~ubuntu-branches/debian/stretch/dropbear/stretch

Viewing changes to random.c

Committer: Package Import Robot
Author(s): Gerrit Pape, Matt Johnston, Gerrit Pape
Date: 2013-10-25 15:00:48 UTC
mfrom: (1.4.6)
Revision ID: package-import@ubuntu.com-20131025150048-3jq765x96xayk392

Tags: 2013.60-1

http://bugs.debian.org/692653

[ Matt Johnston ]
* New upstream release.

[ Gerrit Pape ]
* debian/diff/0004-cve-2013-4421.diff, 0005-user-disclosure.diff:
remove; fixed upstream.
* debian/dropbear.postinst: don't fail if initramfs-tools it not
installed (closes: #692653).

files added:
configure.ac

dropbearconvert.1

dropbearkey.1

files removed:
cli-algo.c

cli-service.c

configure.in

debian/diff/0004-cve-2013-4421.diff

debian/diff/0005-user-disclosure.diff

dropbearkey.8

svr-algo.c

files modified:
.hg_archival.txt

.hgsigs

.hgtags

CHANGES

LICENSE

MULTI

Makefile.in

README

agentfwd.h

algo.h

auth.h

bignum.h

buffer.c

channel.h

circbuffer.c

cli-agentfwd.c

cli-auth.c

cli-authpubkey.c

cli-chansession.c

cli-kex.c

cli-main.c

cli-runopts.c

cli-session.c

common-algo.c

common-channel.c

common-kex.c

common-runopts.c

common-session.c

compat.c

config.guess

config.h.in

config.sub

configure

dbclient.1

dbmulti.c

dbutil.c

dbutil.h

debian/changelog

debian/diff/0001-dbclient.1-dbclient-uses-compression-if-compiled-with.diff

debian/diff/0002-dropbearkey.8-mention-y-option-add-example.diff

debian/diff/0003-options.h-use-usr-bin-xauth-instead-of-usr-bin-X11-xa.diff

debian/dropbear.postinst

debian/rules

debug.h

dropbear.8

dropbearkey.c

dss.c

includes.h

kex.h

libtomcrypt/src/headers/tomcrypt_custom.h

libtommath/Makefile.in

loginrec.c

options.h

packet.c

process-packet.c

queue.c

queue.h

random.c

random.h

rsa.c

runopts.h

scp.c

scpmisc.c

service.h

session.h

signkey.c

sshpty.c

svr-auth.c

svr-authpam.c

svr-authpasswd.c

svr-authpubkeyoptions.c

svr-chansession.c

svr-kex.c

svr-main.c

svr-runopts.c

svr-session.c

svr-tcpfwd.c

svr-x11fwd.c

sysoptions.h

tcp-accept.c

tcpfwd.h

termcodes.c

Show diffs side-by-side

added added

removed removed

random.c

#include "buffer.h"

#include "dbutil.h"

#include "bignum.h"

static int donerandinit = 0;

#include "random.h"

/* this is used to generate unique output from the same hashpool */

static uint32_t counter = 0;

/* the max value for the counter, so it won't integer overflow */

#define MAX_COUNTER 1<<30

static unsigned char hashpool[SHA1_HASH_SIZE];

static unsigned char hashpool[SHA1_HASH_SIZE] = {0};

static int donerandinit = 0;

#define INIT_SEED_SIZE 32 /* 256 bits */

static void readrand(unsigned char* buf, unsigned int buflen);

/* The basic setup is we read some data from /dev/(u)random or prngd and hash it

* into hashpool. To read data, we hash together current hashpool contents,

* and a counter. We feed more data in by hashing the current pool and new

static void readrand(unsigned char* buf, unsigned int buflen) {

/* Pass len=0 to hash an entire file */

static int

process_file(hash_state *hs, const char *filename,

unsigned int len, int prngd)

{

static int already_blocked = 0;

int readfd;

unsigned int readpos;

int readlen;

#ifdef DROPBEAR_PRNGD_SOCKET

struct sockaddr_un egdsock;

char egdcmd[2];

#endif

#ifdef DROPBEAR_RANDOM_DEV

readfd = open(DROPBEAR_RANDOM_DEV, O_RDONLY);

if (readfd < 0) {

dropbear_exit("Couldn't open random device");

