# HG changeset patch # User Matt Johnston # Date 1384437947 -28800 # Node ID 220f55d540ae814825827c538be45c05bdd2493c # Parent c19acba285905d89ebeeb13cd9a5749bd3da38a5 rename random.h to dbrandom.h since some OSes have a system random.h diff -r c19acba28590 -r 220f55d540ae Makefile.in --- a/Makefile.in Thu Nov 14 22:03:30 2013 +0800 +++ b/Makefile.in Thu Nov 14 22:05:47 2013 +0800 @@ -24,7 +24,7 @@ COMMONOBJS=dbutil.o buffer.o \ dss.o bignum.o \ - signkey.o rsa.o random.o \ + signkey.o rsa.o dbrandom.o \ queue.o \ atomicio.o compat.o fake-rfc2553.o \ ltc_prng.o ecc.o ecdsa.o crypto_desc.o \ @@ -52,7 +52,7 @@ SCPOBJS=scp.o progressmeter.o atomicio.o scpmisc.o compat.o HEADERS=options.h dbutil.h session.h packet.h algo.h ssh.h buffer.h kex.h \ - dss.h bignum.h signkey.h rsa.h random.h service.h auth.h \ + dss.h bignum.h signkey.h rsa.h dbrandom.h service.h auth.h \ debug.h channel.h chansession.h config.h queue.h sshpty.h \ termcodes.h gendss.h genrsa.h runopts.h includes.h \ loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ diff -r c19acba28590 -r 220f55d540ae cli-agentfwd.c --- a/cli-agentfwd.c Thu Nov 14 22:03:30 2013 +0800 +++ b/cli-agentfwd.c Thu Nov 14 22:05:47 2013 +0800 @@ -34,7 +34,7 @@ #include "channel.h" #include "packet.h" #include "buffer.h" -#include "random.h" +#include "dbrandom.h" #include "listener.h" #include "runopts.h" #include "atomicio.h" diff -r c19acba28590 -r 220f55d540ae cli-kex.c --- a/cli-kex.c Thu Nov 14 22:03:30 2013 +0800 +++ b/cli-kex.c Thu Nov 14 22:05:47 2013 +0800 @@ -33,7 +33,7 @@ #include "ssh.h" #include "packet.h" #include "bignum.h" -#include "random.h" +#include "dbrandom.h" #include "runopts.h" #include "signkey.h" #include "ecc.h" diff -r c19acba28590 -r 220f55d540ae cli-main.c --- a/cli-main.c Thu Nov 14 22:03:30 2013 +0800 +++ b/cli-main.c Thu Nov 14 22:05:47 2013 +0800 @@ -28,7 +28,7 @@ #include "dbutil.h" #include "runopts.h" #include "session.h" -#include "random.h" +#include "dbrandom.h" #include "crypto_desc.h" static void cli_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_NORETURN; diff -r c19acba28590 -r 220f55d540ae cli-session.c --- a/cli-session.c Thu Nov 14 22:03:30 2013 +0800 +++ b/cli-session.c Thu Nov 14 22:05:47 2013 +0800 @@ -31,7 +31,7 @@ #include "packet.h" #include "tcpfwd.h" #include "channel.h" -#include "random.h" +#include "dbrandom.h" #include "service.h" #include "runopts.h" #include "chansession.h" diff -r c19acba28590 -r 220f55d540ae common-kex.c --- a/common-kex.c Thu Nov 14 22:03:30 2013 +0800 +++ b/common-kex.c Thu Nov 14 22:05:47 2013 +0800 @@ -32,7 +32,7 @@ #include "ssh.h" #include "packet.h" #include "bignum.h" -#include "random.h" +#include "dbrandom.h" #include "runopts.h" #include "ecc.h" #include "crypto_desc.h" diff -r c19acba28590 -r 220f55d540ae common-runopts.c --- a/common-runopts.c Thu Nov 14 22:03:30 2013 +0800 +++ b/common-runopts.c Thu Nov 14 22:05:47 2013 +0800 @@ -29,7 +29,7 @@ #include "dbutil.h" #include "auth.h" #include "algo.h" -#include "random.h" +#include "dbrandom.h" runopts opts; /* GLOBAL */ diff -r c19acba28590 -r 220f55d540ae common-session.c --- a/common-session.c Thu Nov 14 22:03:30 2013 +0800 +++ b/common-session.c Thu Nov 14 22:05:47 2013 +0800 @@ -30,7 +30,7 @@ #include "buffer.h" #include "dss.h" #include "ssh.h" -#include "random.h" +#include "dbrandom.h" #include "kex.h" #include "channel.h" #include "runopts.h" diff -r c19acba28590 -r 220f55d540ae dbrandom.