]> andersk Git - openssh.git/blame - entropy.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
whitspace
[openssh.git] / entropy.c
CommitLineData
bfc9a610 1/*
2 * Copyright (c) 2000 Damien Miller. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
bfc9a610 12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25#include "includes.h"
26
35484284 27#include <openssl/rand.h>
28#include <openssl/sha.h>
bfc9a610 29
819b676f 30/* SunOS 4.4.4 needs this */
31#ifdef HAVE_FLOATINGPOINT_H
32# include <floatingpoint.h>
33#endif /* HAVE_FLOATINGPOINT_H */
34
42f11eb2 35#include "ssh.h"
e1a023df 36#include "misc.h"
42f11eb2 37#include "xmalloc.h"
38#include "atomicio.h"
effa6591 39#include "pathnames.h"
42f11eb2 40#include "log.h"
41
bfc9a610 42RCSID("$Id$");
43
bfc9a610 44#ifndef offsetof
45# define offsetof(type, member) ((size_t) &((type *)0)->member)
46#endif
48c99b2c 47
48c99b2c 48/* Number of times to pass through command list gathering entropy */
49#define NUM_ENTROPY_RUNS 1
50
51/* Scale entropy estimates back by this amount on subsequent runs */
52#define SCALE_PER_RUN 10.0
53
54/* Minimum number of commands to be considered valid */
55#define MIN_ENTROPY_SOURCES 16
56
57#define WHITESPACE " \t\n"
58
cbd7492e 59#ifndef RUSAGE_SELF
60# define RUSAGE_SELF 0
61#endif
62#ifndef RUSAGE_CHILDREN
63# define RUSAGE_CHILDREN 0
64#endif
65
86b416a7 66#if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS)
67# define SAVED_IDS_WORK_WITH_SETEUID
68#endif
69
48c99b2c 70#if defined(EGD_SOCKET) || defined(RANDOM_POOL)
71
72#ifdef EGD_SOCKET
bfc9a610 73/* Collect entropy from EGD */
be0b9bb7 74int get_random_bytes(unsigned char *buf, int len)
bfc9a610 75{
be0b9bb7 76 int fd;
77 char msg[2];
bfc9a610 78 struct sockaddr_un addr;
6a951840 79 int addr_len, rval, errors;
e1a023df 80 mysig_t old_sigpipe;
bfc9a610 81
be0b9bb7 82 /* Sanity checks */
bfc9a610 83 if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path))
84 fatal("Random pool path is too long");
be0b9bb7 85 if (len > 255)
86 fatal("Too many bytes to read from EGD");
87
88 memset(&addr, '\0', sizeof(addr));
89 addr.sun_family = AF_UNIX;
48c99b2c 90 strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path));
bfc9a610 91 addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET);
2b87da3b 92
e1a023df 93 old_sigpipe = mysignal(SIGPIPE, SIG_IGN);
6a951840 94
95 errors = rval = 0;
96reopen:
be0b9bb7 97 fd = socket(AF_UNIX, SOCK_STREAM, 0);
98 if (fd == -1) {
99 error("Couldn't create AF_UNIX socket: %s", strerror(errno));
6a951840 100 goto done;
be0b9bb7 101 }
bfc9a610 102
be0b9bb7 103 if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) {
2b87da3b 104 error("Couldn't connect to EGD socket \"%s\": %s",
be0b9bb7 105 addr.sun_path, strerror(errno));
6a951840 106 goto done;
be0b9bb7 107 }
bfc9a610 108
be0b9bb7 109 /* Send blocking read request to EGD */
110 msg[0] = 0x02;
111 msg[1] = len;
112
113 if (atomicio(write, fd, msg, sizeof(msg)) != sizeof(msg)) {
6a951840 114 if (errno == EPIPE && errors < 10) {
115 close(fd);
116 errors++;
117 goto reopen;
118 }
2b87da3b 119 error("Couldn't write to EGD socket \"%s\": %s",
be0b9bb7 120 EGD_SOCKET, strerror(errno));
6a951840 121 goto done;
be0b9bb7 122 }
bfc9a610 123
