diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2005-09-27 22:46:32 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2005-09-27 22:46:32 +1000 |
| commit | c6f8219e0d4ee1f64fb7b4da88523c951a03c68a (patch) | |
| tree | d861d4cbccee17f7de7c864e1d26634c0174741d | |
| parent | f1377bdeed3ca7268c6a5d3fa171a09df7be9064 (diff) | |
- (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
process when sshd relies on ssh-random-helper. Should result in faster
logins on systems without a real random device or prngd. ok djm@
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | entropy.c | 32 | ||||
| -rw-r--r-- | entropy.h | 7 | ||||
| -rw-r--r-- | sshd.c | 14 |
4 files changed, 53 insertions, 5 deletions
@@ -1,6 +1,9 @@ 20050927 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid calls, since they can't possibly fail. ok djm@ + - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed + process when sshd relies on ssh-random-helper. Should result in faster + logins on systems without a real random device or prngd. ok djm@ 20050924 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove @@ -3017,4 +3020,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3895 2005/09/27 09:50:25 dtucker Exp $ +$Id: ChangeLog,v 1.3896 2005/09/27 12:46:32 dtucker Exp $ @@ -26,6 +26,7 @@ #include <openssl/rand.h> #include <openssl/crypto.h> +#include <openssl/err.h> #include "ssh.h" #include "misc.h" @@ -33,6 +34,8 @@ #include "atomicio.h" #include "pathnames.h" #include "log.h" +#include "buffer.h" +#include "bufaux.h" /* * Portable OpenSSH PRNG seeding: @@ -45,7 +48,7 @@ * XXX: we should tell the child how many bytes we need. */ -RCSID("$Id: entropy.c,v 1.50 2005/09/27 09:50:25 dtucker Exp $"); +RCSID("$Id: entropy.c,v 1.51 2005/09/27 12:46:32 dtucker Exp $"); #ifndef OPENSSL_PRNG_ONLY #define RANDOM_SEED_SIZE 48 @@ -150,3 +153,30 @@ init_rng(void) #endif } +#ifndef OPENSSL_PRNG_ONLY +void +rexec_send_rng_seed(Buffer *m) +{ + u_char buf[RANDOM_SEED_SIZE]; + + if (RAND_bytes(buf, sizeof(buf)) <= 0) { + error("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); + buffer_put_string(m, "", 0); + } else + buffer_put_string(m, buf, sizeof(buf)); +} + +void +rexec_recv_rng_seed(Buffer *m) +{ + char *buf; + u_int len; + + buf = buffer_get_string_ret(m, &len); + if (buf != NULL) { + debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len); + RAND_add(buf, len, len); + } +} +#endif @@ -22,12 +22,17 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */ #ifndef _RANDOMS_H #define _RANDOMS_H +#include "buffer.h" + void seed_rng(void); void init_rng(void); +void rexec_send_rng_seed(Buffer *); +void rexec_recv_rng_seed(Buffer *); + #endif /* _RANDOMS_H */ @@ -800,6 +800,7 @@ send_rexec_state(int fd, Buffer *conf) * bignum iqmp " * bignum p " * bignum q " + * string rngseed (only if OpenSSL is not self-seeded) */ buffer_init(&m); buffer_put_cstring(&m, buffer_ptr(conf)); @@ -816,6 +817,10 @@ send_rexec_state(int fd, Buffer *conf) } else buffer_put_int(&m, 0); +#ifndef OPENSSL_PRNG_ONLY + rexec_send_rng_seed(&m); +#endif + if (ssh_msg_send(fd, 0, &m) == -1) fatal("%s: ssh_msg_send failed", __func__); @@ -858,6 +863,11 @@ recv_rexec_state(int fd, Buffer *conf) rsa_generate_additional_parameters( sensitive_data.server_key->rsa); } + +#ifndef OPENSSL_PRNG_ONLY + rexec_recv_rng_seed(&m); +#endif + buffer_free(&m); debug3("%s: done", __func__); @@ -1051,8 +1061,6 @@ main(int ac, char **av) drop_cray_privs(); #endif - seed_rng(); - sensitive_data.server_key = NULL; sensitive_data.ssh1_host_key = NULL; sensitive_data.have_ssh1_key = 0; @@ -1071,6 +1079,8 @@ main(int ac, char **av) if (!rexec_flag) buffer_free(&cfg); + seed_rng(); + /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); |