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/dbrandom.c Thu Nov 14 22:05:47 2013 +0800 @@ -0,0 +1,312 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2002,2003 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ + +#include "includes.h" +#include "buffer.h" +#include "dbutil.h" +#include "bignum.h" +#include "dbrandom.h" + + +/* this is used to generate unique output from the same hashpool */ +static uint32_t counter = 0; +/* the max value for the counter, so it won't integer overflow */ +#define MAX_COUNTER 1<<30 + +static unsigned char hashpool[SHA1_HASH_SIZE] = {0}; +static int donerandinit = 0; + +#define INIT_SEED_SIZE 32 /* 256 bits */ + +/* The basic setup is we read some data from /dev/(u)random or prngd and hash it + * into hashpool. To read data, we hash together current hashpool contents, + * and a counter. We feed more data in by hashing the current pool and new + * data into the pool. + * + * It is important to ensure that counter doesn't wrap around before we + * feed in new entropy. + * + */ + +/* Pass len=0 to hash an entire file */ +static int +process_file(hash_state *hs, const char *filename, + unsigned int len, int prngd) +{ + static int already_blocked = 0; + int readfd; + unsigned int readcount; + int ret = DROPBEAR_FAILURE; + +#ifdef DROPBEAR_PRNGD_SOCKET + if (prngd) + { + readfd = connect_unix(filename); + } + else +#endif + { + readfd = open(filename, O_RDONLY); + } + + if (readfd < 0) { + goto out; + } + + readcount = 0; + while (len == 0 || readcount < len) + { + int readlen, wantread; + unsigned char readbuf[4096]; + if (!already_blocked && !prngd) + { + int res; + struct timeval timeout; + fd_set read_fds; + + timeout.tv_sec = 2; + timeout.tv_usec = 0; + + FD_ZERO(&read_fds); + FD_SET(readfd, &read_fds); + res = select(readfd + 1, &read_fds, NULL, NULL, &timeout); + if (res == 0) + { + dropbear_log(LOG_WARNING, "Warning: Reading the randomness source '%s' seems to have blocked.\nYou may need to find a better entropy source.", filename); + already_blocked = 1; + } + } + + if (len == 0) + { + wantread = sizeof(readbuf); + } + else + { + wantread = MIN(sizeof(readbuf), len-readcount); + } + +#ifdef DROPBEAR_PRNGD_SOCKET + if (prngd) + { + char egdcmd[2]; + egdcmd[0] = 0x02; /* blocking read */ + egdcmd[1] = (unsigned char)wantread; + if (write(readfd, egdcmd, 2) < 0) + { + dropbear_exit("Can't send command to egd"); + } + } +#endif + + readlen = read(readfd, readbuf, wantread); + if (readlen <= 0) { + if (readlen < 0 && errno == EINTR) { + continue; + } + if (readlen == 0 && len == 0) + { + /* whole file was read as requested */ + break; + } + goto out; + } + sha1_process(hs, readbuf, readlen); + readcount += readlen; + } + ret = DROPBEAR_SUCCESS; +out: + close(readfd); + return ret; +} + +void addrandom(char * buf, unsigned int len) +{ + hash_state hs; + + /* hash in the new seed data */ + sha1_init(&hs); + /* existing state (zeroes on startup) */ + sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); + + /* new */ + sha1_process(&hs, buf, len); + sha1_done(&hs, hashpool); +} + +static void write_urandom() +{ +#ifndef DROPBEAR_PRNGD_SOCKET + /* This is opportunistic, don't worry about failure */ + unsigned char buf[INIT_SEED_SIZE]; + FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w"); + if (!f) { + return; + } + genrandom(buf, sizeof(buf)); + fwrite(buf, sizeof(buf), 1, f); + fclose(f); +#endif +} + +/* Initialise the prng from /dev/urandom or prngd. This function can + * be called multiple times */ +void seedrandom() { + + hash_state hs; + + pid_t