[openssh.git] / entropy.c

/*
 * Copyright (c) 2000 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by Markus Friedl.
 * 4. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include "ssh.h"
#include "xmalloc.h"

#include <openssl/rand.h>
#include <openssl/sha.h>

RCSID("$Id$");

#ifdef EGD_SOCKET
#ifndef offsetof
# define offsetof(type, member) ((size_t) &((type *)0)->member)
#endif
/* Collect entropy from EGD */
void get_random_bytes(unsigned char *buf, int len)
{
	static int egd_socket = -1;
	int c;
	char egd_message[2] = { 0x02, 0x00 };
	struct sockaddr_un addr;
	int addr_len;

	memset(&addr, '\0', sizeof(addr));
	addr.sun_family = AF_UNIX;
	
	/* FIXME: compile time check? */
	if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path))
		fatal("Random pool path is too long");
	
	strcpy(addr.sun_path, EGD_SOCKET);
	
	addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET);
	
	if (egd_socket == -1) {
		egd_socket = socket(AF_UNIX, SOCK_STREAM, 0);
		if (egd_socket == -1)
			fatal("Couldn't create AF_UNIX socket: %s", strerror(errno));
		if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1)
			fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno));
	}	

	if (len > 255)
		fatal("Too many bytes to read from EGD");
	
	/* Send blocking read request to EGD */
	egd_message[1] = len;

	c = atomicio(write, egd_socket, egd_message, sizeof(egd_message));
	if (c == -1)
		fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno));

	c = atomicio(read, egd_socket, buf, len);
	if (c <= 0)
		fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno));
	
	close(EGD_SOCKET);
}
#else /* !EGD_SOCKET */
#ifdef RANDOM_POOL
/* Collect entropy from /dev/urandom or pipe */
void get_random_bytes(unsigned char *buf, int len)
{
	static int random_pool = -1;
	int c;

	if (random_pool == -1) {
		random_pool = open(RANDOM_POOL, O_RDONLY);
		if (random_pool == -1)
			fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
	}
	
	c = atomicio(read, random_pool, buf, len);
	if (c <= 0)
		fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
}
#endif /* RANDOM_POOL */
#endif /* EGD_SOCKET */

#if !defined(EGD_SOCKET) && !defined(RANDOM_POOL)
/* 
 * FIXME: proper entropy estimations. All current values are guesses
 * FIXME: (ATL) do estimates at compile time?
 * FIXME: More entropy sources
 */

/* slow command timeouts (all in milliseconds) */
/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */
static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC;

static int prng_seed_loaded = 0;
static int prng_seed_saved = 0;
static int prng_commands_loaded = 0;

typedef struct
{
	/* Proportion of data that is entropy */
	double rate;
	/* Counter goes positive if this command times out */
	unsigned int badness;
	/* Increases by factor of two each timeout */
	unsigned int sticky_badness;
	/* Path to executable */
	char *path;
	/* argv to pass to executable */
	char *args[5];
} entropy_source_t;

double stir_from_system(void);
double stir_from_programs(void);
double stir_gettimeofday(double entropy_estimate);
double stir_clock(double entropy_estimate);
double stir_rusage(int who, double entropy_estimate);
double hash_output_from_command(entropy_source_t *src, char *hash);

/* this is initialised from a file, by prng_read_commands() */
entropy_source_t *entropy_sources = NULL;
#define MIN_ENTROPY_SOURCES 16


double 
stir_from_system(void)
{
	double total_entropy_estimate;
	long int i;
	
	total_entropy_estimate = 0;
	
	i = getpid();
	RAND_add(&i, sizeof(i), 0.1);
	total_entropy_estimate += 0.1;
	
	i = getppid();
	RAND_add(&i, sizeof(i), 0.1);
	total_entropy_estimate += 0.1;

	i = getuid();
	RAND_add(&i, sizeof(i), 0.0);
	i = getgid();
	RAND_add(&i, sizeof(i), 0.0);

	total_entropy_estimate += stir_gettimeofday(1.0);
	total_entropy_estimate += stir_clock(0.2);
	total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0);

	return(total_entropy_estimate);
}

double 
stir_from_programs(void)
{
	int i;
	int c;
	double entropy_estimate;
	double total_entropy_estimate;
	char hash[SHA_DIGEST_LENGTH];

	/*
	 * Run through list of programs twice to catch differences
	 */
	total_entropy_estimate = 0;
	for(i = 0; i < 2; i++) {
		c = 0;
		while (entropy_sources[c].path != NULL) {

			if (!entropy_sources[c].badness) {
				/* Hash output from command */
				entropy_estimate = hash_output_from_command(&entropy_sources[c], hash);

				/* Scale back entropy estimate according to command's rate */
				entropy_estimate *= entropy_sources[c].rate;
 
				/* Upper bound of entropy estimate is SHA_DIGEST_LENGTH */
				if (entropy_estimate > SHA_DIGEST_LENGTH)
					entropy_estimate = SHA_DIGEST_LENGTH;

 			/* * Scale back estimates for subsequent passes through list */
				entropy_estimate /= 10.0 * (i + 1.0);
			
				/* Stir it in */
				RAND_add(hash, sizeof(hash), entropy_estimate);

/* FIXME: turn this off later */
#if 1
				debug("Got %0.2f bytes of entropy from %s", entropy_estimate, 
					entropy_sources[c].path);
#endif

				total_entropy_estimate += entropy_estimate;

