diff options
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | INSTALL | 11 | ||||
-rw-r--r-- | acconfig.h | 9 | ||||
-rw-r--r-- | configure.in | 43 | ||||
-rw-r--r-- | entropy.c | 75 |
5 files changed, 99 insertions, 45 deletions
@@ -2,6 +2,10 @@ | |||
2 | - Remove make-ssh-known-hosts.pl, ssh-keyscan is better. | 2 | - Remove make-ssh-known-hosts.pl, ssh-keyscan is better. |
3 | - Document PAM ChallengeResponseAuthentication in sshd.8 | 3 | - Document PAM ChallengeResponseAuthentication in sshd.8 |
4 | - Disable and comment ChallengeResponseAuthentication in sshd_config | 4 | - Disable and comment ChallengeResponseAuthentication in sshd_config |
5 | - Allow PRNGd entropy collection from localhost TCP socket. Replace | ||
6 | "--with-egd-pool" configure option with "--with-prngd-socket" and | ||
7 | "--with-prngd-port" options. Debugged and improved by Lutz Jaenicke | ||
8 | <Lutz.Jaenicke@aet.TU-Cottbus.DE> | ||
5 | 9 | ||
6 | 20010301 | 10 | 20010301 |
7 | - (djm) Properly add -lcrypt if needed. | 11 | - (djm) Properly add -lcrypt if needed. |
@@ -4180,4 +4184,4 @@ | |||
4180 | - Wrote replacements for strlcpy and mkdtemp | 4184 | - Wrote replacements for strlcpy and mkdtemp |
4181 | - Released 1.0pre1 | 4185 | - Released 1.0pre1 |
4182 | 4186 | ||
4183 | $Id: ChangeLog,v 1.847 2001/03/03 13:16:20 djm Exp $ | 4187 | $Id: ChangeLog,v 1.848 2001/03/03 13:29:20 djm Exp $ |
@@ -119,8 +119,13 @@ headers, for this to work. | |||
119 | random numbers (the default is /dev/urandom). Unless you are absolutely | 119 | random numbers (the default is /dev/urandom). Unless you are absolutely |
120 | sure of what you are doing, it is best to leave this alone. | 120 | sure of what you are doing, it is best to leave this alone. |
121 | 121 | ||
122 | --with-egd-pool=/some/file allows you to enable EGD or PRNGD support | 122 | --with-prngd-socket=/some/file allows you to enable EGD or PRNGD |
123 | and to specify a EGD pool socket. Use this if your Unix lacks | 123 | support and to specify a PRNGd socket. Use this if your Unix lacks |
124 | /dev/random and you don't want to use OpenSSH's builtin entropy | ||
125 | collection support. | ||
126 | |||
127 | --with-prngd-port=portnum allows you to enable EGD or PRNGD support | ||
128 | and to specify a EGD localhost TCP port. Use this if your Unix lacks | ||
124 | /dev/random and you don't want to use OpenSSH's builtin entropy | 129 | /dev/random and you don't want to use OpenSSH's builtin entropy |
125 | collection support. | 130 | collection support. |
126 | 131 | ||
@@ -217,4 +222,4 @@ Please refer to the "reporting bugs" section of the webpage at | |||
217 | http://www.openssh.com/ | 222 | http://www.openssh.com/ |
218 | 223 | ||
219 | 224 | ||
220 | $Id: INSTALL,v 1.41 2001/02/18 01:58:24 djm Exp $ | 225 | $Id: INSTALL,v 1.42 2001/03/03 13:29:21 djm Exp $ |
diff --git a/acconfig.h b/acconfig.h index a43435868..db53d1696 100644 --- a/acconfig.h +++ b/acconfig.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: acconfig.h,v 1.105 2001/02/26 21:39:07 djm Exp $ */ | 1 | /* $Id: acconfig.h,v 1.106 2001/03/03 13:29:21 djm Exp $ */ |
2 | 2 | ||
3 | #ifndef _CONFIG_H | 3 | #ifndef _CONFIG_H |
4 | #define _CONFIG_H | 4 | #define _CONFIG_H |
@@ -89,8 +89,11 @@ | |||
89 | /* Location of random number pool */ | 89 | /* Location of random number pool */ |
90 | #undef RANDOM_POOL | 90 | #undef RANDOM_POOL |
91 | 91 | ||
92 | /* Location of EGD random number socket */ | 92 | /* Location of PRNGD/EGD random number socket */ |
93 | #undef EGD_SOCKET | 93 | #undef PRNGD_SOCKET |
94 | |||
95 | /* Port number of PRNGD/EGD random number socket */ | ||
96 | #undef PRNGD_PORT | ||
94 | 97 | ||
95 | /* Builtin PRNG command timeout */ | 98 | /* Builtin PRNG command timeout */ |