pid; + struct timeval tv; + clock_t clockval; + + /* hash in the new seed data */ + sha1_init(&hs); + /* existing state */ + sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); + +#ifdef DROPBEAR_PRNGD_SOCKET + if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1) + != DROPBEAR_SUCCESS) { + dropbear_exit("Failure reading random device %s", + DROPBEAR_PRNGD_SOCKET); + } +#else + /* non-blocking random source (probably /dev/urandom) */ + if (process_file(&hs, DROPBEAR_URANDOM_DEV, INIT_SEED_SIZE, 0) + != DROPBEAR_SUCCESS) { + dropbear_exit("Failure reading random device %s", + DROPBEAR_URANDOM_DEV); + } +#endif + + /* A few other sources to fall back on. + * Add more here for other platforms */ +#ifdef __linux__ + /* Seems to be a reasonable source of entropy from timers. Possibly hard + * for even local attackers to reproduce */ + process_file(&hs, "/proc/timer_list", 0, 0); + /* Might help on systems with wireless */ + process_file(&hs, "/proc/interrupts", 0, 0); + + process_file(&hs, "/proc/loadavg", 0, 0); + process_file(&hs, "/proc/sys/kernel/random/entropy_avail", 0, 0); + + /* Mostly network visible but useful in some situations. + * Limit size to avoid slowdowns on systems with lots of routes */ + process_file(&hs, "/proc/net/netstat", 4096, 0); + process_file(&hs, "/proc/net/dev", 4096, 0); + process_file(&hs, "/proc/net/tcp", 4096, 0); + /* Also includes interface lo */ + process_file(&hs, "/proc/net/rt_cache", 4096, 0); + process_file(&hs, "/proc/vmstat", 0, 0); +#endif + + pid = getpid(); + sha1_process(&hs, (void*)&pid, sizeof(pid)); + + /* gettimeofday() doesn't completely fill out struct timeval on + OS X (10.8.3), avoid valgrind warnings by clearing it first */ + memset(&tv, 0x0, sizeof(tv)); + gettimeofday(&tv, NULL); + sha1_process(&hs, (void*)&tv, sizeof(tv)); + + clockval = clock(); + sha1_process(&hs, (void*)&clockval, sizeof(clockval)); + + /* When a private key is read by the client or server it will + * be added to the hashpool - see runopts.c */ + + sha1_done(&hs, hashpool); + + counter = 0; + donerandinit = 1; + + /* Feed it all back into /dev/urandom - this might help if Dropbear + * is running from inetd and gets new state each time */ + write_urandom(); +} + +/* return len bytes of pseudo-random data */ +void genrandom(unsigned char* buf, unsigned int len) { + + hash_state hs; + unsigned char hash[SHA1_HASH_SIZE]; + unsigned int copylen; + + if (!donerandinit) { + dropbear_exit("seedrandom not done"); + } + + while (len > 0) { + sha1_init(&hs); + sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); + sha1_process(&hs, (void*)&counter, sizeof(counter)); + sha1_done(&hs, hash); + + counter++; + if (counter > MAX_COUNTER) { + seedrandom(); + } + + copylen = MIN(len, SHA1_HASH_SIZE); + memcpy(buf, hash, copylen); + len -= copylen; + buf += copylen; + } + m_burn(hash, sizeof(hash)); +} + +/* Generates a random mp_int. + * max is a *mp_int specifying an upper bound. + * rand must be an initialised *mp_int for the result. + * the result rand satisfies: 0 < rand < max + * */ +void gen_random_mpint(mp_int *max, mp_int *rand) { + + unsigned char *randbuf = NULL; + unsigned int len = 0; + const unsigned char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; + + const int size_bits = mp_count_bits(max); + + len = size_bits / 8; + if ((size_bits % 8) != 0) { + len += 1; + } + + randbuf = (unsigned char*)m_malloc(len); + do { + genrandom(randbuf, len); + /* Mask out the unrequired bits - mp_read_unsigned_bin expects + * MSB first.