			/* Execution times should be a little unpredictable */
				total_entropy_estimate += stir_gettimeofday(0.05);
				total_entropy_estimate += stir_clock(0.05);
				total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1);
				total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1);
			} else {
/* FIXME: turn this off later */
#if 1
				debug("Command '%s %s %s' disabled (badness %d)",
					entropy_sources[c].path, entropy_sources[c].args[1],
					entropy_sources[c].args[2], entropy_sources[c].badness);
#endif

				if (entropy_sources[c].badness > 0)
					entropy_sources[c].badness--;
			}

			c++;
		}
	}
	
	return(total_entropy_estimate);
}

double
stir_gettimeofday(double entropy_estimate)
{
	struct timeval tv;
	
	if (gettimeofday(&tv, NULL) == -1)
		fatal("Couldn't gettimeofday: %s", strerror(errno));

	RAND_add(&tv, sizeof(tv), entropy_estimate);
	
	return(entropy_estimate);
}

double
stir_clock(double entropy_estimate)
{
#ifdef HAVE_CLOCK
	clock_t c;
	
	c = clock();
	RAND_add(&c, sizeof(c), entropy_estimate);
	
	return(entropy_estimate);
#else /* _HAVE_CLOCK */
	return(0);
#endif /* _HAVE_CLOCK */
}

double
stir_rusage(int who, double entropy_estimate)
{
#ifdef HAVE_GETRUSAGE
	struct rusage ru;
	
	if (getrusage(who, &ru) == -1)
		fatal("Couldn't getrusage: %s", strerror(errno));

	RAND_add(&ru, sizeof(ru), 0.1);

	return(entropy_estimate);
#else /* _HAVE_GETRUSAGE */
	return(0);
#endif /* _HAVE_GETRUSAGE */
}

double
hash_output_from_command(entropy_source_t *src, char *hash)
{
	static int devnull = -1;
	int p[2];
	fd_set rdset;
	int cmd_eof = 0, error_abort = 0;
	pid_t pid;
	int status;
	char buf[2048];
	int bytes_read;
	int total_bytes_read;
	SHA_CTX sha;
	
	if (devnull == -1) {
		devnull = open("/dev/null", O_RDWR);
		if (devnull == -1)
			fatal("Couldn't open /dev/null: %s", strerror(errno));
	}
	
	if (pipe(p) == -1)
		fatal("Couldn't open pipe: %s", strerror(errno));

	switch (pid = fork()) {
		case -1: /* Error */
			close(p[0]);
			close(p[1]);
			fatal("Couldn't fork: %s", strerror(errno));
			/* NOTREACHED */
		case 0: /* Child */
			dup2(devnull, STDIN_FILENO);
			dup2(p[1], STDOUT_FILENO);
			dup2(p[1], STDERR_FILENO);
			close(p[0]);
			close(p[1]);
			close(devnull);

			execv(src->path, (char**)(src->args));
			debug("(child) Couldn't exec '%s %s %s': %s", src->path,
				src->args[1], src->args[2], strerror(errno));
			src->badness = src->sticky_badness = 128;
			_exit(-1);
		default: /* Parent */
			break;
	}

	RAND_add(&pid, sizeof(&pid), 0.0);

	close(p[1]);

	/* Hash output from child */
	SHA1_Init(&sha);
	total_bytes_read = 0;

	while (!error_abort && !cmd_eof) {
		int ret;
		struct timeval tv;

		FD_ZERO(&rdset);
		FD_SET(p[0], &rdset);
		tv.tv_sec = entropy_timeout_current / 1000;
		tv.tv_usec = (entropy_timeout_current % 1000) * 1000;

		ret = select(p[0]+1, &rdset, NULL, NULL, &tv);
		switch (ret) {
		case 0:
			/* timer expired */
			error_abort = 1;
			break;
			
		case 1:
			/* command input */
			bytes_read = read(p[0], buf, sizeof(buf));
			if (bytes_read == -1) {
				error_abort = 1;
				break;
			}
			SHA1_Update(&sha, buf, bytes_read);
			total_bytes_read += bytes_read;
			RAND_add(&bytes_read, sizeof(&bytes_read), 0.0);
			cmd_eof = bytes_read ? 0 : 1;

			break;

		case -1:
		default:
			error("Command '%s %s': select() failed: %s", src->path, src->args[1],
				strerror(errno));
			error_abort = 1;
			break;
		} /* switch ret */

		RAND_add(&tv, sizeof(&tv), 0.0);
	} /* while !error_abort && !cmd_eof */

	SHA1_Final(hash, &sha);

	close(p[0]);
	
	if (waitpid(pid, &status, 0) == -1) {
		error("Couldn't wait for child '%s %s' completion: %s", src->path,
			src->args[1], strerror(errno));
		/* return(-1); */ /* FIXME: (ATL) this doesn't feel right */
		return(0.0);
	}

	RAND_add(&status, sizeof(&status), 0.0);

	if (error_abort) {
		/* closing p[0] on timeout causes the entropy command to
		 * SIGPIPE. Take whatever output we got, and mark this command
		 * as slow */
		debug("Command %s %s timed out", src->path, src->args[1]);
		src->sticky_badness *= 2;
		src->badness = src->sticky_badness;
		return(total_bytes_read);
	}

	if (WIFEXITED(status)) {
		if (WEXITSTATUS(status)==0) {
			return(total_bytes_read);
		} else {
			debug("Exit status was %d", WEXITSTATUS(status));
			src->badness = src->sticky_badness = 128;
			return (0.0);
		}
	} else if (WIFSIGNALED(status)) {
		debug("Returned on uncaught signal %d !", status);
		src->badness = src->sticky_badness = 128;
		return(0.0);
	} else
		return(0.0);
}

/*
 * prng seedfile functions
 */
int
prng_check_seedfile(char *filename) {

	struct stat st;

