 | ||||
-rw-r--r-- | ssh-agent.c | 4 | ||||
-rw-r--r-- | ssh-keygen.c | 7 | ||||
-rw-r--r-- | ssh-keysign.c | 9 | ||||
-rw-r--r-- | ssh.c | 9 | ||||
-rw-r--r-- | ssh_api.c | 4 | ||||
-rw-r--r-- | sshd.c | 8 |
16 files changed, 63 insertions, 93 deletions
diff --git a/configure.ac b/configure.ac index 3f7fe2cd0..5a9b3ff11 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -2671,8 +2671,8 @@ if test "x$openssl" = "xyes" ; then | |||
2671 | 2671 | ||
2672 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | 2672 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) |
2673 | AC_LINK_IFELSE( | 2673 | AC_LINK_IFELSE( |
2674 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | 2674 | [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], |
2675 | [[ OpenSSL_add_all_algorithms(); ]])], | 2675 | [[ ERR_load_crypto_strings(); ]])], |
2676 | [ | 2676 | [ |
2677 | AC_MSG_RESULT([yes]) | 2677 | AC_MSG_RESULT([yes]) |
2678 | ], | 2678 | ], |
@@ -2682,8 +2682,8 @@ if test "x$openssl" = "xyes" ; then | |||
2682 | LIBS="$LIBS -ldl" | 2682 | LIBS="$LIBS -ldl" |
2683 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | 2683 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) |
2684 | AC_LINK_IFELSE( | 2684 | AC_LINK_IFELSE( |
2685 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | 2685 | [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], |
2686 | [[ OpenSSL_add_all_algorithms(); ]])], | 2686 | [[ ERR_load_crypto_strings(); ]])], |
2687 | [ | 2687 | [ |
2688 | AC_MSG_RESULT([yes]) | 2688 | AC_MSG_RESULT([yes]) |
2689 | ], | 2689 | ], |
@@ -2698,15 +2698,16 @@ if test "x$openssl" = "xyes" ; then | |||
2698 | AC_CHECK_FUNCS([ \ | 2698 | AC_CHECK_FUNCS([ \ |
2699 | BN_is_prime_ex \ | 2699 | BN_is_prime_ex \ |
2700 | DSA_generate_parameters_ex \ | 2700 | DSA_generate_parameters_ex \ |
2701 | EVP_DigestInit_ex \ | 2701 | EVP_CIPHER_CTX_ctrl \ |
2702 | EVP_DigestFinal_ex \ | 2702 | EVP_DigestFinal_ex \ |
2703 | EVP_MD_CTX_init \ | 2703 | EVP_DigestInit_ex \ |
2704 | EVP_MD_CTX_cleanup \ | 2704 | EVP_MD_CTX_cleanup \ |
2705 | EVP_MD_CTX_copy_ex \ | 2705 | EVP_MD_CTX_copy_ex \ |
2706 | EVP_MD_CTX_init \ | ||
2706 | HMAC_CTX_init \ | 2707 | HMAC_CTX_init \ |
2708 | OpenSSL_add_all_algorithms \ | ||
2707 | RSA_generate_key_ex \ | 2709 | RSA_generate_key_ex \ |
2708 | RSA_get_default_method \ | 2710 | RSA_get_default_method \ |
2709 | EVP_CIPHER_CTX_ctrl \ | ||
2710 | ]) | 2711 | ]) |
2711 | # LibreSSL/OpenSSL 1.1x API | 2712 | # LibreSSL/OpenSSL 1.1x API |
2712 | AC_CHECK_FUNCS([ \ | 2713 | AC_CHECK_FUNCS([ \ |
@@ -56,6 +56,8 @@ | |||
56 | #include "sshbuf.h" | 56 | #include "sshbuf.h" |
57 | #include "ssherr.h" | 57 | #include "ssherr.h" |
58 | 58 | ||
59 | #define RANDOM_SEED_SIZE 48 | ||
60 | |||
59 | /* | 61 | /* |
60 | * Portable OpenSSH PRNG seeding: | 62 | * Portable OpenSSH PRNG seeding: |
61 | * If OpenSSL has not "internally seeded" itself (e.g. pulled data from | 63 | * If OpenSSL has not "internally seeded" itself (e.g. pulled data from |
@@ -64,8 +66,6 @@ | |||
64 | */ | 66 | */ |
65 | #ifndef OPENSSL_PRNG_ONLY | 67 | #ifndef OPENSSL_PRNG_ONLY |
66 | 68 | ||
67 | #define RANDOM_SEED_SIZE 48 | ||
68 | |||
69 | /* | 69 | /* |
70 | * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon | 70 | * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon |
71 | * listening either on 'tcp_port', or via Unix domain socket at * | 71 | * listening either on 'tcp_port', or via Unix domain socket at * |