*/ + randbuf[0] &= masks[size_bits % 8]; + + bytes_to_mp(rand, randbuf, len); + + /* keep regenerating until we get one satisfying + * 0 < rand < max */ + } while (mp_cmp(rand, max) != MP_LT); + m_burn(randbuf, len); + m_free(randbuf); +} diff -r c19acba28590 -r 220f55d540ae dbrandom.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/dbrandom.h Thu Nov 14 22:05:47 2013 +0800 @@ -0,0 +1,35 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2002,2003 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ + +#ifndef _RANDOM_H_ +#define _RANDOM_H_ + +#include "includes.h" + +void seedrandom(); +void genrandom(unsigned char* buf, unsigned int len); +void addrandom(char * buf, unsigned int len); +void gen_random_mpint(mp_int *max, mp_int *rand); + +#endif /* _RANDOM_H_ */ diff -r c19acba28590 -r 220f55d540ae dropbearconvert.c --- a/dropbearconvert.c Thu Nov 14 22:03:30 2013 +0800 +++ b/dropbearconvert.c Thu Nov 14 22:05:47 2013 +0800 @@ -29,7 +29,7 @@ #include "dbutil.h" #include "keyimport.h" #include "crypto_desc.h" -#include "random.h" +#include "dbrandom.h" static int do_convert(int intype, const char* infile, int outtype, diff -r c19acba28590 -r 220f55d540ae dropbearkey.c --- a/dropbearkey.c Thu Nov 14 22:03:30 2013 +0800 +++ b/dropbearkey.c Thu Nov 14 22:05:47 2013 +0800 @@ -53,7 +53,7 @@ #include "gendss.h" #include "ecdsa.h" #include "crypto_desc.h" -#include "random.h" +#include "dbrandom.h" #include "gensignkey.h" static void printhelp(char * progname); diff -r c19acba28590 -r 220f55d540ae dss.c --- a/dss.c Thu Nov 14 22:03:30 2013 +0800 +++ b/dss.c Thu Nov 14 22:05:47 2013 +0800 @@ -28,7 +28,7 @@ #include "dss.h" #include "buffer.h" #include "ssh.h" -#include "random.h" +#include "dbrandom.h" /* Handle DSS (Digital Signature Standard), aka DSA (D.S. Algorithm), * operations, such as key reading, signing, verification. Key generation diff -r c19acba28590 -r 220f55d540ae gendss.c --- a/gendss.c Thu Nov 14 22:03:30 2013 +0800 +++ b/gendss.c Thu Nov 14 22:05:47 2013 +0800 @@ -26,7 +26,7 @@ #include "dbutil.h" #include "signkey.h" #include "bignum.h" -#include "random.h" +#include "dbrandom.h" #include "buffer.h" #include "gendss.h" #include "dss.h" diff -r c19acba28590 -r 220f55d540ae genrsa.c --- a/genrsa.c Thu Nov 14 22:03:30 2013 +0800 +++ b/genrsa.c Thu Nov 14 22:05:47 2013 +0800 @@ -25,7 +25,7 @@ #include "includes.h" #include "dbutil.h" #include "bignum.h" -#include "random.h" +#include "dbrandom.h" #include "rsa.h" #include "genrsa.h" diff -r c19acba28590 -r 220f55d540ae gensignkey.c --- a/gensignkey.c Thu Nov 14 22:03:30 2013 +0800 +++ b/gensignkey.c Thu Nov 14 22:05:47 2013 +0800 @@ -5,7 +5,7 @@ #include "genrsa.h" #include "gendss.h" #include "signkey.h" -#include "random.h" +#include "dbrandom.h" #define RSA_DEFAULT_SIZE 2048 #define DSS_DEFAULT_SIZE 1024 diff -r c19acba28590 -r 220f55d540ae ltc_prng.c --- a/ltc_prng.c Thu Nov 14 22:03:30 2013 +0800 +++ b/ltc_prng.c Thu Nov 14 22:05:47 2013 +0800 @@ -13,7 +13,7 @@ */ #include "options.h" #include "includes.h" -#include "random.h" +#include "dbrandom.h" #include "ltc_prng.h" /** diff -r c19acba28590 -r 220f55d540ae packet.c --- a/packet.c Thu Nov 14 22:03:30 2013 +0800 +++ b/packet.c Thu Nov 14 22:05:47 2013 +0800 @@ -30,7 +30,7 @@ #include "algo.h" #include "buffer.h" #include "kex.h" -#include "random.h" +#include "dbrandom.h" #include "service.h" #include "auth.h" #include "channel.h" diff -r c19acba28590 -r 220f55d540ae process-packet.c --- a/process-packet.c