	/* FIXME raceable: eg replace seed between this stat and subsequent open */
	/* Not such a problem because we don't trust the seed file anyway */
	if (lstat(filename, &st) == -1) {
		/* Fail on hard errors */
		if (errno != ENOENT)
			fatal("Couldn't stat random seed file \"%s\": %s", filename,
				strerror(errno));

		return(0);
	}

	/* regular file? */
	if (!S_ISREG(st.st_mode))
		fatal("PRNG seedfile %.100s is not a regular file", filename);

	/* mode 0600, owned by root or the current user? */
	if (((st.st_mode & 0177) != 0) || !(st.st_uid == geteuid()))
		fatal("PRNG seedfile %.100s must be mode 0600, owned by uid %d",
			 filename, getuid());

	return(1);
}

void
prng_write_seedfile(void) {
	int fd;
	char seed[1024];
	char filename[1024];
	struct passwd *pw;

	/* Don't bother if we have already saved a seed */
	if (prng_seed_saved)
		return;
	
	prng_seed_saved = 1;
	
	pw = getpwuid(getuid());
	if (pw == NULL)
		fatal("Couldn't get password entry for current user (%i): %s", 
			getuid(), strerror(errno));
				
	/* Try to ensure that the parent directory is there */
	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, 
		SSH_USER_DIR);
	mkdir(filename, 0700);

	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, 
		SSH_PRNG_SEED_FILE);

	debug("writing PRNG seed to file %.100s", filename);

	RAND_bytes(seed, sizeof(seed));

	/* Don't care if the seed doesn't exist */
	prng_check_seedfile(filename);
	
	if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1)
		fatal("couldn't access PRNG seedfile %.100s (%.100s)", filename, 
			strerror(errno));
	
	if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed))
		fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, 
			 strerror(errno));

	close(fd);
}

void
prng_read_seedfile(void) {
	int fd;
	char seed[1024];
	char filename[1024];
	struct passwd *pw;
	
	pw = getpwuid(getuid());
	if (pw == NULL)
		fatal("Couldn't get password entry for current user (%i): %s", 
			getuid(), strerror(errno));
			
	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, 
		SSH_PRNG_SEED_FILE);

	debug("loading PRNG seed from file %.100s", filename);

	if (!prng_check_seedfile(filename)) {
		verbose("Random seed file not found, creating new");
		prng_write_seedfile();
		
		/* Reseed immediatly */
		(void)stir_from_system();
		(void)stir_from_programs();
		return;
	}

	/* open the file and read in the seed */
	fd = open(filename, O_RDONLY);
	if (fd == -1)
		fatal("could not open PRNG seedfile %.100s (%.100s)", filename, 
			strerror(errno));

	if (atomicio(read, fd, &seed, sizeof(seed)) != sizeof(seed)) {
		verbose("invalid or short read from PRNG seedfile %.100s - ignoring",
			filename);
		memset(seed, '\0', sizeof(seed));
	}
	close(fd);

	/* stir in the seed, with estimated entropy zero */
	RAND_add(&seed, sizeof(seed), 0.0);
}


/*
 * entropy command initialisation functions
 */
#define WHITESPACE " \t\n"

int
prng_read_commands(char *cmdfilename)
{
	FILE *f;
	char line[1024];
	char cmd[1024], path[256];
	double est;
	char *cp;
	int linenum;
	entropy_source_t *entcmd;
	int num_cmds = 64;
	int cur_cmd = 0;

	f = fopen(cmdfilename, "r");
	if (!f) {
		fatal("couldn't read entropy commands file %.100s: %.100s",
		    cmdfilename, strerror(errno));
	}

	linenum = 0;

	entcmd = (entropy_source_t *)xmalloc(num_cmds * sizeof(entropy_source_t));
	memset(entcmd, '\0', num_cmds * sizeof(entropy_source_t));

	while (fgets(line, sizeof(line), f)) {
		linenum++;

		/* skip leading whitespace, test for blank line or comment */
		cp = line + strspn(line, WHITESPACE);
		if ((*cp == 0) || (*cp == '#'))
			continue; /* done with this line */

		switch (*cp) {
			int arg;
			char *argv;

		case '"':
			/* first token, command args (incl. argv[0]) in double quotes */
			cp = strtok(cp, "\"");
			if (cp==NULL) {
				error("missing or bad command string, %.100s line %d -- ignored",
				      cmdfilename, linenum);
				continue;
			}
			strncpy(cmd, cp, sizeof(cmd));
			/* second token, full command path */
			if ((cp = strtok(NULL, WHITESPACE)) == NULL) {
				error("missing command path, %.100s line %d -- ignored",
				      cmdfilename, linenum);
				continue;
			}
			if (strncmp("undef", cp, 5)==0)   /* did configure mark this as dead? */
				continue;

			strncpy(path, cp, sizeof(path));			
			/* third token, entropy rate estimate for this command */
			if ( (cp = strtok(NULL, WHITESPACE)) == NULL) {
				error("missing entropy estimate, %.100s line %d -- ignored",
				      cmdfilename, linenum);
				continue;
			}
			est = strtod(cp, &argv);/* FIXME: (ATL) no error checking here */

			/* end of line */
			if ((cp = strtok(NULL, WHITESPACE)) != NULL) {
				error("garbage at end of line %d in %.100s -- ignored",
				      linenum, cmdfilename);
				continue;
			}

			/* split the command args */
			cp = strtok(cmd, WHITESPACE);
			arg = 0; argv = NULL;
			do {
				char *s = (char*)xmalloc(strlen(cp)+1);
				strncpy(s, cp, strlen(cp)+1);
				entcmd[cur_cmd].args[arg] = s;
				arg++;
			} while ((arg < 5) && (cp = strtok(NULL, WHITESPACE)));
			if (strtok(NULL, WHITESPACE))
				error("ignored extra command elements (max 5), %.100s line %d",
				      cmdfilename, linenum);