}

#endif

#ifdef DROPBEAR_PRNGD_SOCKET

readfd = connect_unix(DROPBEAR_PRNGD_SOCKET);

if (readfd < 0) {

dropbear_exit("Couldn't open random device");

}

if (buflen > 255)

dropbear_exit("Can't request more than 255 bytes from egd");

egdcmd[0] = 0x02; /* blocking read */

egdcmd[1] = (unsigned char)buflen;

if (write(readfd, egdcmd, 2) < 0)

dropbear_exit("Can't send command to egd");

#endif

/* read the actual random data */

readpos = 0;

do {

unsigned int readcount;

int ret = DROPBEAR_FAILURE;

#ifdef DROPBEAR_PRNGD_SOCKET

if (prngd)

{

readfd = connect_unix(filename);

}

else

#endif

{

readfd = open(filename, O_RDONLY);

}

if (readfd < 0) {

goto out;

}

readcount = 0;

while (len == 0 || readcount < len)

{

int readlen, wantread;

unsigned char readbuf[4096];

if (!already_blocked)

{

int ret;

struct timeval timeout;

struct timeval timeout = { .tv_sec = 2, .tv_usec = 0};

fd_set read_fds;

timeout.tv_sec = 2; /* two seconds should be enough */

timeout.tv_usec = 0;

FD_ZERO(&read_fds);

FD_SET(readfd, &read_fds);

100

ret = select(readfd + 1, &read_fds, NULL, NULL, &timeout);

101

if (ret == 0)

102

{

103

dropbear_log(LOG_INFO, "Warning: Reading the random source seems to have blocked.\nIf you experience problems, you probably need to find a better entropy source.");

dropbear_log(LOG_WARNING, "Warning: Reading the randomness source '%s' seems to have blocked.\nYou may need to find a better entropy source.", filename);

104

already_blocked = 1;

105

}

106

}

107

readlen = read(readfd, &buf[readpos], buflen - readpos);

if (len == 0)

{

wantread = sizeof(readbuf);

100

}

101

else

102

{

103

wantread = MIN(sizeof(readbuf), len-readcount);

104

}

105

106

#ifdef DROPBEAR_PRNGD_SOCKET

107

if (prngd)

108

{

109

char egdcmd[2];

110

egdcmd[0] = 0x02; /* blocking read */

111

egdcmd[1] = (unsigned char)wantread;

112

if (write(readfd, egdcmd, 2) < 0)

113

{

114

dropbear_exit("Can't send command to egd");

115

}

116

}

117

#endif

118

119

readlen = read(readfd, readbuf, wantread);

108

120

if (readlen <= 0) {

109

121

if (readlen < 0 && errno == EINTR) {

110

122

continue;

111

123

}

112

dropbear_exit("Error reading random source");

124

if (readlen == 0 && len == 0)

125

{

126

/* whole file was read as requested */

127

break;

128

}

129

goto out;

113

130

}

114

readpos += readlen;

115

} while (readpos < buflen);

116

117

close (readfd);

118

}

119

120

/* initialise the prng from /dev/(u)random or prngd */

131

sha1_process(hs, readbuf, readlen);

132

readcount += readlen;

133

}

134

ret = DROPBEAR_SUCCESS;

135

out:

136

close(readfd);

137

return ret;

138

}

139

140

void addrandom(char * buf, unsigned int len)

141

{

142

hash_state hs;

143

144

/* hash in the new seed data */

145

sha1_init(&hs);

146

/* existing state (zeroes on startup) */

147

sha1_process(&hs, (void*)hashpool, sizeof(hashpool));

148

149

/* new */

150

sha1_process(&hs, buf, len);

151

sha1_done(&hs, hashpool);

152

}

153

154

static void write_urandom()

155

{

156

#ifndef DROPBEAR_PRNGD_SOCKET

157

/* This is opportunistic, don't worry about failure */

158

unsigned char buf[INIT_SEED_SIZE];

159

FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w");

160

if (!f) {

161

return;

162

}

163

genrandom(buf, sizeof(buf));

164

fwrite(buf, sizeof(buf), 1, f);

165

fclose(f);

166

#endif

167

}

168

169

/* Initialise the prng from /dev/urandom or prngd. This function can

170

* be called multiple times */

121

171

void seedrandom() {

122

172

123

unsigned char readbuf[INIT_SEED_SIZE];