96 | #undef ENTROPY_TIMEOUT_MSEC | 99 | #undef ENTROPY_TIMEOUT_MSEC |
diff --git a/configure.in b/configure.in index 69db290c4..de3a2fb8f 100644 --- a/configure.in +++ b/configure.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: configure.in,v 1.260 2001/02/28 22:16:12 djm Exp $ | 1 | # $Id: configure.in,v 1.261 2001/03/03 13:29:21 djm Exp $ |
2 | 2 | ||
3 | AC_INIT(ssh.c) | 3 | AC_INIT(ssh.c) |
4 | 4 | ||
@@ -1266,13 +1266,24 @@ AC_ARG_WITH(random, | |||
1266 | ] | 1266 | ] |
1267 | ) | 1267 | ) |
1268 | 1268 | ||
1269 | # Check for EGD pool file | 1269 | # Check for PRNGD/EGD pool file |
1270 | AC_ARG_WITH(egd-pool, | 1270 | AC_ARG_WITH(prngd-port, |
1271 | [ --with-egd-pool=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], | 1271 | [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], |
1272 | [ | ||
1273 | if test ! -z "$withval" -a "x$withval" != "xno" ; then | ||
1274 | PRNGD_PORT="$withval" | ||
1275 | AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) | ||
1276 | fi | ||
1277 | ] | ||
1278 | ) | ||
1279 | |||
1280 | # Check for PRNGD/EGD pool file | ||
1281 | AC_ARG_WITH(prngd-socket, | ||
1282 | [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], | ||
1272 | [ | 1283 | [ |
1273 | if test "x$withval" != "xno" ; then | 1284 | if test "x$withval" != "xno" ; then |
1274 | EGD_SOCKET="$withval"; | 1285 | PRNGD_SOCKET="$withval" |
1275 | AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") | 1286 | AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") |
1276 | fi | 1287 | fi |
1277 | ], | 1288 | ], |
1278 | [ | 1289 | [ |
@@ -1280,15 +1291,15 @@ AC_ARG_WITH(egd-pool, | |||
1280 | if test -z "$RANDOM_POOL" ; then | 1291 | if test -z "$RANDOM_POOL" ; then |
1281 | AC_MSG_CHECKING(for PRNGD/EGD socket) | 1292 | AC_MSG_CHECKING(for PRNGD/EGD socket) |
1282 | # Insert other locations here | 1293 | # Insert other locations here |
1283 | for egdsock in /var/run/egd-pool /etc/entropy; do | 1294 | for sock in /var/run/egd-pool /etc/entropy; do |
1284 | if test -r $egdsock && $TEST_MINUS_S_SH -c "test -S $egdsock -o -p $egdsock" ; then | 1295 | if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then |
1285 | EGD_SOCKET="$egdsock" | 1296 | PRNGD_SOCKET="$sock" |
1286 | AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") | 1297 | AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") |
1287 | break; | 1298 | break; |
1288 | fi | 1299 | fi |
1289 | done | 1300 | done |
1290 | if test ! -z "$EGD_SOCKET" ; then | 1301 | if test ! -z "$PRNGD_SOCKET" ; then |
1291 | AC_MSG_RESULT($EGD_SOCKET) | 1302 | AC_MSG_RESULT($PRNGD_SOCKET) |
1292 | else | 1303 | else |
1293 | AC_MSG_RESULT(not found) | 1304 | AC_MSG_RESULT(not found) |
1294 | fi | 1305 | fi |
@@ -1300,7 +1311,7 @@ AC_ARG_WITH(egd-pool, | |||
1300 | # detect pathnames for entropy gathering commands, if we need them | 1311 | # detect pathnames for entropy gathering commands, if we need them |
1301 | INSTALL_SSH_PRNG_CMDS="" | 1312 | INSTALL_SSH_PRNG_CMDS="" |
1302 | rm -f prng_commands | 1313 | rm -f prng_commands |
1303 | if (test -z "$RANDOM_POOL" && test -z "$EGD_SOCKET") ; then | 1314 | if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then |
1304 | # Use these commands to collect entropy | 1315 | # Use these commands to collect entropy |
1305 | OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) | 1316 | OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) |
1306 | OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) | 1317 | OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) |
@@ -1749,8 +1760,10 @@ fi | |||
1749 | if test ! -z "$RANDOM_POOL" ; then | 1760 | if test ! -z "$RANDOM_POOL" ; then |
1750 | RAND_MSG="Device ($RANDOM_POOL)" | 1761 | RAND_MSG="Device ($RANDOM_POOL)" |
1751 | else | 1762 | else |
1752 | if test ! -z "$EGD_SOCKET" ; then | 1763 | if test ! -z "$PRNGD_PORT" ; then |