be0b9bb7 124 if (atomicio(read, fd, buf, len) != len) {
6a951840 125 if (errno == EPIPE && errors < 10) {
126 close(fd);
127 errors++;
128 goto reopen;
129 }
2b87da3b 130 error("Couldn't read from EGD socket \"%s\": %s",
be0b9bb7 131 EGD_SOCKET, strerror(errno));
6a951840 132 goto done;
be0b9bb7 133 }
2b87da3b 134
6a951840 135 rval = 1;
136done:
2adddc78 137 mysignal(SIGPIPE, old_sigpipe);
6a951840 138 if (fd != -1)
139 close(fd);
140 return(rval);
bfc9a610 141}
142#else /* !EGD_SOCKET */
143#ifdef RANDOM_POOL
144/* Collect entropy from /dev/urandom or pipe */
be0b9bb7 145int get_random_bytes(unsigned char *buf, int len)
bfc9a610 146{
be0b9bb7 147 int random_pool;
bfc9a610 148
be0b9bb7 149 random_pool = open(RANDOM_POOL, O_RDONLY);
bfc9a610 150 if (random_pool == -1) {
2b87da3b 151 error("Couldn't open random pool \"%s\": %s",
be0b9bb7 152 RANDOM_POOL, strerror(errno));
153 return(0);
bfc9a610 154 }
2b87da3b 155
be0b9bb7 156 if (atomicio(read, random_pool, buf, len) != len) {
2b87da3b 157 error("Couldn't read from random pool \"%s\": %s",
be0b9bb7 158 RANDOM_POOL, strerror(errno));
159 close(random_pool);
160 return(0);
161 }
2b87da3b 162
be0b9bb7 163 close(random_pool);
2b87da3b 164
be0b9bb7 165 return(1);
bfc9a610 166}
167#endif /* RANDOM_POOL */
168#endif /* EGD_SOCKET */
169
48c99b2c 170/*
171 * Seed OpenSSL's random number pool from Kernel random number generator
172 * or EGD
173 */
174void
175seed_rng(void)
176{
177 char buf[32];
2b87da3b 178
48c99b2c 179 debug("Seeding random number generator");
be0b9bb7 180
b5b3f75d 181 if (!get_random_bytes(buf, sizeof(buf))) {
182 if (!RAND_status())
183 fatal("Entropy collection failed and entropy exhausted");
184 } else {
185 RAND_add(buf, sizeof(buf), sizeof(buf));
186 }
2b87da3b 187
48c99b2c 188 memset(buf, '\0', sizeof(buf));
189}
190
264dce47 191/* No-op */
192void init_rng(void) {}
193
48c99b2c 194#else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */
195
2b87da3b 196/*
bfc9a610 197 * FIXME: proper entropy estimations. All current values are guesses
b7a87eea 198 * FIXME: (ATL) do estimates at compile time?
bfc9a610 199 * FIXME: More entropy sources
200 */
201
b7a87eea 202/* slow command timeouts (all in milliseconds) */
203/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */
204static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC;
205
d3083fbd 206static int prng_seed_saved = 0;
264dce47 207static int prng_initialised = 0;
208uid_t original_uid;
bfc9a610 209
210typedef struct
211{
212 /* Proportion of data that is entropy */
213 double rate;
b7a87eea 214 /* Counter goes positive if this command times out */
215 unsigned int badness;
216 /* Increases by factor of two each timeout */
217 unsigned int sticky_badness;
bfc9a610 218 /* Path to executable */
d3083fbd 219 char *path;
bfc9a610 220 /* argv to pass to executable */
d3083fbd 221 char *args[5];
ad85db64 222 /* full command string (debug) */
223 char *cmdstring;
bfc9a610 224} entropy_source_t;
225
b7a87eea 226double stir_from_system(void);
227double stir_from_programs(void);
228double stir_gettimeofday(double entropy_estimate);
229double stir_clock(double entropy_estimate);
230double stir_rusage(int who, double entropy_estimate);
