53
static void readrand(unsigned char* buf, unsigned int buflen) {
51
/* Pass len=0 to hash an entire file */
53
process_file(hash_state *hs, const char *filename,
54
unsigned int len, int prngd)
55
56
static int already_blocked = 0;
59
#ifdef DROPBEAR_PRNGD_SOCKET
60
struct sockaddr_un egdsock;
64
#ifdef DROPBEAR_RANDOM_DEV
65
readfd = open(DROPBEAR_RANDOM_DEV, O_RDONLY);
67
dropbear_exit("Couldn't open random device");
71
#ifdef DROPBEAR_PRNGD_SOCKET
72
readfd = connect_unix(DROPBEAR_PRNGD_SOCKET);
75
dropbear_exit("Couldn't open random device");
79
dropbear_exit("Can't request more than 255 bytes from egd");
80
egdcmd[0] = 0x02; /* blocking read */
81
egdcmd[1] = (unsigned char)buflen;
82
if (write(readfd, egdcmd, 2) < 0)
83
dropbear_exit("Can't send command to egd");
86
/* read the actual random data */
58
unsigned int readcount;
59
int ret = DROPBEAR_FAILURE;
61
#ifdef DROPBEAR_PRNGD_SOCKET
64
readfd = connect_unix(filename);
69
readfd = open(filename, O_RDONLY);
77
while (len == 0 || readcount < len)
79
int readlen, wantread;
80
unsigned char readbuf[4096];
89
81
if (!already_blocked)
92
struct timeval timeout;
84
struct timeval timeout = { .tv_sec = 2, .tv_usec = 0};
95
timeout.tv_sec = 2; /* two seconds should be enough */
98
87
FD_ZERO(&read_fds);
99
88
FD_SET(readfd, &read_fds);
100
89
ret = select(readfd + 1, &read_fds, NULL, NULL, &timeout);
103
dropbear_log(LOG_INFO, "Warning: Reading the random source seems to have blocked.\nIf you experience problems, you probably need to find a better entropy source.");
92
dropbear_log(LOG_WARNING, "Warning: Reading the randomness source '%s' seems to have blocked.\nYou may need to find a better entropy source.", filename);
104
93
already_blocked = 1;
107
readlen = read(readfd, &buf[readpos], buflen - readpos);
99
wantread = sizeof(readbuf);
103
wantread = MIN(sizeof(readbuf), len-readcount);
106
#ifdef DROPBEAR_PRNGD_SOCKET
110
egdcmd[0] = 0x02; /* blocking read */
111
egdcmd[1] = (unsigned char)wantread;
112
if (write(readfd, egdcmd, 2) < 0)
114
dropbear_exit("Can't send command to egd");
119
readlen = read(readfd, readbuf, wantread);
108
120
if (readlen <= 0) {
109
121
if (readlen < 0 && errno == EINTR) {
112
dropbear_exit("Error reading random source");
124
if (readlen == 0 && len == 0)
126
/* whole file was read as requested */
115
} while (readpos < buflen);
120
/* initialise the prng from /dev/(u)random or prngd */
131
sha1_process(hs, readbuf, readlen);
132
readcount += readlen;
134
ret = DROPBEAR_SUCCESS;
140
void addrandom(char * buf, unsigned int len)
144
/* hash in the new seed data */
146
/* existing state (zeroes on startup) */
147
sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
150
sha1_process(&hs, buf, len);
151
sha1_done(&hs, hashpool);
154
static void write_urandom()
156
#ifndef DROPBEAR_PRNGD_SOCKET
157
/* This is opportunistic, don't worry about failure */
158
unsigned char buf[INIT_SEED_SIZE];
159
FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w");
163
genrandom(buf, sizeof(buf));
164
fwrite(buf, sizeof(buf), 1, f);
169
/* Initialise the prng from /dev/urandom or prngd. This function can
170
* be called multiple times */
121
171
void seedrandom() {
123
unsigned char readbuf[INIT_SEED_SIZE];
127
/* initialise so that things won't warn about
128
* hashing an undefined buffer */
130
m_burn(hashpool, sizeof(hashpool));
133
/* get the seed data */
134
readrand(readbuf, sizeof(readbuf));
136
/* hash in the new seed data */
138
sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
139
sha1_process(&hs, (void*)readbuf, sizeof(readbuf));
140
sha1_done(&hs, hashpool);
146
/* hash the current random pool with some unique identifiers
147
* for this process and point-in-time. this is used to separate
148
* the random pools for fork()ed processes. */
149
void reseedrandom() {
153
176
struct timeval tv;
156
dropbear_exit("seedrandom not done");
179
/* hash in the new seed data */
182
sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
184
#ifdef DROPBEAR_PRNGD_SOCKET
185
if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1)
186
!= DROPBEAR_SUCCESS) {
187
dropbear_exit("Failure reading random device %s",
188
DROPBEAR_PRNGD_SOCKET);
191
/* non-blocking random source (probably /dev/urandom) */
192
if (process_file(&hs, DROPBEAR_URANDOM_DEV, INIT_SEED_SIZE, 0)
193
!= DROPBEAR_SUCCESS) {
194
dropbear_exit("Failure reading random device %s",
195
DROPBEAR_URANDOM_DEV);
199
/* A few other sources to fall back on.
200
* Add more here for other platforms */
202
/* Seems to be a reasonable source of entropy from timers. Possibly hard
203
* for even local attackers to reproduce */
204
process_file(&hs, "/proc/timer_list", 0, 0);
205
/* Might help on systems with wireless */
206
process_file(&hs, "/proc/interrupts", 0, 0);
208
process_file(&hs, "/proc/loadavg", 0, 0);
209
process_file(&hs, "/proc/sys/kernel/random/entropy_avail", 0, 0);
211
/* Mostly network visible but useful in some situations.
212
* Limit size to avoid slowdowns on systems with lots of routes */
213
process_file(&hs, "/proc/net/netstat", 4096, 0);
214
process_file(&hs, "/proc/net/dev", 4096, 0);
215
process_file(&hs, "/proc/net/tcp", 4096, 0);
216
/* Also includes interface lo */
217
process_file(&hs, "/proc/net/rt_cache", 4096, 0);
218
process_file(&hs, "/proc/vmstat", 0, 0);
222
sha1_process(&hs, (void*)&pid, sizeof(pid));
224
// gettimeofday() doesn't completely fill out struct timeval on
225
// OS X (10.8.3), avoid valgrind warnings by clearing it first
226
memset(&tv, 0x0, sizeof(tv));
160
227
gettimeofday(&tv, NULL);
163
sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
164
sha1_process(&hs, (void*)&pid, sizeof(pid));
165
228
sha1_process(&hs, (void*)&tv, sizeof(tv));
231
sha1_process(&hs, (void*)&clockval, sizeof(clockval));
233
/* When a private key is read by the client or server it will
234
* be added to the hashpool - see runopts.c */
166
236
sha1_done(&hs, hashpool);
241
/* Feed it all back into /dev/urandom - this might help if Dropbear
242
* is running from inetd and gets new state each time */
169
246
/* return len bytes of pseudo-random data */