1753 | RAND_MSG="EGD/PRNGD ($EGD_SOCKET)" | 1764 | RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" |
1765 | elif test ! -z "$PRNGD_SOCKET" ; then | ||
1766 | RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" | ||
1754 | else | 1767 | else |
1755 | RAND_MSG="Builtin (timeout $entropy_timeout)" | 1768 | RAND_MSG="Builtin (timeout $entropy_timeout)" |
1756 | BUILTIN_RNG=1 | 1769 | BUILTIN_RNG=1 |
@@ -40,7 +40,7 @@ | |||
40 | #include "pathnames.h" | 40 | #include "pathnames.h" |
41 | #include "log.h" | 41 | #include "log.h" |
42 | 42 | ||
43 | RCSID("$Id: entropy.c,v 1.34 2001/02/27 00:00:52 djm Exp $"); | 43 | RCSID("$Id: entropy.c,v 1.35 2001/03/03 13:29:21 djm Exp $"); |
44 | 44 | ||
45 | #ifndef offsetof | 45 | #ifndef offsetof |
46 | # define offsetof(type, member) ((size_t) &((type *)0)->member) | 46 | # define offsetof(type, member) ((size_t) &((type *)0)->member) |
@@ -75,47 +75,76 @@ void check_openssl_version(void) | |||
75 | "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); | 75 | "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); |
76 | } | 76 | } |
77 | 77 | ||
78 | #if defined(PRNGD_SOCKET) || defined(PRNGD_PORT) | ||
79 | # define USE_PRNGD | ||
80 | #endif | ||
78 | 81 | ||
79 | #if defined(EGD_SOCKET) || defined(RANDOM_POOL) | 82 | #if defined(USE_PRNGD) || defined(RANDOM_POOL) |
80 | 83 | ||
81 | #ifdef EGD_SOCKET | 84 | #ifdef USE_PRNGD |
82 | /* Collect entropy from EGD */ | 85 | /* Collect entropy from PRNGD/EGD */ |
83 | int get_random_bytes(unsigned char *buf, int len) | 86 | int get_random_bytes(unsigned char *buf, int len) |
84 | { | 87 | { |
85 | int fd; | 88 | int fd; |
86 | char msg[2]; | 89 | char msg[2]; |
90 | #ifdef PRNGD_PORT | ||
91 | struct sockaddr_in addr; | ||
92 | #else | ||
87 | struct sockaddr_un addr; | 93 | struct sockaddr_un addr; |
94 | #endif | ||
88 | int addr_len, rval, errors; | 95 | int addr_len, rval, errors; |
89 | mysig_t old_sigpipe; | 96 | mysig_t old_sigpipe; |
90 | 97 | ||
98 | memset(&addr, '\0', sizeof(addr)); | ||
99 | |||
100 | #ifdef PRNGD_PORT | ||
101 | addr.sin_family = AF_INET; | ||
102 | addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); | ||
103 | addr.sin_port = htons(PRNGD_PORT); | ||
104 | addr_len = sizeof(struct sockaddr_in); | ||
105 | #else /* use IP socket PRNGD_SOCKET instead */ | ||
91 | /* Sanity checks */ | 106 | /* Sanity checks */ |
92 | if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) | 107 | if (sizeof(PRNGD_SOCKET) > sizeof(addr.sun_path)) |
93 | fatal("Random pool path is too long"); | 108 | fatal("Random pool path is too long"); |
94 | if (len > 255) | 109 | if (len > 255) |
95 | fatal("Too many bytes to read from EGD"); | 110 | fatal("Too many bytes to read from PRNGD"); |
96 | 111 | ||
97 | memset(&addr, '\0', sizeof(addr)); | ||
98 | addr.sun_family = AF_UNIX; | 112 | addr.sun_family = AF_UNIX; |
99 | strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); | 113 | strlcpy(addr.sun_path, PRNGD_SOCKET, sizeof(addr.sun_path)); |
100 | addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); | 114 | addr_len = offsetof(struct sockaddr_un, sun_path) + |
115 | sizeof(PRNGD_SOCKET); | ||
116 | #endif | ||
101 | 117 | ||
102 | old_sigpipe = mysignal(SIGPIPE, SIG_IGN); | 118 | old_sigpipe = mysignal(SIGPIPE, SIG_IGN); |
103 | 119 | ||
104 | errors = rval = 0; | 120 | errors = rval = 0; |
105 | reopen: | 121 | reopen: |
106 | fd = socket(AF_UNIX, SOCK_STREAM, 0); | 122 | #ifdef PRNGD_PORT |
123 | fd = socket(addr.sin_family, SOCK_STREAM, 0); | ||
124 | if (fd == -1) { | ||
125 | error("Couldn't create AF_INET socket: %s", strerror(errno)); | ||
126 | goto done; | ||
127 | } | ||
128 | #else | ||
129 | fd = socket(addr.sun_family, SOCK_STREAM, 0); | ||
107 | if (fd == -1) { | 130 | if (fd == -1) { |