231double hash_output_from_command(entropy_source_t *src, char *hash);
232
d3083fbd 233/* this is initialised from a file, by prng_read_commands() */
234entropy_source_t *entropy_sources = NULL;
bfc9a610 235
2b87da3b 236double
bfc9a610 237stir_from_system(void)
238{
239 double total_entropy_estimate;
240 long int i;
2b87da3b 241
bfc9a610 242 total_entropy_estimate = 0;
2b87da3b 243
bfc9a610 244 i = getpid();
cbd7492e 245 RAND_add(&i, sizeof(i), 0.5);
bfc9a610 246 total_entropy_estimate += 0.1;
2b87da3b 247
bfc9a610 248 i = getppid();
cbd7492e 249 RAND_add(&i, sizeof(i), 0.5);
bfc9a610 250 total_entropy_estimate += 0.1;
251
252 i = getuid();
253 RAND_add(&i, sizeof(i), 0.0);
254 i = getgid();
255 RAND_add(&i, sizeof(i), 0.0);
256
257 total_entropy_estimate += stir_gettimeofday(1.0);
cbd7492e 258 total_entropy_estimate += stir_clock(0.5);
bfc9a610 259 total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0);
260
261 return(total_entropy_estimate);
262}
263
2b87da3b 264double
bfc9a610 265stir_from_programs(void)
266{
267 int i;
268 int c;
269 double entropy_estimate;
270 double total_entropy_estimate;
271 char hash[SHA_DIGEST_LENGTH];
272
bfc9a610 273 total_entropy_estimate = 0;
48c99b2c 274 for(i = 0; i < NUM_ENTROPY_RUNS; i++) {
bfc9a610 275 c = 0;
276 while (entropy_sources[c].path != NULL) {
bfc9a610 277
b7a87eea 278 if (!entropy_sources[c].badness) {
279 /* Hash output from command */
280 entropy_estimate = hash_output_from_command(&entropy_sources[c], hash);
281
282 /* Scale back entropy estimate according to command's rate */
283 entropy_estimate *= entropy_sources[c].rate;
2b87da3b 284
b7a87eea 285 /* Upper bound of entropy estimate is SHA_DIGEST_LENGTH */
286 if (entropy_estimate > SHA_DIGEST_LENGTH)
287 entropy_estimate = SHA_DIGEST_LENGTH;
bfc9a610 288
2b87da3b 289 /* Scale back estimates for subsequent passes through list */
48c99b2c 290 entropy_estimate /= SCALE_PER_RUN * (i + 1.0);
2b87da3b 291
b7a87eea 292 /* Stir it in */
293 RAND_add(hash, sizeof(hash), entropy_estimate);
bfc9a610 294
2b87da3b 295 debug3("Got %0.2f bytes of entropy from '%s'", entropy_estimate,
ad85db64 296 entropy_sources[c].cmdstring);
bfc9a610 297
b7a87eea 298 total_entropy_estimate += entropy_estimate;
bfc9a610 299
300 /* Execution times should be a little unpredictable */
b7a87eea 301 total_entropy_estimate += stir_gettimeofday(0.05);
302 total_entropy_estimate += stir_clock(0.05);
303 total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1);
304 total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1);
305 } else {
22d89d24 306 debug2("Command '%s' disabled (badness %d)",
ad85db64 307 entropy_sources[c].cmdstring, entropy_sources[c].badness);
b7a87eea 308
309 if (entropy_sources[c].badness > 0)
310 entropy_sources[c].badness--;
311 }
312
bfc9a610 313 c++;
314 }
315 }
2b87da3b 316
bfc9a610 317 return(total_entropy_estimate);
318}
319
320double
321stir_gettimeofday(double entropy_estimate)
322{
323 struct timeval tv;
2b87da3b 324
bfc9a610 325 if (gettimeofday(&tv, NULL) == -1)
326 fatal("Couldn't gettimeofday: %s", strerror(errno));
327
328 RAND_add(&tv, sizeof(tv), entropy_estimate);
2b87da3b 329
bfc9a610 330 return(entropy_estimate);
331}
332
333double