			/* copy the command path and rate estimate */
			entcmd[cur_cmd].path = (char *)xmalloc(strlen(path)+1);
			strncpy(entcmd[cur_cmd].path, path, strlen(path)+1);
		        entcmd[cur_cmd].rate = est;
			/* initialise other values */
			entcmd[cur_cmd].sticky_badness = 1;

			cur_cmd++;

			/* If we've filled the array, reallocate it twice the size */
			/* Do this now because even if this we're on the last command,
			   we need another slot to mark the last entry */
			if (cur_cmd == num_cmds) {
				num_cmds *= 2;
				entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t));
			}
			break;

		default:
			error("bad entropy command, %.100s line %d", cmdfilename,
			     linenum);
			continue;
		}
	}

	/* zero the last entry */
	memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t));
	/* trim to size */
	entropy_sources = xrealloc(entcmd, (cur_cmd+1) * sizeof(entropy_source_t));

	debug("loaded %d entropy commands from %.100s", cur_cmd, cmdfilename);

	return (cur_cmd >= MIN_ENTROPY_SOURCES);
}


#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */

#if defined(EGD_SOCKET) || defined(RANDOM_POOL)

/*
 * Seed OpenSSL's random number pool from Kernel random number generator
 * or EGD
 */
void
seed_rng(void)
{
	char buf[32];
	
	debug("Seeding random number generator");
	get_random_bytes(buf, sizeof(buf));
	RAND_add(buf, sizeof(buf), sizeof(buf));
	memset(buf, '\0', sizeof(buf));
}

#else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */

/*
 * Write a keyfile at exit
 */ 
void
prng_seed_cleanup(void *junk)
{
	prng_write_seedfile();
}

/*
 * Conditionally Seed OpenSSL's random number pool from
 * syscalls and program output
 */
void
seed_rng(void)
{
	if (!prng_commands_loaded) {
		if (!prng_read_commands(SSH_PRNG_COMMAND_FILE))
			fatal("PRNG initialisation failed -- exiting.");
		prng_commands_loaded = 1;
	}

	debug("Seeding random number generator.");
	debug("OpenSSL random status is now %i\n", RAND_status());
	debug("%i bytes from system calls", (int)stir_from_system());
	debug("%i bytes from programs", (int)stir_from_programs());
	debug("OpenSSL random status is now %i\n", RAND_status());