@@ -216,9 +216,11 @@ rexec_recv_rng_seed(struct sshbuf *m) | |||
216 | void | 216 | void |
217 | seed_rng(void) | 217 | seed_rng(void) |
218 | { | 218 | { |
219 | #ifndef OPENSSL_PRNG_ONLY | ||
220 | unsigned char buf[RANDOM_SEED_SIZE]; | 219 | unsigned char buf[RANDOM_SEED_SIZE]; |
221 | #endif | 220 | |
221 | /* Initialise libcrypto */ | ||
222 | ssh_libcrypto_init(); | ||
223 | |||
222 | if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, | 224 | if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, |
223 | OpenSSL_version_num())) | 225 | OpenSSL_version_num())) |
224 | fatal("OpenSSL version mismatch. Built against %lx, you " | 226 | fatal("OpenSSL version mismatch. Built against %lx, you " |
@@ -226,27 +228,34 @@ seed_rng(void) | |||
226 | OpenSSL_version_num()); | 228 | OpenSSL_version_num()); |
227 | 229 | ||
228 | #ifndef OPENSSL_PRNG_ONLY | 230 | #ifndef OPENSSL_PRNG_ONLY |
229 | if (RAND_status() == 1) { | 231 | if (RAND_status() == 1) |
230 | debug3("RNG is ready, skipping seeding"); | 232 | debug3("RNG is ready, skipping seeding"); |
231 | return; | 233 | else { |
234 | if (seed_from_prngd(buf, sizeof(buf)) == -1) | ||
235 | fatal("Could not obtain seed from PRNGd"); | ||
236 | RAND_add(buf, sizeof(buf), sizeof(buf)); | ||
232 | } | 237 | } |
233 | |||
234 | if (seed_from_prngd(buf, sizeof(buf)) == -1) | ||
235 | fatal("Could not obtain seed from PRNGd"); | ||
236 | RAND_add(buf, sizeof(buf), sizeof(buf)); | ||
237 | memset(buf, '\0', sizeof(buf)); | ||
238 | |||
239 | #endif /* OPENSSL_PRNG_ONLY */ | 238 | #endif /* OPENSSL_PRNG_ONLY */ |
239 | |||
240 | if (RAND_status() != 1) | 240 | if (RAND_status() != 1) |
241 | fatal("PRNG is not seeded"); | 241 | fatal("PRNG is not seeded"); |
242 | |||
243 | /* Ensure arc4random() is primed */ | ||
244 | arc4random_buf(buf, sizeof(buf)); | ||
245 | explicit_bzero(buf, sizeof(buf)); | ||
242 | } | 246 | } |
243 | 247 | ||
244 | #else /* WITH_OPENSSL */ | 248 | #else /* WITH_OPENSSL */ |
245 | 249 | ||
246 | /* Handled in arc4random() */ | 250 | /* Acutal initialisation is handled in arc4random() */ |
247 | void | 251 | void |
248 | seed_rng(void) | 252 | seed_rng(void) |
249 | { | 253 | { |
254 | unsigned char buf[RANDOM_SEED_SIZE]; | ||
255 | |||
256 | /* Ensure arc4random() is primed */ | ||
257 | arc4random_buf(buf, sizeof(buf)); | ||
258 | explicit_bzero(buf, sizeof(buf)); | ||
250 | } | 259 | } |
251 | 260 | ||
252 | #endif /* WITH_OPENSSL */ | 261 | #endif /* WITH_OPENSSL */ |
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 5ade8f0ba..d8c00ebcb 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c | |||
@@ -66,26 +66,31 @@ ssh_compatible_openssl(long headerver, long libver) | |||
66 | return 0; | 66 | return 0; |
67 | } | 67 | } |
68 | 68 | ||
69 | #ifdef USE_OPENSSL_ENGINE | ||
70 | void | 69 | void |
71 | ssh_OpenSSL_add_all_algorithms(void) | 70 | ssh_libcrypto_init(void) |
72 | { | 71 | { |
72 | #if defined(HAVE_OPENSSL_ADD_ALL_ALGORITHMS) | ||
73 | OpenSSL_add_all_algorithms(); | 73 | OpenSSL_add_all_algorithms(); |
74 | #elif defined(HAVE_OPENSSL_INIT_CRYPTO) && \ | ||
75 | defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \ | ||
76 | defined(OPENSSL_INIT_ADD_ALL_DIGESTS) | ||
77 | OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | | ||
78 | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); | ||
