entropy.c 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267
  1. /*
  2. * Copyright (c) 2001 Damien Miller. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. * 1. Redistributions of source code must retain the above copyright
  8. * notice, this list of conditions and the following disclaimer.
  9. * 2. Redistributions in binary form must reproduce the above copyright
  10. * notice, this list of conditions and the following disclaimer in the
  11. * documentation and/or other materials provided with the distribution.
  12. *
  13. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23. */
  24. #include "includes.h"
  25. #define RANDOM_SEED_SIZE 48
  26. #ifdef WITH_OPENSSL
  27. #include <sys/types.h>
  28. #include <sys/socket.h>
  29. #ifdef HAVE_SYS_UN_H
  30. # include <sys/un.h>
  31. #endif
  32. #include <netinet/in.h>
  33. #include <arpa/inet.h>
  34. #include <errno.h>
  35. #include <signal.h>
  36. #include <stdlib.h>
  37. #include <string.h>
  38. #include <unistd.h>
  39. #include <stddef.h> /* for offsetof */
  40. #include <openssl/rand.h>
  41. #include <openssl/crypto.h>
  42. #include <openssl/err.h>
  43. #include "openbsd-compat/openssl-compat.h"
  44. #include "ssh.h"
  45. #include "misc.h"
  46. #include "xmalloc.h"
  47. #include "atomicio.h"
  48. #include "pathnames.h"
  49. #include "log.h"
  50. #include "sshbuf.h"
  51. #include "ssherr.h"
  52. /*
  53. * Portable OpenSSH PRNG seeding:
  54. * If OpenSSL has not "internally seeded" itself (e.g. pulled data from
  55. * /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
  56. * PRNGd.
  57. */
  58. #ifndef OPENSSL_PRNG_ONLY
  59. /*
  60. * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon
  61. * listening either on 'tcp_port', or via Unix domain socket at *
  62. * 'socket_path'.
  63. * Either a non-zero tcp_port or a non-null socket_path must be
  64. * supplied.
  65. * Returns 0 on success, -1 on error
  66. */
  67. int
  68. get_random_bytes_prngd(unsigned char *buf, int len,
  69. unsigned short tcp_port, char *socket_path)
  70. {
  71. int fd, addr_len, rval, errors;
  72. u_char msg[2];
  73. struct sockaddr_storage addr;
  74. struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr;
  75. struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr;
  76. sshsig_t old_sigpipe;
  77. /* Sanity checks */
  78. if (socket_path == NULL && tcp_port == 0)
  79. fatal("You must specify a port or a socket");
  80. if (socket_path != NULL &&
  81. strlen(socket_path) >= sizeof(addr_un->sun_path))
  82. fatal("Random pool path is too long");
  83. if (len <= 0 || len > 255)
  84. fatal("Too many bytes (%d) to read from PRNGD", len);
  85. memset(&addr, '\0', sizeof(addr));
  86. if (tcp_port != 0) {
  87. addr_in->sin_family = AF_INET;
  88. addr_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
  89. addr_in->sin_port = htons(tcp_port);
  90. addr_len = sizeof(*addr_in);
  91. } else {
  92. addr_un->sun_family = AF_UNIX;
  93. strlcpy(addr_un->sun_path, socket_path,
  94. sizeof(addr_un->sun_path));
  95. addr_len = offsetof(struct sockaddr_un, sun_path) +
  96. strlen(socket_path) + 1;
  97. }
  98. old_sigpipe = ssh_signal(SIGPIPE, SIG_IGN);
  99. errors = 0;
  100. rval = -1;
  101. reopen:
  102. fd = socket(addr.ss_family, SOCK_STREAM, 0);
  103. if (fd == -1) {
  104. error("Couldn't create socket: %s", strerror(errno));
  105. goto done;
  106. }
  107. if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) {
  108. if (tcp_port != 0) {
  109. error("Couldn't connect to PRNGD port %d: %s",
  110. tcp_port, strerror(errno));