	if (!prng_seed_loaded)
	{
		prng_seed_loaded = 1;
		prng_seed_saved = 0;		
		prng_read_seedfile();
		fatal_add_cleanup(prng_seed_cleanup, NULL);
		atexit(prng_write_seedfile);
	}
}
#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */
Commit	Line	Data
bfc9a610	1	/*
	2	* Copyright (c) 2000 Damien Miller. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	* 3. All advertising materials mentioning features or use of this software
	13	* must display the following acknowledgement:
	14	* This product includes software developed by Markus Friedl.
	15	* 4. The name of the author may not be used to endorse or promote products
	16	* derived from this software without specific prior written permission.
	17	*
	18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
	30	#include "includes.h"
	31
	32	#include "ssh.h"
	33	#include "xmalloc.h"
	34
35484284	35	#include <openssl/rand.h>
35484284	36	#include <openssl/sha.h>
bfc9a610	37
	38	RCSID("$Id$");
	39
	40	#ifdef EGD_SOCKET
	41	#ifndef offsetof
	42	# define offsetof(type, member) ((size_t) &((type *)0)->member)
	43	#endif
	44	/* Collect entropy from EGD */
	45	void get_random_bytes(unsigned char *buf, int len)
	46	{
	47	static int egd_socket = -1;
	48	int c;
	49	char egd_message[2] = { 0x02, 0x00 };
	50	struct sockaddr_un addr;
	51	int addr_len;
	52
	53	memset(&addr, '\0', sizeof(addr));
	54	addr.sun_family = AF_UNIX;
	55
	56	/* FIXME: compile time check? */
	57	if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path))
	58	fatal("Random pool path is too long");
	59
	60	strcpy(addr.sun_path, EGD_SOCKET);
	61
	62	addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET);
	63
	64	if (egd_socket == -1) {
	65	egd_socket = socket(AF_UNIX, SOCK_STREAM, 0);
	66	if (egd_socket == -1)
	67	fatal("Couldn't create AF_UNIX socket: %s", strerror(errno));
	68	if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1)
	69	fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno));
	70	}
	71
	72	if (len > 255)
	73	fatal("Too many bytes to read from EGD");
	74
	75	/* Send blocking read request to EGD */
	76	egd_message[1] = len;
	77
	78	c = atomicio(write, egd_socket, egd_message, sizeof(egd_message));
	79	if (c == -1)
	80	fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno));
	81
	82	c = atomicio(read, egd_socket, buf, len);
	83	if (c <= 0)
	84	fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno));
	85
	86	close(EGD_SOCKET);
	87	}
	88	#else /* !EGD_SOCKET */
	89	#ifdef RANDOM_POOL
	90	/* Collect entropy from /dev/urandom or pipe */
	91	void get_random_bytes(unsigned char *buf, int len)
	92	{
	93	static int random_pool = -1;
	94	int c;
	95
	96	if (random_pool == -1) {
	97	random_pool = open(RANDOM_POOL, O_RDONLY);
	98	if (random_pool == -1)
	99	fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
	100	}
101
bfc9a610	102	c = atomicio(read, random_pool, buf, len);
	103	if (c <= 0)
	104	fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
	105	}
	106	#endif /* RANDOM_POOL */
	107	#endif /* EGD_SOCKET */
	108
	109	#if !defined(EGD_SOCKET) && !defined(RANDOM_POOL)
	110	/*
	111	* FIXME: proper entropy estimations. All current values are guesses
b7a87eea	112	* FIXME: (ATL) do estimates at compile time?
bfc9a610	113	* FIXME: More entropy sources
	114	*/
	115
b7a87eea	116	/* slow command timeouts (all in milliseconds) */
	117	/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */
	118	static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC;
	119
	120	static int prng_seed_loaded = 0;
d3083fbd	121	static int prng_seed_saved = 0;
d3083fbd	122	static int prng_commands_loaded = 0;
bfc9a610	123
	124	typedef struct
	125	{
	126	/* Proportion of data that is entropy */
	127	double rate;
b7a87eea	128	/* Counter goes positive if this command times out */
	129	unsigned int badness;
	130	/* Increases by factor of two each timeout */
	131	unsigned int sticky_badness;
bfc9a610	132	/* Path to executable */
d3083fbd	133	char *path;
bfc9a610	134	/* argv to pass to executable */
d3083fbd	135	char *args[5];
bfc9a610	136	} entropy_source_t;
bfc9a610	137
b7a87eea	138	double stir_from_system(void);
	139	double stir_from_programs(void);
	140	double stir_gettimeofday(double entropy_estimate);
	141	double stir_clock(double entropy_estimate);
	142	double stir_rusage(int who, double entropy_estimate);
	143	double hash_output_from_command(entropy_source_t src, char hash);
	144
d3083fbd	145	/* this is initialised from a file, by prng_read_commands() */
	146	entropy_source_t *entropy_sources = NULL;
	147	#define MIN_ENTROPY_SOURCES 16
	148
bfc9a610	149
bfc9a610	150	double
	151	stir_from_system(void)
	152	{
	153	double total_entropy_estimate;
	154	long int i;
	155
	156	total_entropy_estimate = 0;
	157
	158	i = getpid();
	159	RAND_add(&i, sizeof(i), 0.1);
	160	total_entropy_estimate += 0.1;
	161
	162	i = getppid();
	163	RAND_add(&i, sizeof(i), 0.1);
	164	total_entropy_estimate += 0.1;
	165
	166	i = getuid();
	167	RAND_add(&i, sizeof(i), 0.0);
	168	i = getgid();
	169	RAND_add(&i, sizeof(i), 0.0);
	170
	171	total_entropy_estimate += stir_gettimeofday(1.0);
	172	total_entropy_estimate += stir_clock(0.2);
	173	total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0);
	174