79 | #endif | ||
74 | 80 | ||
81 | #ifdef USE_OPENSSL_ENGINE | ||
75 | /* Enable use of crypto hardware */ | 82 | /* Enable use of crypto hardware */ |
76 | ENGINE_load_builtin_engines(); | 83 | ENGINE_load_builtin_engines(); |
77 | ENGINE_register_all_complete(); | 84 | ENGINE_register_all_complete(); |
78 | 85 | ||
79 | #if defined(HAVE_OPENSSL_INIT_CRYPTO) && \ | 86 | /* Load the libcrypto config file to pick up engines defined there */ |
80 | defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \ | 87 | # if defined(HAVE_OPENSSL_INIT_CRYPTO) && defined(OPENSSL_INIT_LOAD_CONFIG) |
81 | defined(OPENSSL_INIT_ADD_ALL_DIGESTS) && \ | ||
82 | defined(OPENSSL_INIT_LOAD_CONFIG) | ||
83 | OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | | 88 | OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | |
84 | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG, NULL); | 89 | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG, NULL); |
85 | #else | 90 | # else |
86 | OPENSSL_config(NULL); | 91 | OPENSSL_config(NULL); |
87 | #endif | 92 | # endif |
93 | #endif /* USE_OPENSSL_ENGINE */ | ||
88 | } | 94 | } |
89 | #endif | ||
90 | 95 | ||
91 | #endif /* WITH_OPENSSL */ | 96 | #endif /* WITH_OPENSSL */ |
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index b87ce59e7..917bc6f7c 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -31,6 +31,7 @@ | |||
31 | #include <openssl/dh.h> | 31 | #include <openssl/dh.h> |
32 | 32 | ||
33 | int ssh_compatible_openssl(long, long); | 33 | int ssh_compatible_openssl(long, long); |
34 | void ssh_libcrypto_init(void); | ||
34 | 35 | ||
35 | #if (OPENSSL_VERSION_NUMBER < 0x1000100fL) | 36 | #if (OPENSSL_VERSION_NUMBER < 0x1000100fL) |
36 | # error OpenSSL 1.0.1 or greater is required | 37 | # error OpenSSL 1.0.1 or greater is required |
@@ -92,27 +93,6 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); | |||
92 | # endif | 93 | # endif |
93 | #endif | 94 | #endif |
94 | 95 | ||
95 | /* | ||
96 | * We overload some of the OpenSSL crypto functions with ssh_* equivalents | ||
97 | * to automatically handle OpenSSL engine initialisation. | ||
98 | * | ||
99 | * In order for the compat library to call the real functions, it must | ||
100 | * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and | ||
101 | * implement the ssh_* equivalents. | ||
102 | */ | ||
103 | #ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS | ||
104 | |||
105 | # ifdef USE_OPENSSL_ENGINE | ||
106 | # ifdef OpenSSL_add_all_algorithms | ||
107 | # undef OpenSSL_add_all_algorithms | ||
108 | # endif | ||
109 | # define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() | ||
110 | # endif | ||
111 | |||
112 | void ssh_OpenSSL_add_all_algorithms(void); | ||
113 | |||
114 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ | ||
115 | |||
116 | /* LibreSSL/OpenSSL 1.1x API compat */ | 96 | /* LibreSSL/OpenSSL 1.1x API compat */ |
117 | #ifndef HAVE_DSA_GET0_PQG | 97 | #ifndef HAVE_DSA_GET0_PQG |
118 | void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, | 98 | void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, |
diff --git a/regress/unittests/sshkey/tests.c b/regress/unittests/sshkey/tests.c index 13f265cdb..78aa9223d 100644 --- a/regress/unittests/sshkey/tests.c +++ b/regress/unittests/sshkey/tests.c | |||
@@ -7,8 +7,6 @@ | |||
7 | 7 | ||
8 | #include "includes.h" | 8 | #include "includes.h" |
9 | 9 | ||