Thu Nov 14 22:03:30 2013 +0800 +++ b/process-packet.c Thu Nov 14 22:05:47 2013 +0800 @@ -30,7 +30,7 @@ #include "algo.h" #include "buffer.h" #include "kex.h" -#include "random.h" +#include "dbrandom.h" #include "service.h" #include "auth.h" #include "channel.h" diff -r c19acba28590 -r 220f55d540ae random.c --- a/random.c Thu Nov 14 22:03:30 2013 +0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,312 +0,0 @@ -/* - * Dropbear - a SSH2 server - * - * Copyright (c) 2002,2003 Matt Johnston - * All rights reserved. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. */ - -#include "includes.h" -#include "buffer.h" -#include "dbutil.h" -#include "bignum.h" -#include "random.h" - - -/* this is used to generate unique output from the same hashpool */ -static uint32_t counter = 0; -/* the max value for the counter, so it won't integer overflow */ -#define MAX_COUNTER 1<<30 - -static unsigned char hashpool[SHA1_HASH_SIZE] = {0}; -static int donerandinit = 0; - -#define INIT_SEED_SIZE 32 /* 256 bits */ - -/* The basic setup is we read some data from /dev/(u)random or prngd and hash it - * into hashpool. To read data, we hash together current hashpool contents, - * and a counter. We feed more data in by hashing the current pool and new - * data into the pool. - * - * It is important to ensure that counter doesn't wrap around before we - * feed in new entropy. - * - */ - -/* Pass len=0 to hash an entire file */ -static int -process_file(hash_state *hs, const char *filename, - unsigned int len, int prngd) -{ - static int already_blocked = 0; - int readfd; - unsigned int readcount; - int ret = DROPBEAR_FAILURE; - -#ifdef DROPBEAR_PRNGD_SOCKET - if (prngd) - { - readfd = connect_unix(filename); - } - else -#endif - { - readfd = open(filename, O_RDONLY); - } - - if (readfd < 0) { - goto out; - } - - readcount = 0; - while (len == 0 || readcount < len) - { - int readlen, wantread; - unsigned char readbuf[4096]; - if (!already_blocked && !prngd) - { - int res; - struct timeval timeout; - fd_set read_fds; - - timeout.tv_sec = 2; - timeout.tv_usec = 0; - - FD_ZERO(&read_fds); - FD_SET(readfd, &read_fds); - res = select(readfd + 1, &read_fds, NULL, NULL, &timeout); - if (res == 0) - { - dropbear_log(LOG_WARNING, "Warning: Reading the randomness source '%s' seems to have blocked.\nYou may need to find a better entropy source.", filename); - already_blocked = 1; - } - } - - if (len == 0) - { - wantread = sizeof(readbuf); - } - else - { - wantread = MIN(sizeof(readbuf), len-readcount); - } - -#ifdef DROPBEAR_PRNGD_SOCKET - if (prngd) - { - char egdcmd[2]; - egdcmd[0] = 0x02; /* blocking read */ - egdcmd[1] = (unsigned char)wantread; - if (write(readfd, egdcmd, 2) < 0) - { - dropbear_exit("Can't send command to egd"); - } - } -#endif - - readlen = read(readfd, readbuf, wantread); - if (readlen <= 0) { - if (readlen < 0 && errno == EINTR) { - continue; - } - if (readlen == 0 && len == 0) - { - /* whole file was read as requested */ - break; - } - goto out; - } - sha1_process(hs, readbuf, readlen); - readcount += readlen; - } - ret = DROPBEAR_SUCCESS; -out: - close(readfd); - return ret; -} - -void addrandom(char * buf, unsigned int len) -{ - hash_state hs; - - /* hash in the new seed data */ - sha1_init(&hs); - /* existing state (zeroes on startup) */ - sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); - - /* new */ - sha1_process(&hs, buf, len); - sha1_done(&hs, hashpool); -} - -static void write_urandom() -{ -#ifndef DROPBEAR_PRNGD_SOCKET - /* This