	175	return(total_entropy_estimate);
	176	}
	177
	178	double
	179	stir_from_programs(void)
	180	{
	181	int i;
	182	int c;
	183	double entropy_estimate;
	184	double total_entropy_estimate;
	185	char hash[SHA_DIGEST_LENGTH];
	186
	187	/*
	188	* Run through list of programs twice to catch differences
	189	*/
	190	total_entropy_estimate = 0;
	191	for(i = 0; i < 2; i++) {
	192	c = 0;
	193	while (entropy_sources[c].path != NULL) {
bfc9a610	194
b7a87eea	195	if (!entropy_sources[c].badness) {
	196	/* Hash output from command */
	197	entropy_estimate = hash_output_from_command(&entropy_sources[c], hash);
	198
	199	/* Scale back entropy estimate according to command's rate */
	200	entropy_estimate *= entropy_sources[c].rate;
bfc9a610	201
b7a87eea	202	/* Upper bound of entropy estimate is SHA_DIGEST_LENGTH */
	203	if (entropy_estimate > SHA_DIGEST_LENGTH)
	204	entropy_estimate = SHA_DIGEST_LENGTH;
bfc9a610	205
bfc9a610	206	/* * Scale back estimates for subsequent passes through list */
b7a87eea	207	entropy_estimate /= 10.0 * (i + 1.0);
bfc9a610	208
b7a87eea	209	/* Stir it in */
b7a87eea	210	RAND_add(hash, sizeof(hash), entropy_estimate);
bfc9a610	211
	212	/* FIXME: turn this off later */
	213	#if 1
b7a87eea	214	debug("Got %0.2f bytes of entropy from %s", entropy_estimate,
b7a87eea	215	entropy_sources[c].path);
bfc9a610	216	#endif
bfc9a610	217
b7a87eea	218	total_entropy_estimate += entropy_estimate;
bfc9a610	219
bfc9a610	220	/* Execution times should be a little unpredictable */
b7a87eea	221	total_entropy_estimate += stir_gettimeofday(0.05);
	222	total_entropy_estimate += stir_clock(0.05);
	223	total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1);
	224	total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1);
	225	} else {
	226	/* FIXME: turn this off later */
	227	#if 1
	228	debug("Command '%s %s %s' disabled (badness %d)",
	229	entropy_sources[c].path, entropy_sources[c].args[1],
	230	entropy_sources[c].args[2], entropy_sources[c].badness);
	231	#endif
	232
	233	if (entropy_sources[c].badness > 0)
	234	entropy_sources[c].badness--;
	235	}
	236
bfc9a610	237	c++;
	238	}
	239	}
	240
	241	return(total_entropy_estimate);
	242	}
	243
	244	double
	245	stir_gettimeofday(double entropy_estimate)
	246	{
	247	struct timeval tv;
	248
	249	if (gettimeofday(&tv, NULL) == -1)
	250	fatal("Couldn't gettimeofday: %s", strerror(errno));
	251
	252	RAND_add(&tv, sizeof(tv), entropy_estimate);
	253
	254	return(entropy_estimate);
	255	}
	256
	257	double
	258	stir_clock(double entropy_estimate)
	259	{
	260	#ifdef HAVE_CLOCK
	261	clock_t c;
	262
	263	c = clock();
	264	RAND_add(&c, sizeof(c), entropy_estimate);
	265
	266	return(entropy_estimate);
	267	#else /* _HAVE_CLOCK */
	268	return(0);
	269	#endif /* _HAVE_CLOCK */
	270	}
	271
	272	double
	273	stir_rusage(int who, double entropy_estimate)
	274	{
	275	#ifdef HAVE_GETRUSAGE
	276	struct rusage ru;
	277
b7a87eea	278	if (getrusage(who, &ru) == -1)
bfc9a610	279	fatal("Couldn't getrusage: %s", strerror(errno));
	280
	281	RAND_add(&ru, sizeof(ru), 0.1);
	282
	283	return(entropy_estimate);
	284	#else /* _HAVE_GETRUSAGE */
	285	return(0);
	286	#endif /* _HAVE_GETRUSAGE */
	287	}
	288
	289	double
b7a87eea	290	hash_output_from_command(entropy_source_t src, char hash)
bfc9a610	291	{
	292	static int devnull = -1;
	293	int p[2];
b7a87eea	294	fd_set rdset;
b7a87eea	295	int cmd_eof = 0, error_abort = 0;
bfc9a610	296	pid_t pid;
	297	int status;
	298	char buf[2048];
	299	int bytes_read;
	300	int total_bytes_read;
	301	SHA_CTX sha;
	302
	303	if (devnull == -1) {
	304	devnull = open("/dev/null", O_RDWR);
	305	if (devnull == -1)
	306	fatal("Couldn't open /dev/null: %s", strerror(errno));
	307	}
	308
	309	if (pipe(p) == -1)
	310	fatal("Couldn't open pipe: %s", strerror(errno));
	311
	312	switch (pid = fork()) {
	313	case -1: /* Error */
	314	close(p[0]);
	315	close(p[1]);
	316	fatal("Couldn't fork: %s", strerror(errno));
	317	/* NOTREACHED */
	318	case 0: /* Child */
b7a87eea	319	dup2(devnull, STDIN_FILENO);
	320	dup2(p[1], STDOUT_FILENO);
	321	dup2(p[1], STDERR_FILENO);
bfc9a610	322	close(p[0]);
	323	close(p[1]);
	324	close(devnull);
	325
b7a87eea	326	execv(src->path, (char**)(src->args));
	327	debug("(child) Couldn't exec '%s %s %s': %s", src->path,
	328	src->args[1], src->args[2], strerror(errno));
	329	src->badness = src->sticky_badness = 128;
bfc9a610	330	_exit(-1);
	331	default: /* Parent */
	332	break;
	333	}
	334
	335	RAND_add(&pid, sizeof(&pid), 0.0);
	336
	337	close(p[1]);
	338
	339	/* Hash output from child */
	340	SHA1_Init(&sha);
	341	total_bytes_read = 0;
b7a87eea	342
	343	while (!error_abort && !cmd_eof) {
	344	int ret;
	345	struct timeval tv;
	346
	347	FD_ZERO(&rdset);
	348	FD_SET(p[0], &rdset);
	349	tv.tv_sec = entropy_timeout_current / 1000;
	350	tv.tv_usec = (entropy_timeout_current % 1000) * 1000;
	351
	352	ret = select(p[0]+1, &rdset, NULL, NULL, &tv);
	353	switch (ret) {
	354	case 0:
	355	/* timer expired */
	356	error_abort = 1;
	357	break;
	358
	359	case 1:
	360	/* command input */
	361	bytes_read = read(p[0], buf, sizeof(buf));
	362	if (bytes_read == -1) {
	363	error_abort = 1;
	364	break;
	365	}
	366	SHA1_Update(&sha, buf, bytes_read);