  111. } else {
  112. error("Couldn't connect to PRNGD socket \"%s\": %s",
  113. addr_un->sun_path, strerror(errno));
  114. }
  115. goto done;
  116. }
  117. /* Send blocking read request to PRNGD */
  118. msg[0] = 0x02;
  119. msg[1] = len;
  120. if (atomicio(vwrite, fd, msg, sizeof(msg)) != sizeof(msg)) {
  121. if (errno == EPIPE && errors < 10) {
  122. close(fd);
  123. errors++;
  124. goto reopen;
  125. }
  126. error("Couldn't write to PRNGD socket: %s",
  127. strerror(errno));
  128. goto done;
  129. }
  130. if (atomicio(read, fd, buf, len) != (size_t)len) {
  131. if (errno == EPIPE && errors < 10) {
  132. close(fd);
  133. errors++;
  134. goto reopen;
  135. }
  136. error("Couldn't read from PRNGD socket: %s",
  137. strerror(errno));
  138. goto done;
  139. }
  140. rval = 0;
  141. done:
  142. ssh_signal(SIGPIPE, old_sigpipe);
  143. if (fd != -1)
  144. close(fd);
  145. return rval;
  146. }
  147. static int
  148. seed_from_prngd(unsigned char *buf, size_t bytes)
  149. {
  150. #ifdef PRNGD_PORT
  151. debug("trying egd/prngd port %d", PRNGD_PORT);
  152. if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == 0)
  153. return 0;
  154. #endif
  155. #ifdef PRNGD_SOCKET
  156. debug("trying egd/prngd socket %s", PRNGD_SOCKET);
  157. if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == 0)
  158. return 0;
  159. #endif
  160. return -1;
  161. }
  162. void
  163. rexec_send_rng_seed(struct sshbuf *m)
  164. {
  165. u_char buf[RANDOM_SEED_SIZE];
  166. size_t len = sizeof(buf);
  167. int r;
  168. if (RAND_bytes(buf, sizeof(buf)) <= 0) {
  169. error("Couldn't obtain random bytes (error %ld)",
  170. ERR_get_error());
  171. len = 0;
  172. }
  173. if ((r = sshbuf_put_string(m, buf, len)) != 0)
  174. fatal("%s: buffer error: %s", __func__, ssh_err(r));
  175. explicit_bzero(buf, sizeof(buf));
  176. }
  177. void
  178. rexec_recv_rng_seed(struct sshbuf *m)
  179. {
  180. const u_char *buf = NULL;
  181. size_t len = 0;
  182. int r;
  183. if ((r = sshbuf_get_string_direct(m, &buf, &len)) != 0)
  184. fatal("%s: buffer error: %s", __func__, ssh_err(r));
  185. debug3("rexec_recv_rng_seed: seeding rng with %lu bytes",
  186. (unsigned long)len);
  187. RAND_add(buf, len, len);
  188. }
  189. #endif /* OPENSSL_PRNG_ONLY */
  190. void
  191. seed_rng(void)
  192. {
  193. unsigned char buf[RANDOM_SEED_SIZE];
  194. /* Initialise libcrypto */
  195. ssh_libcrypto_init();
  196. if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
  197. OpenSSL_version_num()))
  198. fatal("OpenSSL version mismatch. Built against %lx, you "
  199. "have %lx", (u_long)OPENSSL_VERSION_NUMBER,
  200. OpenSSL_version_num());
  201. #ifndef OPENSSL_PRNG_ONLY
  202. if (RAND_status() == 1)
  203. debug3("RNG is ready, skipping seeding");
  204. else {
  205. if (seed_from_prngd(buf, sizeof(buf)) == -1)
  206. fatal("Could not obtain seed from PRNGd");
  207. RAND_add(buf, sizeof(buf), sizeof(buf));
  208. }
  209. #endif /* OPENSSL_PRNG_ONLY */
  210. if (RAND_status() != 1)
  211. fatal("PRNG is not seeded");
  212. /* Ensure arc4random() is primed */
  213. arc4random_buf(buf, sizeof(buf));
  214. explicit_bzero(buf, sizeof(buf));
  215. }
  216. #else /* WITH_OPENSSL */
  217. #include <stdlib.h>
  218. #include <string.h>
  219. /* Actual initialisation is handled in arc4random() */
  220. void
  221. seed_rng(void)
  222. {
  223. unsigned char buf[RANDOM_SEED_SIZE];
  224. /* Ensure arc4random() is primed */
  225. arc4random_buf(buf, sizeof(buf));
  226. explicit_bzero(buf, sizeof(buf));
  227. }
  228. #endif /* WITH_OPENSSL */