is opportunistic, don't worry about failure */ - unsigned char buf[INIT_SEED_SIZE]; - FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w"); - if (!f) { - return; - } - genrandom(buf, sizeof(buf)); - fwrite(buf, sizeof(buf), 1, f); - fclose(f); -#endif -} - -/* Initialise the prng from /dev/urandom or prngd. This function can - * be called multiple times */ -void seedrandom() { - - hash_state hs; - - pid_t pid; - struct timeval tv; - clock_t clockval; - - /* hash in the new seed data */ - sha1_init(&hs); - /* existing state */ - sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); - -#ifdef DROPBEAR_PRNGD_SOCKET - if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1) - != DROPBEAR_SUCCESS) { - dropbear_exit("Failure reading random device %s", - DROPBEAR_PRNGD_SOCKET); - } -#else - /* non-blocking random source (probably /dev/urandom) */ - if (process_file(&hs, DROPBEAR_URANDOM_DEV, INIT_SEED_SIZE, 0) - != DROPBEAR_SUCCESS) { - dropbear_exit("Failure reading random device %s", - DROPBEAR_URANDOM_DEV); - } -#endif - - /* A few other sources to fall back on. - * Add more here for other platforms */ -#ifdef __linux__ - /* Seems to be a reasonable source of entropy from timers. Possibly hard - * for even local attackers to reproduce */ - process_file(&hs, "/proc/timer_list", 0, 0); - /* Might help on systems with wireless */ - process_file(&hs, "/proc/interrupts", 0, 0); - - process_file(&hs, "/proc/loadavg", 0, 0); - process_file(&hs, "/proc/sys/kernel/random/entropy_avail", 0, 0); - - /* Mostly network visible but useful in some situations. - * Limit size to avoid slowdowns on systems with lots of routes */ - process_file(&hs, "/proc/net/netstat", 4096, 0); - process_file(&hs, "/proc/net/dev", 4096, 0); - process_file(&hs, "/proc/net/tcp", 4096, 0); - /* Also includes interface lo */ - process_file(&hs, "/proc/net/rt_cache", 4096, 0); - process_file(&hs, "/proc/vmstat", 0, 0); -#endif - - pid = getpid(); - sha1_process(&hs, (void*)&pid, sizeof(pid)); - - /* gettimeofday() doesn't completely fill out struct timeval on - OS X (10.8.3), avoid valgrind warnings by clearing it first */ - memset(&tv, 0x0, sizeof(tv)); - gettimeofday(&tv, NULL); - sha1_process(&hs, (void*)&tv, sizeof(tv)); - - clockval = clock(); - sha1_process(&hs, (void*)&clockval, sizeof(clockval)); - - /* When a private key is read by the client or server it will - * be added to the hashpool - see runopts.c */ - - sha1_done(&hs, hashpool); - - counter = 0; - donerandinit = 1; - - /* Feed it all back into /dev/urandom - this might help if Dropbear - * is running from inetd and gets new state each time */ - write_urandom(); -} - -/* return len bytes of pseudo-random data */ -void genrandom(unsigned char* buf, unsigned int len) { - - hash_state hs; - unsigned char hash[SHA1_HASH_SIZE]; - unsigned int copylen; - - if (!donerandinit) { - dropbear_exit("seedrandom not done"); - } - - while (len > 0) { - sha1_init(&hs); - sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); - sha1_process(&hs, (void*)&counter, sizeof(counter)); - sha1_done(&hs, hash); - - counter++; - if (counter > MAX_COUNTER) { - seedrandom(); - } - - copylen = MIN(len, SHA1_HASH_SIZE); - memcpy(buf, hash, copylen); - len -= copylen; - buf += copylen; - } - m_burn(hash, sizeof(hash)); -} - -/* Generates a random mp_int. - * max is a *mp_int specifying an upper bound. - * rand must be an initialised *mp_int for the result. - * the result rand satisfies: 0 < rand < max - * */ -void gen_random_mpint(mp_int *max, mp_int *rand) { - - unsigned char *randbuf = NULL; - unsigned int len = 0; - const unsigned char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; - - const int size_bits = mp_count_bits(max); - - len = size_bits / 8; - if ((size_bits % 8) != 0) { - len += 1; - } - - randbuf = (unsigned char*)m_malloc(len); - do { - genrandom(randbuf, len); - /* Mask out the unrequired bits - mp_read_unsigned_bin expects - * MSB first.