124

125

173

hash_state hs;

126

174

127

/* initialise so that things won't warn about

128

* hashing an undefined buffer */

129

if (!donerandinit) {

130

m_burn(hashpool, sizeof(hashpool));

131

}

132

133

/* get the seed data */

134

readrand(readbuf, sizeof(readbuf));

135

136

/* hash in the new seed data */

137

sha1_init(&hs);

138

sha1_process(&hs, (void*)hashpool, sizeof(hashpool));

139

sha1_process(&hs, (void*)readbuf, sizeof(readbuf));

140

sha1_done(&hs, hashpool);

141

142

counter = 0;

143

donerandinit = 1;

144

}

145

146

/* hash the current random pool with some unique identifiers

147

* for this process and point-in-time. this is used to separate

148

* the random pools for fork()ed processes. */

149

void reseedrandom() {

150

151

175

pid_t pid;

152

hash_state hs;

153

176

struct timeval tv;

154

155

if (!donerandinit) {

156

dropbear_exit("seedrandom not done");

157

}

177

clock_t clockval;

178

179

/* hash in the new seed data */

180

sha1_init(&hs);

181

/* existing state */

182

sha1_process(&hs, (void*)hashpool, sizeof(hashpool));

183

184

#ifdef DROPBEAR_PRNGD_SOCKET

185

if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1)

186

!= DROPBEAR_SUCCESS) {

187

dropbear_exit("Failure reading random device %s",

188

DROPBEAR_PRNGD_SOCKET);

189

}

190

#else

191

/* non-blocking random source (probably /dev/urandom) */

192

if (process_file(&hs, DROPBEAR_URANDOM_DEV, INIT_SEED_SIZE, 0)

193

!= DROPBEAR_SUCCESS) {

194

dropbear_exit("Failure reading random device %s",

195

DROPBEAR_URANDOM_DEV);

196

}

197

#endif

198

199

/* A few other sources to fall back on.

200

* Add more here for other platforms */

201

#ifdef __linux__

202

/* Seems to be a reasonable source of entropy from timers. Possibly hard

203

* for even local attackers to reproduce */

204

process_file(&hs, "/proc/timer_list", 0, 0);

205

/* Might help on systems with wireless */

206

process_file(&hs, "/proc/interrupts", 0, 0);

207

208

process_file(&hs, "/proc/loadavg", 0, 0);

209

process_file(&hs, "/proc/sys/kernel/random/entropy_avail", 0, 0);

210

211

/* Mostly network visible but useful in some situations.

212

* Limit size to avoid slowdowns on systems with lots of routes */

213

process_file(&hs, "/proc/net/netstat", 4096, 0);

214

process_file(&hs, "/proc/net/dev", 4096, 0);

215

process_file(&hs, "/proc/net/tcp", 4096, 0);

216

/* Also includes interface lo */

217

process_file(&hs, "/proc/net/rt_cache", 4096, 0);

218

process_file(&hs, "/proc/vmstat", 0, 0);

219

#endif

158

220

159

221

pid = getpid();

222

sha1_process(&hs, (void*)&pid, sizeof(pid));

223

224

// gettimeofday() doesn't completely fill out struct timeval on

225

// OS X (10.8.3), avoid valgrind warnings by clearing it first

226

memset(&tv, 0x0, sizeof(tv));

160

227

gettimeofday(&tv, NULL);

161

162

sha1_init(&hs);

163

sha1_process(&hs, (void*)hashpool, sizeof(hashpool));

164

sha1_process(&hs, (void*)&pid, sizeof(pid));

165

228

sha1_process(&hs, (void*)&tv, sizeof(tv));

229

230

clockval = clock();

231

sha1_process(&hs, (void*)&clockval, sizeof(clockval));

232

233

/* When a private key is read by the client or server it will

234

* be added to the hashpool - see runopts.c */

235

166

236

sha1_done(&hs, hashpool);

237

238

counter = 0;

239

donerandinit = 1;

240

241

/* Feed it all back into /dev/urandom - this might help if Dropbear

242

* is running from inetd and gets new state each time */

243

write_urandom();

167

244

}

168

245

169

246

/* return len bytes of pseudo-random data */

Older »