	367	total_bytes_read += bytes_read;
	368	RAND_add(&bytes_read, sizeof(&bytes_read), 0.0);
	369	cmd_eof = bytes_read ? 0 : 1;
	370
	371	break;
	372
	373	case -1:
	374	default:
	375	error("Command '%s %s': select() failed: %s", src->path, src->args[1],
	376	strerror(errno));
	377	error_abort = 1;
	378	break;
	379	} /* switch ret */
	380
	381	RAND_add(&tv, sizeof(&tv), 0.0);
	382	} /* while !error_abort && !cmd_eof */
	383
bfc9a610	384	SHA1_Final(hash, &sha);
	385
	386	close(p[0]);
	387
	388	if (waitpid(pid, &status, 0) == -1) {
b7a87eea	389	error("Couldn't wait for child '%s %s' completion: %s", src->path,
	390	src->args[1], strerror(errno));
	391	/* return(-1); / / FIXME: (ATL) this doesn't feel right */
	392	return(0.0);
bfc9a610	393	}
	394
	395	RAND_add(&status, sizeof(&status), 0.0);
	396
b7a87eea	397	if (error_abort) {
	398	/* closing p[0] on timeout causes the entropy command to
	399	* SIGPIPE. Take whatever output we got, and mark this command
	400	* as slow */
	401	debug("Command %s %s timed out", src->path, src->args[1]);
	402	src->sticky_badness *= 2;
	403	src->badness = src->sticky_badness;
bfc9a610	404	return(total_bytes_read);
b7a87eea	405	}
	406
	407	if (WIFEXITED(status)) {
	408	if (WEXITSTATUS(status)==0) {
	409	return(total_bytes_read);
	410	} else {
	411	debug("Exit status was %d", WEXITSTATUS(status));
	412	src->badness = src->sticky_badness = 128;
	413	return (0.0);
	414	}
	415	} else if (WIFSIGNALED(status)) {
	416	debug("Returned on uncaught signal %d !", status);
	417	src->badness = src->sticky_badness = 128;
	418	return(0.0);
	419	} else
	420	return(0.0);
	421	}
	422
	423	/*
	424	* prng seedfile functions
	425	*/
	426	int
	427	prng_check_seedfile(char *filename) {
	428
	429	struct stat st;
	430
	431	/* FIXME raceable: eg replace seed between this stat and subsequent open */
	432	/* Not such a problem because we don't trust the seed file anyway */
	433	if (lstat(filename, &st) == -1) {
	434	/* Fail on hard errors */
	435	if (errno != ENOENT)
	436	fatal("Couldn't stat random seed file \"%s\": %s", filename,
	437	strerror(errno));
	438
	439	return(0);
	440	}
	441
	442	/* regular file? */
	443	if (!S_ISREG(st.st_mode))
	444	fatal("PRNG seedfile %.100s is not a regular file", filename);
	445
	446	/* mode 0600, owned by root or the current user? */
	447	if (((st.st_mode & 0177) != 0) \|\| !(st.st_uid == geteuid()))
	448	fatal("PRNG seedfile %.100s must be mode 0600, owned by uid %d",
	449	filename, getuid());
	450
	451	return(1);
	452	}
	453
	454	void
	455	prng_write_seedfile(void) {
	456	int fd;
	457	char seed[1024];
	458	char filename[1024];
	459	struct passwd *pw;
	460
	461	/* Don't bother if we have already saved a seed */
	462	if (prng_seed_saved)
	463	return;
	464
52bcc044	465	prng_seed_saved = 1;
52bcc044	466
b7a87eea	467	pw = getpwuid(getuid());
	468	if (pw == NULL)
	469	fatal("Couldn't get password entry for current user (%i): %s",
	470	getuid(), strerror(errno));
	471
	472	/* Try to ensure that the parent directory is there */
	473	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
	474	SSH_USER_DIR);
	475	mkdir(filename, 0700);
	476
	477	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
	478	SSH_PRNG_SEED_FILE);
	479
	480	debug("writing PRNG seed to file %.100s", filename);
	481
	482	RAND_bytes(seed, sizeof(seed));
	483
	484	/* Don't care if the seed doesn't exist */
	485	prng_check_seedfile(filename);
	486
	487	if ((fd = open(filename, O_WRONLY\|O_TRUNC\|O_CREAT, 0600)) == -1)
	488	fatal("couldn't access PRNG seedfile %.100s (%.100s)", filename,
	489	strerror(errno));
	490
	491	if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed))
	492	fatal("problem writing PRNG seedfile %.100s (%.100s)", filename,
	493	strerror(errno));
	494
	495	close(fd);
	496	}
	497
	498	void
	499	prng_read_seedfile(void) {
	500	int fd;
	501	char seed[1024];
	502	char filename[1024];
	503	struct passwd *pw;
	504
	505	pw = getpwuid(getuid());
	506	if (pw == NULL)
	507	fatal("Couldn't get password entry for current user (%i): %s",
	508	getuid(), strerror(errno));
	509
	510	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
	511	SSH_PRNG_SEED_FILE);
	512
	513	debug("loading PRNG seed from file %.100s", filename);
	514
	515	if (!prng_check_seedfile(filename)) {
	516	verbose("Random seed file not found, creating new");
	517	prng_write_seedfile();
	518
	519	/* Reseed immediatly */
	520	(void)stir_from_system();
	521	(void)stir_from_programs();
	522	return;
	523	}
	524
	525	/* open the file and read in the seed */
	526	fd = open(filename, O_RDONLY);
	527	if (fd == -1)
	528	fatal("could not open PRNG seedfile %.100s (%.100s)", filename,
	529	strerror(errno));
	530
531	if (atomicio(read, fd, &seed, sizeof(seed)) != sizeof(seed)) {
532	verbose("invalid or short read from PRNG seedfile %.100s - ignoring",
533	filename);
534	memset(seed, '\0', sizeof(seed));
535	}
536	close(fd);
537
538	/* stir in the seed, with estimated entropy zero */
539	RAND_add(&seed, sizeof(seed), 0.0);
bfc9a610	540	}
b7a87eea	541
d3083fbd	542
	543	/*
	544	* entropy command initialisation functions
	545	*/
	546	#define WHITESPACE " \t\n"
	547
	548	int
	549	prng_read_commands(char *cmdfilename)
	550	{
	551	FILE *f;