334stir_clock(double entropy_estimate)
335{
336#ifdef HAVE_CLOCK
337 clock_t c;
2b87da3b 338
bfc9a610 339 c = clock();
340 RAND_add(&c, sizeof(c), entropy_estimate);
2b87da3b 341
bfc9a610 342 return(entropy_estimate);
343#else /* _HAVE_CLOCK */
344 return(0);
345#endif /* _HAVE_CLOCK */
346}
347
348double
349stir_rusage(int who, double entropy_estimate)
350{
351#ifdef HAVE_GETRUSAGE
352 struct rusage ru;
2b87da3b 353
b7a87eea 354 if (getrusage(who, &ru) == -1)
cbd7492e 355 return(0);
bfc9a610 356
cbd7492e 357 RAND_add(&ru, sizeof(ru), entropy_estimate);
bfc9a610 358
359 return(entropy_estimate);
360#else /* _HAVE_GETRUSAGE */
361 return(0);
362#endif /* _HAVE_GETRUSAGE */
363}
364
ad85db64 365
366static
367int
368_get_timeval_msec_difference(struct timeval *t1, struct timeval *t2) {
369 int secdiff, usecdiff;
370
371 secdiff = t2->tv_sec - t1->tv_sec;
372 usecdiff = (secdiff*1000000) + (t2->tv_usec - t1->tv_usec);
373 return (int)(usecdiff / 1000);
374}
375
bfc9a610 376double
b7a87eea 377hash_output_from_command(entropy_source_t *src, char *hash)
bfc9a610 378{
379 static int devnull = -1;
380 int p[2];
b7a87eea 381 fd_set rdset;
382 int cmd_eof = 0, error_abort = 0;
ad85db64 383 struct timeval tv_start, tv_current;
384 int msec_elapsed = 0;
bfc9a610 385 pid_t pid;
386 int status;
ad85db64 387 char buf[16384];
bfc9a610 388 int bytes_read;
389 int total_bytes_read;
390 SHA_CTX sha;
2b87da3b 391
22d89d24 392 debug3("Reading output from \'%s\'", src->cmdstring);
393
bfc9a610 394 if (devnull == -1) {
395 devnull = open("/dev/null", O_RDWR);
396 if (devnull == -1)
397 fatal("Couldn't open /dev/null: %s", strerror(errno));
398 }
2b87da3b 399
bfc9a610 400 if (pipe(p) == -1)
401 fatal("Couldn't open pipe: %s", strerror(errno));
402
ad85db64 403 (void)gettimeofday(&tv_start, NULL); /* record start time */
404
bfc9a610 405 switch (pid = fork()) {
406 case -1: /* Error */
407 close(p[0]);
408 close(p[1]);
409 fatal("Couldn't fork: %s", strerror(errno));
410 /* NOTREACHED */
411 case 0: /* Child */
b7a87eea 412 dup2(devnull, STDIN_FILENO);
413 dup2(p[1], STDOUT_FILENO);
414 dup2(p[1], STDERR_FILENO);
bfc9a610 415 close(p[0]);
416 close(p[1]);
417 close(devnull);
418
264dce47 419 setuid(original_uid);
b7a87eea 420 execv(src->path, (char**)(src->args));
ad85db64 421 debug("(child) Couldn't exec '%s': %s", src->cmdstring,
422 strerror(errno));
bfc9a610 423 _exit(-1);
424 default: /* Parent */
425 break;
426 }
427
428 RAND_add(&pid, sizeof(&pid), 0.0);
429
430 close(p[1]);
431
432 /* Hash output from child */
433 SHA1_Init(&sha);
434 total_bytes_read = 0;
b7a87eea 435
436 while (!error_abort && !cmd_eof) {
437 int ret;
438 struct timeval tv;
ad85db64 439 int msec_remaining;
440
441 (void) gettimeofday(&tv_current, 0);
48c99b2c 442 msec_elapsed = _get_timeval_msec_difference(&tv_start, &tv_current);
ad85db64 443 if (msec_elapsed >= entropy_timeout_current) {
444 error_abort=1;
445 continue;
446 }
447 msec_remaining = entropy_timeout_current - msec_elapsed;
b7a87eea 448
449 FD_ZERO(&rdset);
450 FD_SET(p[0], &rdset);
ad85db64 451 tv.tv_sec = msec_remaining / 1000;
452 tv.tv_usec = (msec_remaining % 1000) * 1000;
b7a87eea 453
454 ret = select(p[0]+1, &rdset, NULL, NULL, &tv);
