summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c42
1 files changed, 23 insertions, 19 deletions
diff --git a/sshd.c b/sshd.c
index d7e812000..ce4a493ef 100644
--- a/sshd.c
+++ b/sshd.c
@@ -499,9 +499,29 @@ demote_sensitive_data(void)
499} 499}
500 500
501static void 501static void
502privsep_preauth_child(void) 502reseed_prngs(void)
503{ 503{
504 u_int32_t rnd[256]; 504 u_int32_t rnd[256];
505
506#ifdef WITH_OPENSSL
507 RAND_poll();
508#endif
509 arc4random_stir(); /* noop on recent arc4random() implementations */
510 arc4random_buf(rnd, sizeof(rnd)); /* let arc4random notice PID change */
511
512#ifdef WITH_OPENSSL
513 RAND_seed(rnd, sizeof(rnd));
514 /* give libcrypto a chance to notice the PID change */
515 if ((RAND_bytes((u_char *)rnd, 1)) != 1)
516 fatal("%s: RAND_bytes failed", __func__);
517#endif
518
519 explicit_bzero(rnd, sizeof(rnd));
520}
521
522static void
523privsep_preauth_child(void)
524{
505 gid_t gidset[1]; 525 gid_t gidset[1];
506 526
507 /* Enable challenge-response authentication for privilege separation */ 527 /* Enable challenge-response authentication for privilege separation */
@@ -513,14 +533,7 @@ privsep_preauth_child(void)
513 ssh_gssapi_prepare_supported_oids(); 533 ssh_gssapi_prepare_supported_oids();
514#endif 534#endif
515 535
516 arc4random_stir(); 536 reseed_prngs();
517 arc4random_buf(rnd, sizeof(rnd));
518#ifdef WITH_OPENSSL
519 RAND_seed(rnd, sizeof(rnd));
520 if ((RAND_bytes((u_char *)rnd, 1)) != 1)
521 fatal("%s: RAND_bytes failed", __func__);
522#endif
523 explicit_bzero(rnd, sizeof(rnd));
524 537
525 /* Demote the private keys to public keys. */ 538 /* Demote the private keys to public keys. */
526 demote_sensitive_data(); 539 demote_sensitive_data();
@@ -616,8 +629,6 @@ privsep_preauth(Authctxt *authctxt)
616static void 629static void
617privsep_postauth(Authctxt *authctxt) 630privsep_postauth(Authctxt *authctxt)
618{ 631{
619 u_int32_t rnd[256];
620
621#ifdef DISABLE_FD_PASSING 632#ifdef DISABLE_FD_PASSING
622 if (1) { 633 if (1) {
623#else 634#else
@@ -651,14 +662,7 @@ privsep_postauth(Authctxt *authctxt)
651 /* Demote the private keys to public keys. */ 662 /* Demote the private keys to public keys. */
652 demote_sensitive_data(); 663 demote_sensitive_data();
653 664
654 arc4random_stir(); 665 reseed_prngs();
655 arc4random_buf(rnd, sizeof(rnd));
656#ifdef WITH_OPENSSL
657 RAND_seed(rnd, sizeof(rnd));
658 if ((RAND_bytes((u_char *)rnd, 1)) != 1)
659 fatal("%s: RAND_bytes failed", __func__);
660#endif
661 explicit_bzero(rnd, sizeof(rnd));
662 666
663 /* Drop privileges */ 667 /* Drop privileges */
664 do_setusercontext(authctxt->pw); 668 do_setusercontext(authctxt->pw);