10 | #include <openssl/evp.h> | ||
11 | |||
12 | #include "../test_helper/test_helper.h" | 10 | #include "../test_helper/test_helper.h" |
13 | 11 | ||
14 | void sshkey_tests(void); | 12 | void sshkey_tests(void); |
@@ -18,9 +16,6 @@ void sshkey_fuzz_tests(void); | |||
18 | void | 16 | void |
19 | tests(void) | 17 | tests(void) |
20 | { | 18 | { |
21 | OpenSSL_add_all_algorithms(); | ||
22 | ERR_load_CRYPTO_strings(); | ||
23 | |||
24 | sshkey_tests(); | 19 | sshkey_tests(); |
25 | sshkey_file_tests(); | 20 | sshkey_file_tests(); |
26 | sshkey_fuzz_tests(); | 21 | sshkey_fuzz_tests(); |
diff --git a/regress/unittests/test_helper/test_helper.c b/regress/unittests/test_helper/test_helper.c index cd08b5778..6b4f343a8 100644 --- a/regress/unittests/test_helper/test_helper.c +++ b/regress/unittests/test_helper/test_helper.c | |||
@@ -35,11 +35,13 @@ | |||
35 | #include <signal.h> | 35 | #include <signal.h> |
36 | 36 | ||
37 | #include <openssl/bn.h> | 37 | #include <openssl/bn.h> |
38 | #include <openssl/err.h> | ||
38 | 39 | ||
39 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) | 40 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) |
40 | # include <vis.h> | 41 | # include <vis.h> |
41 | #endif | 42 | #endif |
42 | 43 | ||
44 | #include "entropy.h" | ||
43 | #include "test_helper.h" | 45 | #include "test_helper.h" |
44 | #include "atomicio.h" | 46 | #include "atomicio.h" |
45 | 47 | ||
@@ -123,6 +125,9 @@ main(int argc, char **argv) | |||
123 | { | 125 | { |
124 | int ch; | 126 | int ch; |
125 | 127 | ||
128 | seed_rng(); | ||
129 | ERR_load_CRYPTO_strings(); | ||
130 | |||
126 | /* Handle systems without __progname */ | 131 | /* Handle systems without __progname */ |
127 | if (__progname == NULL) { | 132 | if (__progname == NULL) { |
128 | __progname = strrchr(argv[0], '/'); | 133 | __progname = strrchr(argv[0], '/'); |
@@ -400,6 +400,8 @@ main(int argc, char **argv) | |||
400 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | 400 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
401 | sanitise_stdfd(); | 401 | sanitise_stdfd(); |
402 | 402 | ||
403 | seed_rng(); | ||
404 | |||
403 | msetlocale(); | 405 | msetlocale(); |
404 | 406 | ||
405 | /* Copy argv, because we modify it */ | 407 | /* Copy argv, because we modify it */ |
diff --git a/sftp-server-main.c b/sftp-server-main.c index c6ccd623e..6230d897d 100644 --- a/sftp-server-main.c +++ b/sftp-server-main.c | |||
@@ -43,6 +43,8 @@ main(int argc, char **argv) | |||
43 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | 43 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
44 | sanitise_stdfd(); | 44 | sanitise_stdfd(); |
45 | 45 | ||
46 | seed_rng(); | ||
47 | |||
46 | if ((user_pw = getpwuid(getuid())) == NULL) { | 48 | if ((user_pw = getpwuid(getuid())) == NULL) { |
47 | fprintf(stderr, "No user found for uid %lu\n", | 49 | fprintf(stderr, "No user found for uid %lu\n", |
48 | (u_long)getuid()); | 50 | (u_long)getuid()); |
@@ -2367,6 +2367,8 @@ main(int argc, char **argv) | |||
2367 | sanitise_stdfd(); | 2367 | sanitise_stdfd(); |
2368 | msetlocale(); | 2368 | msetlocale(); |
2369 | 2369 | ||
2370 | seed_rng(); | ||
2371 | |||
2370 | __progname = ssh_get_progname(argv[0]); | 2372 | __progname = ssh_get_progname(argv[0]); |
2371 | memset(&args, '\0', sizeof(args)); | 2373 | memset(&args, '\0', sizeof(args)); |
2372 | args.list = NULL; | 2374 | args.list = NULL; |