ad85db64 455
264dce47 456 RAND_add(&tv, sizeof(tv), 0.0);
457
b7a87eea 458 switch (ret) {
459 case 0:
460 /* timer expired */
461 error_abort = 1;
462 break;
b7a87eea 463 case 1:
464 /* command input */
465 bytes_read = read(p[0], buf, sizeof(buf));
264dce47 466 RAND_add(&bytes_read, sizeof(&bytes_read), 0.0);
b7a87eea 467 if (bytes_read == -1) {
468 error_abort = 1;
469 break;
264dce47 470 } else if (bytes_read) {
ad85db64 471 SHA1_Update(&sha, buf, bytes_read);
472 total_bytes_read += bytes_read;
264dce47 473 } else {
ad85db64 474 cmd_eof = 1;
264dce47 475 }
b7a87eea 476 break;
b7a87eea 477 case -1:
478 default:
264dce47 479 /* error */
ad85db64 480 debug("Command '%s': select() failed: %s", src->cmdstring,
481 strerror(errno));
b7a87eea 482 error_abort = 1;
483 break;
264dce47 484 }
485 }
b7a87eea 486
bfc9a610 487 SHA1_Final(hash, &sha);
488
489 close(p[0]);
ad85db64 490
22d89d24 491 debug3("Time elapsed: %d msec", msec_elapsed);
2b87da3b 492
bfc9a610 493 if (waitpid(pid, &status, 0) == -1) {
22d89d24 494 error("Couldn't wait for child '%s' completion: %s", src->cmdstring,
ad85db64 495 strerror(errno));
b7a87eea 496 return(0.0);
bfc9a610 497 }
498
499 RAND_add(&status, sizeof(&status), 0.0);
500
b7a87eea 501 if (error_abort) {
502 /* closing p[0] on timeout causes the entropy command to
503 * SIGPIPE. Take whatever output we got, and mark this command
504 * as slow */
22d89d24 505 debug2("Command '%s' timed out", src->cmdstring);
b7a87eea 506 src->sticky_badness *= 2;
507 src->badness = src->sticky_badness;
bfc9a610 508 return(total_bytes_read);
b7a87eea 509 }
510
511 if (WIFEXITED(status)) {
512 if (WEXITSTATUS(status)==0) {
513 return(total_bytes_read);
514 } else {
2b87da3b 515 debug2("Command '%s' exit status was %d", src->cmdstring,
48c99b2c 516 WEXITSTATUS(status));
b7a87eea 517 src->badness = src->sticky_badness = 128;
518 return (0.0);
519 }
520 } else if (WIFSIGNALED(status)) {
2b87da3b 521 debug2("Command '%s' returned on uncaught signal %d !", src->cmdstring,
48c99b2c 522 status);
b7a87eea 523 src->badness = src->sticky_badness = 128;
524 return(0.0);
525 } else
526 return(0.0);
527}
528
529/*
530 * prng seedfile functions
531 */
532int
533prng_check_seedfile(char *filename) {
534
535 struct stat st;
536
537 /* FIXME raceable: eg replace seed between this stat and subsequent open */
538 /* Not such a problem because we don't trust the seed file anyway */
539 if (lstat(filename, &st) == -1) {
5b2d4b75 540 /* Give up on hard errors */
b7a87eea 541 if (errno != ENOENT)
2b87da3b 542 debug("WARNING: Couldn't stat random seed file \"%s\": %s",
5b2d4b75 543 filename, strerror(errno));
b7a87eea 544
545 return(0);
546 }
547
548 /* regular file? */
549 if (!S_ISREG(st.st_mode))
550 fatal("PRNG seedfile %.100s is not a regular file", filename);
551
552 /* mode 0600, owned by root or the current user? */
5b2d4b75 553 if (((st.st_mode & 0177) != 0) || !(st.st_uid == original_uid)) {
554 debug("WARNING: PRNG seedfile %.100s must be mode 0600, owned by uid %d",
b7a87eea 555 filename, getuid());
5b2d4b75 556 return(0);
557 }
2b87da3b 558
b7a87eea 559 return(1);
560}
561
562void
563prng_write_seedfile(void) {
564 int fd;
565 char seed[1024];
566 char filename[1024];
