From 72f02ae704f84d09489ae9c9722a091057ac21d9 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 27 Sep 2005 12:46:32 +0000 Subject: [PATCH] - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed process when sshd relies on ssh-random-helper. Should result in faster logins on systems without a real random device or prngd. ok djm@ --- ChangeLog | 3 +++ entropy.c | 30 ++++++++++++++++++++++++++++++ entropy.h | 5 +++++ sshd.c | 14 ++++++++++++-- 4 files changed, 50 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7cd387da..30ef0bf6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20050927 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid calls, since they can't possibly fail. ok djm@ + - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed + process when sshd relies on ssh-random-helper. Should result in faster + logins on systems without a real random device or prngd. ok djm@ 20050924 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove diff --git a/entropy.c b/entropy.c index b3081af9..2f4c50a0 100644 --- a/entropy.c +++ b/entropy.c @@ -26,6 +26,7 @@ #include #include +#include #include "ssh.h" #include "misc.h" @@ -33,6 +34,8 @@ #include "atomicio.h" #include "pathnames.h" #include "log.h" +#include "buffer.h" +#include "bufaux.h" /* * Portable OpenSSH PRNG seeding: @@ -150,3 +153,30 @@ init_rng(void) #endif } +#ifndef OPENSSL_PRNG_ONLY +void +rexec_send_rng_seed(Buffer *m) +{ + u_char buf[RANDOM_SEED_SIZE]; + + if (RAND_bytes(buf, sizeof(buf)) <= 0) { + error("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); + buffer_put_string(m, "", 0); + } else + buffer_put_string(m, buf, sizeof(buf)); +} + +void +rexec_recv_rng_seed(Buffer *m) +{ + char *buf; + u_int len; + + buf = buffer_get_string_ret(m, &len); + if (buf != NULL) { + debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len); + RAND_add(buf, len, len); + } +} +#endif diff --git a/entropy.h b/entropy.h index 270eacbd..86f69dc5 100644 --- a/entropy.h +++ b/entropy.h @@ -27,7 +27,12 @@ #ifndef _RANDOMS_H #define _RANDOMS_H +#include "buffer.h" + void seed_rng(void); void init_rng(void); +void rexec_send_rng_seed(Buffer *); +void rexec_recv_rng_seed(Buffer *); + #endif /* _RANDOMS_H */ diff --git a/sshd.c b/sshd.c index 92aa9bbd..e9125a22 100644 --- a/sshd.c +++ b/sshd.c @@ -800,6 +800,7 @@ send_rexec_state(int fd, Buffer *conf) * bignum iqmp " * bignum p " * bignum q " + * string rngseed (only if OpenSSL is not self-seeded) */ buffer_init(&m); buffer_put_cstring(&m, buffer_ptr(conf)); @@ -816,6 +817,10 @@ send_rexec_state(int fd, Buffer *conf) } else buffer_put_int(&m, 0); +#ifndef OPENSSL_PRNG_ONLY + rexec_send_rng_seed(&m); +#endif + if (ssh_msg_send(fd, 0, &m) == -1) fatal("%s: ssh_msg_send failed", __func__); @@ -858,6 +863,11 @@ recv_rexec_state(int fd, Buffer *conf) rsa_generate_additional_parameters( sensitive_data.server_key->rsa); } + +#ifndef OPENSSL_PRNG_ONLY + rexec_recv_rng_seed(&m); +#endif + buffer_free(&m); debug3("%s: done", __func__); @@ -1051,8 +1061,6 @@ main(int ac, char **av) drop_cray_privs(); #endif - seed_rng(); - sensitive_data.server_key = NULL; sensitive_data.ssh1_host_key = NULL; sensitive_data.have_ssh1_key = 0; @@ -1071,6 +1079,8 @@ main(int ac, char **av) if (!rexec_flag) buffer_free(&cfg); + seed_rng(); + /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); -- 2.45.1