@@ -544,10 +544,6 @@ main(int argc, char **argv) | |||
544 | __progname = ssh_get_progname(argv[0]); | 544 | __progname = ssh_get_progname(argv[0]); |
545 | seed_rng(); | 545 | seed_rng(); |
546 | 546 | ||
547 | #ifdef WITH_OPENSSL | ||
548 | OpenSSL_add_all_algorithms(); | ||
549 | #endif | ||
550 | |||
551 | setvbuf(stdout, NULL, _IOLBF, 0); | 547 | setvbuf(stdout, NULL, _IOLBF, 0); |
552 | 548 | ||
553 | /* First, get a connection to the authentication agent. */ | 549 | /* First, get a connection to the authentication agent. */ |
diff --git a/ssh-agent.c b/ssh-agent.c index cb552462a..6baebc313 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
@@ -1095,10 +1095,6 @@ main(int ac, char **av) | |||
1095 | if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) | 1095 | if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) |
1096 | fatal("%s: getrlimit: %s", __progname, strerror(errno)); | 1096 | fatal("%s: getrlimit: %s", __progname, strerror(errno)); |
1097 | 1097 | ||
1098 | #ifdef WITH_OPENSSL | ||
1099 | OpenSSL_add_all_algorithms(); | ||
1100 | #endif | ||
1101 | |||
1102 | __progname = ssh_get_progname(av[0]); | 1098 | __progname = ssh_get_progname(av[0]); |
1103 | seed_rng(); | 1099 | seed_rng(); |
1104 | 1100 | ||
diff --git a/ssh-keygen.c b/ssh-keygen.c index 416d25be0..a67737350 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -2459,13 +2459,10 @@ main(int argc, char **argv) | |||
2459 | 2459 | ||
2460 | __progname = ssh_get_progname(argv[0]); | 2460 | __progname = ssh_get_progname(argv[0]); |
2461 | 2461 | ||
2462 | #ifdef WITH_OPENSSL | ||
2463 | OpenSSL_add_all_algorithms(); | ||
2464 | #endif | ||
2465 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | ||
2466 | |||
2467 | seed_rng(); | 2462 | seed_rng(); |
2468 | 2463 | ||
2464 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | ||
2465 | |||
2469 | msetlocale(); | 2466 | msetlocale(); |
2470 | 2467 | ||
2471 | /* we need this for the home * directory. */ | 2468 | /* we need this for the home * directory. */ |
diff --git a/ssh-keysign.c b/ssh-keysign.c index bcd1508c0..8f487b8c5 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c | |||
@@ -174,9 +174,6 @@ main(int argc, char **argv) | |||
174 | u_char *signature, *data, rver; | 174 | u_char *signature, *data, rver; |
175 | char *host, *fp; | 175 | char *host, *fp; |
176 | size_t slen, dlen; | 176 | size_t slen, dlen; |
177 | #ifdef WITH_OPENSSL | ||
178 | u_int32_t rnd[256]; | ||
179 | #endif | ||
180 | 177 | ||
181 | ssh_malloc_init(); /* must be called before any mallocs */ | 178 | ssh_malloc_init(); /* must be called before any mallocs */ |
182 | if (pledge("stdio rpath getpw dns id", NULL) != 0) | 179 | if (pledge("stdio rpath getpw dns id", NULL) != 0) |
@@ -224,12 +221,6 @@ main(int argc, char **argv) | |||
224 | if (found == 0) | 221 | if (found == 0) |
225 | fatal("could not open any host key"); | 222 | fatal("could not open any host key"); |
226 | 223 | ||
227 | #ifdef WITH_OPENSSL | ||
228 | OpenSSL_add_all_algorithms(); | ||
229 | arc4random_buf(rnd, sizeof(rnd)); | ||
230 | RAND_seed(rnd, sizeof(rnd)); | ||
231 | #endif | ||
232 | |||
233 | found = 0; | 224 | found = 0; |
234 | for (i = 0; i < NUM_KEYTYPES; i++) { | 225 | for (i = 0; i < NUM_KEYTYPES; i++) { |
235 | keys[i] = NULL; | 226 | keys[i] = NULL; |
@@ -610,6 +610,8 @@ main(int ac, char **av) | |||
610 | av = saved_av; | 610 | av = saved_av; |