567 struct passwd *pw;
568
569 /* Don't bother if we have already saved a seed */
570 if (prng_seed_saved)
571 return;
2b87da3b 572
264dce47 573 setuid(original_uid);
2b87da3b 574
52bcc044 575 prng_seed_saved = 1;
2b87da3b 576
264dce47 577 pw = getpwuid(original_uid);
b7a87eea 578 if (pw == NULL)
2b87da3b 579 fatal("Couldn't get password entry for current user (%i): %s",
264dce47 580 original_uid, strerror(errno));
2b87da3b 581
b7a87eea 582 /* Try to ensure that the parent directory is there */
2b87da3b 583 snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
effa6591 584 _PATH_SSH_USER_DIR);
b7a87eea 585 mkdir(filename, 0700);
586
2b87da3b 587 snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
b7a87eea 588 SSH_PRNG_SEED_FILE);
589
590 debug("writing PRNG seed to file %.100s", filename);
591
592 RAND_bytes(seed, sizeof(seed));
593
594 /* Don't care if the seed doesn't exist */
595 prng_check_seedfile(filename);
2b87da3b 596
5b2d4b75 597 if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) {
2b87da3b 598 debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)",
5b2d4b75 599 filename, strerror(errno));
2b87da3b 600 } else {
5b2d4b75 601 if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed))
2b87da3b 602 fatal("problem writing PRNG seedfile %.100s (%.100s)", filename,
5b2d4b75 603 strerror(errno));
b7a87eea 604
5b2d4b75 605 close(fd);
606 }
b7a87eea 607}
608
609void
610prng_read_seedfile(void) {
611 int fd;
612 char seed[1024];
613 char filename[1024];
614 struct passwd *pw;
2b87da3b 615
264dce47 616 pw = getpwuid(original_uid);
b7a87eea 617 if (pw == NULL)
2b87da3b 618 fatal("Couldn't get password entry for current user (%i): %s",
264dce47 619 original_uid, strerror(errno));
2b87da3b 620
621 snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
b7a87eea 622 SSH_PRNG_SEED_FILE);
623
624 debug("loading PRNG seed from file %.100s", filename);
625
626 if (!prng_check_seedfile(filename)) {
52ce34a2 627 verbose("Random seed file not found or not valid, ignoring.");
b7a87eea 628 return;
629 }
630
631 /* open the file and read in the seed */
632 fd = open(filename, O_RDONLY);
633 if (fd == -1)
2b87da3b 634 fatal("could not open PRNG seedfile %.100s (%.100s)", filename,
b7a87eea 635 strerror(errno));
636
637 if (atomicio(read, fd, &seed, sizeof(seed)) != sizeof(seed)) {
638 verbose("invalid or short read from PRNG seedfile %.100s - ignoring",
639 filename);
640 memset(seed, '\0', sizeof(seed));
641 }
642 close(fd);
643
644 /* stir in the seed, with estimated entropy zero */
645 RAND_add(&seed, sizeof(seed), 0.0);
bfc9a610 646}
b7a87eea 647
d3083fbd 648
649/*
650 * entropy command initialisation functions
651 */
d3083fbd 652int
653prng_read_commands(char *cmdfilename)
654{
655 FILE *f;
d3083fbd 656 char *cp;
48c99b2c 657 char line[1024];
658 char cmd[1024];
659 char path[256];
d3083fbd 660 int linenum;
d3083fbd 661 int num_cmds = 64;
662 int cur_cmd = 0;
48c99b2c 663 double est;
664 entropy_source_t *entcmd;
d3083fbd 665
666 f = fopen(cmdfilename, "r");
667 if (!f) {
668 fatal("couldn't read entropy commands file %.100s: %.100s",
669 cmdfilename, strerror(errno));
670 }
671
d3083fbd 672 entcmd = (entropy_source_t *)xmalloc(num_cmds * sizeof(entropy_source_t));