	552	char line[1024];
	553	char cmd[1024], path[256];
	554	double est;
	555	char *cp;
	556	int linenum;
	557	entropy_source_t *entcmd;
	558	int num_cmds = 64;
	559	int cur_cmd = 0;
	560
	561	f = fopen(cmdfilename, "r");
	562	if (!f) {
	563	fatal("couldn't read entropy commands file %.100s: %.100s",
	564	cmdfilename, strerror(errno));
	565	}
	566
	567	linenum = 0;
	568
	569	entcmd = (entropy_source_t )xmalloc(num_cmds sizeof(entropy_source_t));
	570	memset(entcmd, '\0', num_cmds * sizeof(entropy_source_t));
	571
	572	while (fgets(line, sizeof(line), f)) {
	573	linenum++;
	574
	575	/* skip leading whitespace, test for blank line or comment */
	576	cp = line + strspn(line, WHITESPACE);
	577	if ((cp == 0) \|\| (cp == '#'))
	578	continue; /* done with this line */
	579
	580	switch (*cp) {
	581	int arg;
	582	char *argv;
	583
	584	case '"':
	585	/* first token, command args (incl. argv[0]) in double quotes */
	586	cp = strtok(cp, "\"");
	587	if (cp==NULL) {
	588	error("missing or bad command string, %.100s line %d -- ignored",
	589	cmdfilename, linenum);
	590	continue;
	591	}
	592	strncpy(cmd, cp, sizeof(cmd));
	593	/* second token, full command path */
	594	if ((cp = strtok(NULL, WHITESPACE)) == NULL) {
	595	error("missing command path, %.100s line %d -- ignored",
	596	cmdfilename, linenum);
	597	continue;
	598	}
	599	if (strncmp("undef", cp, 5)==0) /* did configure mark this as dead? */
	600	continue;
	601
	602	strncpy(path, cp, sizeof(path));
	603	/* third token, entropy rate estimate for this command */
	604	if ( (cp = strtok(NULL, WHITESPACE)) == NULL) {
	605	error("missing entropy estimate, %.100s line %d -- ignored",
606	cmdfilename, linenum);
607	continue;
608	}
609	est = strtod(cp, &argv);/* FIXME: (ATL) no error checking here */
610
611	/* end of line */
612	if ((cp = strtok(NULL, WHITESPACE)) != NULL) {
613	error("garbage at end of line %d in %.100s -- ignored",
614	linenum, cmdfilename);
615	continue;
616	}
617
618	/* split the command args */
619	cp = strtok(cmd, WHITESPACE);
620	arg = 0; argv = NULL;
621	do {
622	char s = (char)xmalloc(strlen(cp)+1);
623	strncpy(s, cp, strlen(cp)+1);
624	entcmd[cur_cmd].args[arg] = s;
625	arg++;
626	} while ((arg < 5) && (cp = strtok(NULL, WHITESPACE)));
627	if (strtok(NULL, WHITESPACE))
628	error("ignored extra command elements (max 5), %.100s line %d",
629	cmdfilename, linenum);
630
631	/* copy the command path and rate estimate */
632	entcmd[cur_cmd].path = (char *)xmalloc(strlen(path)+1);
633	strncpy(entcmd[cur_cmd].path, path, strlen(path)+1);
634	entcmd[cur_cmd].rate = est;
635	/* initialise other values */
636	entcmd[cur_cmd].sticky_badness = 1;
637
638	cur_cmd++;
639
640	/* If we've filled the array, reallocate it twice the size */
641	/* Do this now because even if this we're on the last command,
642	we need another slot to mark the last entry */
643	if (cur_cmd == num_cmds) {
644	num_cmds *= 2;
645	entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t));
646	}
647	break;
648
649	default:
650	error("bad entropy command, %.100s line %d", cmdfilename,
651	linenum);
652	continue;
653	}
654	}
655
656	/* zero the last entry */
657	memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t));
658	/* trim to size */
659	entropy_sources = xrealloc(entcmd, (cur_cmd+1) * sizeof(entropy_source_t));
660
661	debug("loaded %d entropy commands from %.100s", cur_cmd, cmdfilename);
662
663	return (cur_cmd >= MIN_ENTROPY_SOURCES);
664	}
665
666
bfc9a610	667	#endif /* defined(EGD_SOCKET) \|\| defined(RANDOM_POOL) */
	668
	669	#if defined(EGD_SOCKET) \|\| defined(RANDOM_POOL)
b7a87eea	670
bfc9a610	671	/*
	672	* Seed OpenSSL's random number pool from Kernel random number generator
	673	* or EGD
	674	*/
	675	void
	676	seed_rng(void)
	677	{
	678	char buf[32];
	679
	680	debug("Seeding random number generator");
	681	get_random_bytes(buf, sizeof(buf));
	682	RAND_add(buf, sizeof(buf), sizeof(buf));
	683	memset(buf, '\0', sizeof(buf));
	684	}
b7a87eea	685
bfc9a610	686	#else /* defined(EGD_SOCKET) \|\| defined(RANDOM_POOL) */
b7a87eea	687
	688	/*
	689	* Write a keyfile at exit
	690	*/
	691	void
	692	prng_seed_cleanup(void *junk)
	693	{
	694	prng_write_seedfile();
	695	}
	696
bfc9a610	697	/*
b7a87eea	698	* Conditionally Seed OpenSSL's random number pool from
b7a87eea	699	* syscalls and program output
bfc9a610	700	*/
	701	void
	702	seed_rng(void)
	703	{
d3083fbd	704	if (!prng_commands_loaded) {
	705	if (!prng_read_commands(SSH_PRNG_COMMAND_FILE))
	706	fatal("PRNG initialisation failed -- exiting.");
	707	prng_commands_loaded = 1;
	708	}
	709
6c081128	710	debug("Seeding random number generator.");
	711	debug("OpenSSL random status is now %i\n", RAND_status());
	712	debug("%i bytes from system calls", (int)stir_from_system());
	713	debug("%i bytes from programs", (int)stir_from_programs());
	714	debug("OpenSSL random status is now %i\n", RAND_status());
b7a87eea	715
	716	if (!prng_seed_loaded)
	717	{
	718	prng_seed_loaded = 1;
	719	prng_seed_saved = 0;
	720	prng_read_seedfile();
	721	fatal_add_cleanup(prng_seed_cleanup, NULL);
	722	atexit(prng_write_seedfile);
	723	}
bfc9a610	724	}
bfc9a610	725	#endif /* defined(EGD_SOCKET) \|\| defined(RANDOM_POOL) */