From f1377bdeed3ca7268c6a5d3fa171a09df7be9064 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 27 Sep 2005 19:50:25 +1000 Subject: - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid calls, since they can't possibly fail. ok djm@ --- entropy.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'entropy.c') diff --git a/entropy.c b/entropy.c index 410bbb927..7f4a30783 100644 --- a/entropy.c +++ b/entropy.c @@ -45,7 +45,7 @@ * XXX: we should tell the child how many bytes we need. */ -RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $"); +RCSID("$Id: entropy.c,v 1.50 2005/09/27 09:50:25 dtucker Exp $"); #ifndef OPENSSL_PRNG_ONLY #define RANDOM_SEED_SIZE 48 @@ -145,10 +145,8 @@ init_rng(void) "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); #ifndef OPENSSL_PRNG_ONLY - if ((original_uid = getuid()) == -1) - fatal("getuid: %s", strerror(errno)); - if ((original_euid = geteuid()) == -1) - fatal("geteuid: %s", strerror(errno)); + original_uid = getuid(); + original_euid = geteuid(); #endif } -- cgit v1.2.3 From c6f8219e0d4ee1f64fb7b4da88523c951a03c68a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 27 Sep 2005 22:46:32 +1000 Subject: - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed process when sshd relies on ssh-random-helper. Should result in faster logins on systems without a real random device or prngd. ok djm@ --- ChangeLog | 5 ++++- entropy.c | 32 +++++++++++++++++++++++++++++++- entropy.h | 7 ++++++- sshd.c | 14 ++++++++++++-- 4 files changed, 53 insertions(+), 5 deletions(-) (limited to 'entropy.c') diff --git a/ChangeLog b/ChangeLog index 428718dd6..9265b7a38 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20050927 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid calls, since they can't possibly fail. ok djm@ + - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed + process when sshd relies on ssh-random-helper. Should result in faster + logins on systems without a real random device or prngd. ok djm@ 20050924 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove @@ -3017,4 +3020,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3895 2005/09/27 09:50:25 dtucker Exp $ +$Id: ChangeLog,v 1.3896 2005/09/27 12:46:32 dtucker Exp $ diff --git a/entropy.c b/entropy.c index 7f4a30783..ff97415a9 100644 --- a/entropy.c +++ b/entropy.c @@ -26,6 +26,7 @@ #include #include +#include #include "ssh.h" #include "misc.h" @@ -33,6 +34,8 @@ #include "atomicio.h" #include "pathnames.h" #include "log.h" +#include "buffer.h" +#include "bufaux.h" /* * Portable OpenSSH PRNG seeding: @@ -45,7 +48,7 @@ * XXX: we should tell the child how many bytes we need. */ -RCSID("$Id: entropy.c,v 1.50 2005/09/27 09:50:25 dtucker Exp $"); +RCSID("$Id: entropy.c,v 1.51 2005/09/27 12:46:32 dtucker Exp $"); #ifndef OPENSSL_PRNG_ONLY #define RANDOM_SEED_SIZE 48 @@ -150,3 +153,30 @@ init_rng(void) #endif } +#ifndef OPENSSL_PRNG_ONLY +void +rexec_send_rng_seed(Buffer *m) +{ + u_char buf[RANDOM_SEED_SIZE]; + + if (RAND_bytes(buf, sizeof(buf)) <= 0) { + error("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); + buffer_put_string(m, "", 0); + } else + buffer_put_string(m, buf, sizeof(buf)); +} + +void +rexec_recv_rng_seed(Buffer *m) +{ + char *buf; + u_int len; + + buf = buffer_get_string_ret(m, &len); + if (buf != NULL) { + debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len); + RAND_add(buf, len, len); + } +} +#endif diff --git a/entropy.h b/entropy.h index 5f63c1f1f..ec1ebcc57 100644 --- a/entropy.h +++ b/entropy.h @@ -22,12 +22,17 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */ #ifndef _RANDOMS_H #define _RANDOMS_H +#include "buffer.h" + void seed_rng(void); void init_rng(void); +void rexec_send_rng_seed(Buffer *); +void rexec_recv_rng_seed(Buffer *); + #endif /* _RANDOMS_H */ diff --git a/sshd.c b/sshd.c index 92aa9bbd2..e9125a229 100644 --- a/sshd.c +++ b/sshd.c @@ -800,6 +800,7 @@ send_rexec_state(int fd, Buffer *conf) * bignum iqmp " * bignum p " * bignum q " + * string rngseed (only if OpenSSL is not self-seeded) */ buffer_init(&m); buffer_put_cstring(&m, buffer_ptr(conf)); @@ -816,6 +817,10 @@ send_rexec_state(int fd, Buffer *conf) } else buffer_put_int(&m, 0); +#ifndef OPENSSL_PRNG_ONLY + rexec_send_rng_seed(&m); +#endif + if (ssh_msg_send(fd, 0, &m) == -1) fatal("%s: ssh_msg_send failed", __func__); @@ -858,6 +863,11 @@ recv_rexec_state(int fd, Buffer *conf) rsa_generate_additional_parameters( sensitive_data.server_key->rsa); } + +#ifndef OPENSSL_PRNG_ONLY + rexec_recv_rng_seed(&m); +#endif + buffer_free(&m); debug3("%s: done", __func__); @@ -1051,8 +1061,6 @@ main(int ac, char **av) drop_cray_privs(); #endif - seed_rng(); - sensitive_data.server_key = NULL; sensitive_data.ssh1_host_key = NULL; sensitive_data.have_ssh1_key = 0; @@ -1071,6 +1079,8 @@ main(int ac, char **av) if (!rexec_flag) buffer_free(&cfg); + seed_rng(); + /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); -- cgit v1.2.3 From 46e7ba5d53b13787f56402910e0b8e8f5c2248b3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 28 Sep 2005 08:26:30 +1000 Subject: - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency --- ChangeLog | 5 ++++- entropy.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'entropy.c') diff --git a/ChangeLog b/ChangeLog index 9265b7a38..2c238370a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20050928 + - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency. + 20050927 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid calls, since they can't possibly fail. ok djm@ @@ -3020,4 +3023,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3896 2005/09/27 12:46:32 dtucker Exp $ +$Id: ChangeLog,v 1.3897 2005/09/27 22:26:30 dtucker Exp $ diff --git a/entropy.c b/entropy.c index ff97415a9..e5b45b0b6 100644 --- a/entropy.c +++ b/entropy.c @@ -48,7 +48,7 @@ * XXX: we should tell the child how many bytes we need. */ -RCSID("$Id: entropy.c,v 1.51 2005/09/27 12:46:32 dtucker Exp $"); +RCSID("$Id: entropy.c,v 1.52 2005/09/27 22:26:30 dtucker Exp $"); #ifndef OPENSSL_PRNG_ONLY #define RANDOM_SEED_SIZE 48 @@ -170,7 +170,7 @@ rexec_send_rng_seed(Buffer *m) void rexec_recv_rng_seed(Buffer *m) { - char *buf; + u_char *buf; u_int len; buf = buffer_get_string_ret(m, &len); -- cgit v1.2.3