673 memset(entcmd, '\0', num_cmds * sizeof(entropy_source_t));
674
48c99b2c 675 /* Read in file */
676 linenum = 0;
d3083fbd 677 while (fgets(line, sizeof(line), f)) {
48c99b2c 678 int arg;
679 char *argv;
680
d3083fbd 681 linenum++;
682
683 /* skip leading whitespace, test for blank line or comment */
684 cp = line + strspn(line, WHITESPACE);
685 if ((*cp == 0) || (*cp == '#'))
686 continue; /* done with this line */
687
48c99b2c 688 /* First non-whitespace char should be double quote delimiting */
689 /* commandline */
690 if (*cp != '"') {
691 error("bad entropy command, %.100s line %d", cmdfilename,
692 linenum);
693 continue;
2b87da3b 694 }
d3083fbd 695
48c99b2c 696 /* first token, command args (incl. argv[0]) in double quotes */
697 cp = strtok(cp, "\"");
698 if (cp == NULL) {
699 error("missing or bad command string, %.100s line %d -- ignored",
700 cmdfilename, linenum);
701 continue;
702 }
703 strlcpy(cmd, cp, sizeof(cmd));
2b87da3b 704
48c99b2c 705 /* second token, full command path */
706 if ((cp = strtok(NULL, WHITESPACE)) == NULL) {
707 error("missing command path, %.100s line %d -- ignored",
708 cmdfilename, linenum);
709 continue;
710 }
d3083fbd 711
48c99b2c 712 /* did configure mark this as dead? */
713 if (strncmp("undef", cp, 5) == 0)
714 continue;
d3083fbd 715
2b87da3b 716 strlcpy(path, cp, sizeof(path));
48c99b2c 717
718 /* third token, entropy rate estimate for this command */
719 if ((cp = strtok(NULL, WHITESPACE)) == NULL) {
720 error("missing entropy estimate, %.100s line %d -- ignored",
721 cmdfilename, linenum);
722 continue;
723 }
724 est = strtod(cp, &argv);
725
726 /* end of line */
727 if ((cp = strtok(NULL, WHITESPACE)) != NULL) {
2b87da3b 728 error("garbage at end of line %d in %.100s -- ignored", linenum,
48c99b2c 729 cmdfilename);
d3083fbd 730 continue;
731 }
48c99b2c 732
733 /* save the command for debug messages */
734 entcmd[cur_cmd].cmdstring = xstrdup(cmd);
2b87da3b 735
48c99b2c 736 /* split the command args */
737 cp = strtok(cmd, WHITESPACE);
738 arg = 0;
739 argv = NULL;
740 do {
741 char *s = (char*)xmalloc(strlen(cp) + 1);
742 strncpy(s, cp, strlen(cp) + 1);
743 entcmd[cur_cmd].args[arg] = s;
744 arg++;
745 } while ((arg < 5) && (cp = strtok(NULL, WHITESPACE)));
2b87da3b 746
48c99b2c 747 if (strtok(NULL, WHITESPACE))
748 error("ignored extra command elements (max 5), %.100s line %d",
749 cmdfilename, linenum);
750
751 /* Copy the command path and rate estimate */
752 entcmd[cur_cmd].path = xstrdup(path);
753 entcmd[cur_cmd].rate = est;
754
755 /* Initialise other values */
756 entcmd[cur_cmd].sticky_badness = 1;
757
758 cur_cmd++;
759
760 /* If we've filled the array, reallocate it twice the size */
761 /* Do this now because even if this we're on the last command,
762 we need another slot to mark the last entry */
763 if (cur_cmd == num_cmds) {
764 num_cmds *= 2;
765 entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t));
766 }
d3083fbd 767 }
768
769 /* zero the last entry */
770 memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t));
48c99b2c 771
d3083fbd 772 /* trim to size */
773 entropy_sources = xrealloc(entcmd, (cur_cmd+1) * sizeof(entropy_source_t));
774