611 | #endif | 611 | #endif |
612 | 612 | ||
613 | seed_rng(); | ||
614 | |||
613 | /* | 615 | /* |
614 | * Discard other fds that are hanging around. These can cause problem | 616 | * Discard other fds that are hanging around. These can cause problem |
615 | * with backgrounded ssh processes started by ControlPersist. | 617 | * with backgrounded ssh processes started by ControlPersist. |
@@ -1036,11 +1038,6 @@ main(int ac, char **av) | |||
1036 | 1038 | ||
1037 | host_arg = xstrdup(host); | 1039 | host_arg = xstrdup(host); |
1038 | 1040 | ||
1039 | #ifdef WITH_OPENSSL | ||
1040 | OpenSSL_add_all_algorithms(); | ||
1041 | ERR_load_crypto_strings(); | ||
1042 | #endif | ||
1043 | |||
1044 | /* Initialize the command to execute on remote host. */ | 1041 | /* Initialize the command to execute on remote host. */ |
1045 | if ((command = sshbuf_new()) == NULL) | 1042 | if ((command = sshbuf_new()) == NULL) |
1046 | fatal("sshbuf_new failed"); | 1043 | fatal("sshbuf_new failed"); |
@@ -1264,8 +1261,6 @@ main(int ac, char **av) | |||
1264 | tty_flag = 0; | 1261 | tty_flag = 0; |
1265 | } | 1262 | } |
1266 | 1263 | ||
1267 | seed_rng(); | ||
1268 | |||
1269 | if (options.user == NULL) | 1264 | if (options.user == NULL) |
1270 | options.user = xstrdup(pw->pw_name); | 1265 | options.user = xstrdup(pw->pw_name); |
1271 | 1266 | ||
@@ -81,9 +81,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params) | |||
81 | int r; | 81 | int r; |
82 | 82 | ||
83 | if (!called) { | 83 | if (!called) { |
84 | #ifdef WITH_OPENSSL | 84 | seed_rng(); |
85 | OpenSSL_add_all_algorithms(); | ||
86 | #endif /* WITH_OPENSSL */ | ||
87 | called = 1; | 85 | called = 1; |
88 | } | 86 | } |
89 | 87 | ||
@@ -1510,6 +1510,8 @@ main(int ac, char **av) | |||
1510 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | 1510 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
1511 | sanitise_stdfd(); | 1511 | sanitise_stdfd(); |
1512 | 1512 | ||
1513 | seed_rng(); | ||
1514 | |||
1513 | /* Initialize configuration options to their default values. */ | 1515 | /* Initialize configuration options to their default values. */ |
1514 | initialize_server_options(&options); | 1516 | initialize_server_options(&options); |
1515 | 1517 | ||
@@ -1631,10 +1633,6 @@ main(int ac, char **av) | |||
1631 | else | 1633 | else |
1632 | closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); | 1634 | closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); |
1633 | 1635 | ||
1634 | #ifdef WITH_OPENSSL | ||
1635 | OpenSSL_add_all_algorithms(); | ||
1636 | #endif | ||
1637 | |||
1638 | /* If requested, redirect the logs to the specified logfile. */ | 1636 | /* If requested, redirect the logs to the specified logfile. */ |
1639 | if (logfile != NULL) | 1637 | if (logfile != NULL) |
1640 | log_redirect_stderr_to(logfile); | 1638 | log_redirect_stderr_to(logfile); |
@@ -1677,8 +1675,6 @@ main(int ac, char **av) | |||
1677 | parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, | 1675 | parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, |
1678 | cfg, NULL); | 1676 | cfg, NULL); |
1679 | 1677 | ||
1680 | seed_rng(); | ||
1681 | |||
1682 | /* Fill in default values for those options not explicitly set. */ | 1678 | /* Fill in default values for those options not explicitly set. */ |
1683 | fill_default_server_options(&options); | 1679 | fill_default_server_options(&options); |
1684 | 1680 | ||