3 files changed, 44 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index 71fdc4a66..5c9024fc3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,13 @@
 19991119
  - Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
+   (off-by-one error - doesn't appear to be easily exploitable)
  - Merged OpenBSD CVS changes
    - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c]
      more %d vs. %s in fmt-strings
    - [authfd.c]
      Integers should not be printed with %s
+ - EGD uses a socket, not a named pipe. Duh.
+ - Fix includes in fingerprint.c
 
 19991118
  - Merged OpenBSD CVS changes
diff --git a/fingerprint.c b/fingerprint.c
index c319fa230..9a9b63583 100644
--- a/fingerprint.c
+++ b/fingerprint.c
@@ -1,9 +1,15 @@
 #include "includes.h"
-RCSID("$Id: fingerprint.c,v 1.1 1999/11/16 22:49:28 markus Exp $");
+RCSID("$Id: fingerprint.c,v 1.1 1999/11/17 06:29:08 damien Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
+
+#ifdef HAVE_OPENSSL
+#include <openssl/md5.h>
+#endif
+#ifdef HAVE_SSL
 #include <ssl/md5.h>
+#endif
 
 #define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x"
 
diff --git a/helper.c b/helper.c
index 6d77759de..efb7a4631 100644
--- a/helper.c
+++ b/helper.c
@@ -41,6 +41,8 @@
 
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
 #include <fcntl.h>
 
 #include "rc4.h"
@@ -49,6 +51,10 @@
 #include "config.h"
 #include "helper.h"
 
+#ifndef offsetof
+#define offsetof(type, member) ((size_t) &((type *)0)->member)
+#endif
+
 #ifndef HAVE_ARC4RANDOM
 
 void get_random_bytes(unsigned char *buf, int len);
@@ -80,17 +86,33 @@ void arc4random_stir(void)
 
 void get_random_bytes(unsigned char *buf, int len)
 {
-        int random_pool;
+        static int random_pool;
         int c;
 #ifdef HAVE_EGD
         char egd_message[2] = { 0x02, 0x00 };
-#endif /* HAVE_EGD */
+        struct sockaddr_un addr;
+        int addr_len;
+
+        memset(&addr, '\0', sizeof(addr));
+        addr.sun_family = AF_UNIX;
+        
+        /* FIXME: compile time check? */
+        if (sizeof(RANDOM_POOL) > sizeof(addr.sun_path))
+                fatal("Random pool path is too long");
+        
+        strncpy(addr.sun_path, RANDOM_POOL, sizeof(addr.sun_path - 1));
+        addr.sun_path[sizeof(addr.sun_path - 1)] = '\0';
+        
+        addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(RANDOM_POOL);
+        
+        random_pool = socket(AF_UNIX, SOCK_STREAM, 0);
         
-        random_pool = open(RANDOM_POOL, O_RDONLY);
         if (random_pool == -1)
-                fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
+                fatal("Couldn't create AF_UNIX socket: %s", strerror(errno));
         
-#ifdef HAVE_EGD
+        if (connect(random_pool, (struct sockaddr*)&addr, addr_len) == -1)
+                fatal("Couldn't connect to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno));
+
         if (len > 255)
                 fatal("Too many bytes to read from EGD");
         
@@ -99,6 +121,13 @@ void get_random_bytes(unsigned char *buf, int len)
         c = write(random_pool, egd_message, sizeof(egd_message));
         if (c == -1)
                 fatal("Couldn't write to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno));
+
+#else /* HAVE_EGD */
+
+        random_pool = open(RANDOM_POOL, O_RDONLY);
+        if (random_pool == -1)
+                fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
+
 #endif /* HAVE_EGD */
 
         c = read(random_pool, buf, len);