264dce47 775 debug("Loaded %d entropy commands from %.100s", cur_cmd, cmdfilename);
d3083fbd 776
777 return (cur_cmd >= MIN_ENTROPY_SOURCES);
778}
779
b7a87eea 780/*
781 * Write a keyfile at exit
2b87da3b 782 */
b7a87eea 783void
784prng_seed_cleanup(void *junk)
785{
786 prng_write_seedfile();
787}
788
bfc9a610 789/*
b7a87eea 790 * Conditionally Seed OpenSSL's random number pool from
791 * syscalls and program output
bfc9a610 792 */
793void
794seed_rng(void)
795{
e1a023df 796 mysig_t old_sigchld_handler;
d3083fbd 797
264dce47 798 if (!prng_initialised)
799 fatal("RNG not initialised");
2b87da3b 800
a64009ad 801 /* Make sure some other sigchld handler doesn't reap our entropy */
802 /* commands */
e1a023df 803 old_sigchld_handler = mysignal(SIGCHLD, SIG_DFL);
a64009ad 804
264dce47 805 debug("Seeded RNG with %i bytes from programs", (int)stir_from_programs());
806 debug("Seeded RNG with %i bytes from system calls", (int)stir_from_system());
807
808 if (!RAND_status())
809 fatal("Not enough entropy in RNG");
b7a87eea 810
e1a023df 811 mysignal(SIGCHLD, old_sigchld_handler);
a64009ad 812
ad85db64 813 if (!RAND_status())
814 fatal("Couldn't initialise builtin random number generator -- exiting.");
264dce47 815}
ad85db64 816
2b87da3b 817void init_rng(void)
264dce47 818{
e879a080 819 int original_euid;
2b87da3b 820
264dce47 821 original_uid = getuid();
e879a080 822 original_euid = geteuid();
264dce47 823
824 /* Read in collection commands */
825 if (!prng_read_commands(SSH_PRNG_COMMAND_FILE))
826 fatal("PRNG initialisation failed -- exiting.");
827
828 /* Set ourselves up to save a seed upon exit */
2b87da3b 829 prng_seed_saved = 0;
e879a080 830
831 /* Give up privs while reading seed file */
e9a13ac1 832#ifdef SAVED_IDS_WORK_WITH_SETEUID
e879a080 833 if ((original_uid != original_euid) && (seteuid(original_uid) == -1))
834 fatal("Couldn't give up privileges");
e9a13ac1 835#else /* SAVED_IDS_WORK_WITH_SETEUID */
836 /*
837 * Propagate the privileged uid to all of our uids.
838 * Set the effective uid to the given (unprivileged) uid.
839 */
840 if (original_uid != original_euid && setuid(original_euid) == -1 ||
841 seteuid(original_uid) == -1)
842 fatal("Couldn't give up privileges");
843#endif /* SAVED_IDS_WORK_WITH_SETEUID */
2b87da3b 844
264dce47 845 prng_read_seedfile();
e879a080 846
e9a13ac1 847#ifdef SAVED_IDS_WORK_WITH_SETEUID
e879a080 848 if ((original_uid != original_euid) && (seteuid(original_euid) == -1))
849 fatal("Couldn't restore privileges");
e9a13ac1 850#else /* SAVED_IDS_WORK_WITH_SETEUID */
851 /*
852 * We are unable to restore the real uid to its unprivileged value.
853 * Propagate the real uid (usually more privileged) to effective uid
854 * as well.
855 */
856 if (original_uid != original_euid && seteuid(original_euid) == -1 ||
857 setuid(original_uid) == -1)
858 fatal("Couldn't restore privileges");
859#endif /* SAVED_IDS_WORK_WITH_SETEUID */
e879a080 860
264dce47 861 fatal_add_cleanup(prng_seed_cleanup, NULL);
862 atexit(prng_write_seedfile);
863
864 prng_initialised = 1;
bfc9a610 865}
264dce47 866
bfc9a610 867#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */
git-cvsimport mirror of OpenSSH
This page took 3.678834 seconds and 5 git commands to generate.