108 | error("Couldn't create AF_UNIX socket: %s", strerror(errno)); | 131 | error("Couldn't create AF_UNIX socket: %s", strerror(errno)); |
109 | goto done; | 132 | goto done; |
110 | } | 133 | } |
134 | #endif | ||
111 | 135 | ||
112 | if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { | 136 | if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { |
113 | error("Couldn't connect to EGD socket \"%s\": %s", | 137 | #ifdef PRNGD_PORT |
114 | addr.sun_path, strerror(errno)); | 138 | error("Couldn't connect to PRNGD port %d: %s", |
139 | PRNGD_PORT, strerror(errno)); | ||
140 | #else | ||
141 | error("Couldn't connect to PRNGD socket \"%s\": %s", | ||
142 | addr.sun_path, strerror(errno)); | ||
143 | #endif | ||
115 | goto done; | 144 | goto done; |
116 | } | 145 | } |
117 | 146 | ||
118 | /* Send blocking read request to EGD */ | 147 | /* Send blocking read request to PRNGD */ |
119 | msg[0] = 0x02; | 148 | msg[0] = 0x02; |
120 | msg[1] = len; | 149 | msg[1] = len; |
121 | 150 | ||
@@ -125,8 +154,8 @@ reopen: | |||
125 | errors++; | 154 | errors++; |
126 | goto reopen; | 155 | goto reopen; |
127 | } | 156 | } |
128 | error("Couldn't write to EGD socket \"%s\": %s", | 157 | error("Couldn't write to PRNGD socket: %s", |
129 | EGD_SOCKET, strerror(errno)); | 158 | strerror(errno)); |
130 | goto done; | 159 | goto done; |
131 | } | 160 | } |
132 | 161 | ||
@@ -136,8 +165,8 @@ reopen: | |||
136 | errors++; | 165 | errors++; |
137 | goto reopen; | 166 | goto reopen; |
138 | } | 167 | } |
139 | error("Couldn't read from EGD socket \"%s\": %s", | 168 | error("Couldn't read from PRNGD socket: %s", |
140 | EGD_SOCKET, strerror(errno)); | 169 | strerror(errno)); |
141 | goto done; | 170 | goto done; |
142 | } | 171 | } |
143 | 172 | ||
@@ -148,7 +177,7 @@ done: | |||
148 | close(fd); | 177 | close(fd); |
149 | return(rval); | 178 | return(rval); |
150 | } | 179 | } |
151 | #else /* !EGD_SOCKET */ | 180 | #else /* !USE_PRNGD */ |
152 | #ifdef RANDOM_POOL | 181 | #ifdef RANDOM_POOL |
153 | /* Collect entropy from /dev/urandom or pipe */ | 182 | /* Collect entropy from /dev/urandom or pipe */ |
154 | int get_random_bytes(unsigned char *buf, int len) | 183 | int get_random_bytes(unsigned char *buf, int len) |
@@ -174,16 +203,16 @@ int get_random_bytes(unsigned char *buf, int len) | |||
174 | return(1); | 203 | return(1); |
175 | } | 204 | } |
176 | #endif /* RANDOM_POOL */ | 205 | #endif /* RANDOM_POOL */ |
177 | #endif /* EGD_SOCKET */ | 206 | #endif /* USE_PRNGD */ |
178 | 207 | ||
179 | /* | 208 | /* |
180 | * Seed OpenSSL's random number pool from Kernel random number generator | 209 | * Seed OpenSSL's random number pool from Kernel random number generator |
181 | * or EGD | 210 | * or PRNGD/EGD |
182 | */ | 211 | */ |
183 | void | 212 | void |
184 | seed_rng(void) | 213 | seed_rng(void) |
185 | { | 214 | { |
186 | char buf[32]; | 215 | unsigned char buf[32]; |
187 | 216 | ||
188 | debug("Seeding random number generator"); | 217 | debug("Seeding random number generator"); |
189 | 218 | ||
@@ -202,7 +231,7 @@ void init_rng(void) | |||
202 | check_openssl_version(); | 231 | check_openssl_version(); |
203 | } | 232 | } |
204 | 233 | ||
205 | #else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ | 234 | #else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ |
206 | 235 | ||
207 | /* | 236 | /* |
208 | * FIXME: proper entropy estimations. All current values are guesses | 237 | * FIXME: proper entropy estimations. All current values are guesses |
@@ -877,4 +906,4 @@ void init_rng(void) | |||
877 | prng_initialised = 1; | 906 | prng_initialised = 1; |
878 | } | 907 | } |
879 | 908 | ||
880 | #endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ | 909 | #endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ |