diff options
author | Damien Miller <djm@mindrot.org> | 2015-11-14 18:44:49 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-01-14 12:10:39 +1100 |
commit | 076d849e17ab12603627f87b301e2dca71bae518 (patch) | |
tree | 65244fc2803beb8752a595a9723a54cce955a842 | |
parent | f72adc0150011a28f177617a8456e1f83733099d (diff) |
read back from libcrypto RAND when privdropping
makes certain libcrypto implementations cache a /dev/urandom fd
in preparation of sandboxing. Based on patch by Greg Hartman.
-rw-r--r-- | sshd.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -624,6 +624,8 @@ privsep_preauth_child(void) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); @@ -767,6 +769,8 @@ privsep_postauth(Authctxt *authctxt) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); @@ -1436,6 +1440,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); } |