*/ - randbuf[0] &= masks[size_bits % 8]; - - bytes_to_mp(rand, randbuf, len); - - /* keep regenerating until we get one satisfying - * 0 < rand < max */ - } while (mp_cmp(rand, max) != MP_LT); - m_burn(randbuf, len); - m_free(randbuf); -} diff -r c19acba28590 -r 220f55d540ae random.h --- a/random.h Thu Nov 14 22:03:30 2013 +0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,35 +0,0 @@ -/* - * Dropbear - a SSH2 server - * - * Copyright (c) 2002,2003 Matt Johnston - * All rights reserved. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. */ - -#ifndef _RANDOM_H_ -#define _RANDOM_H_ - -#include "includes.h" - -void seedrandom(); -void genrandom(unsigned char* buf, unsigned int len); -void addrandom(char * buf, unsigned int len); -void gen_random_mpint(mp_int *max, mp_int *rand); - -#endif /* _RANDOM_H_ */ diff -r c19acba28590 -r 220f55d540ae rsa.c --- a/rsa.c Thu Nov 14 22:03:30 2013 +0800 +++ b/rsa.c Thu Nov 14 22:05:47 2013 +0800 @@ -34,7 +34,7 @@ #include "rsa.h" #include "buffer.h" #include "ssh.h" -#include "random.h" +#include "dbrandom.h" #ifdef DROPBEAR_RSA diff -r c19acba28590 -r 220f55d540ae svr-agentfwd.c --- a/svr-agentfwd.c Thu Nov 14 22:03:30 2013 +0800 +++ b/svr-agentfwd.c Thu Nov 14 22:05:47 2013 +0800 @@ -37,7 +37,7 @@ #include "channel.h" #include "packet.h" #include "buffer.h" -#include "random.h" +#include "dbrandom.h" #include "listener.h" #include "auth.h" diff -r c19acba28590 -r 220f55d540ae svr-auth.c --- a/svr-auth.c Thu Nov 14 22:03:30 2013 +0800 +++ b/svr-auth.c Thu Nov 14 22:05:47 2013 +0800 @@ -33,7 +33,7 @@ #include "packet.h" #include "auth.h" #include "runopts.h" -#include "random.h" +#include "dbrandom.h" static void authclear(); static int checkusername(unsigned char *username, unsigned int userlen); diff -r c19acba28590 -r 220f55d540ae svr-chansession.c --- a/svr-chansession.c Thu Nov 14 22:03:30 2013 +0800 +++ b/svr-chansession.c Thu Nov 14 22:05:47 2013 +0800 @@ -32,7 +32,7 @@ #include "sshpty.h" #include "termcodes.h" #include "ssh.h" -#include "random.h" +#include "dbrandom.h" #include "x11fwd.h" #include "agentfwd.h" #include "runopts.h" diff -r c19acba28590 -r 220f55d540ae svr-kex.c --- a/svr-kex.c Thu Nov 14 22:03:30 2013 +0800 +++ b/svr-kex.c Thu Nov 14 22:05:47 2013 +0800 @@ -32,7 +32,7 @@ #include "ssh.h" #include "packet.h" #include "bignum.h" -#include "random.h" +#include "dbrandom.h" #include "runopts.h" #include "ecc.h" #include "gensignkey.h" diff -r c19acba28590 -r 220f55d540ae svr-main.c --- a/svr-main.c Thu Nov 14 22:03:30 2013 +0800 +++ b/svr-main.c Thu Nov 14 22:05:47 2013 +0800 @@ -28,7 +28,7 @@ #include "buffer.h" #include "signkey.h" #include "runopts.h" -#include "random.h" +#include "dbrandom.h" #include "crypto_desc.h" static size_t listensockets(int *sock, size_t sockcount, int *maxfd); diff -r c19acba28590 -r 220f55d540ae svr-session.c --- a/svr-session.c Thu Nov 14 22:03:30 2013 +0800 +++ b/svr-session.c Thu Nov 14 22:05:47 2013 +0800 @@ -30,7 +30,7 @@ #include "buffer.h" #include "dss.h" #include "ssh.h" -#include "random.h" +#include "dbrandom.h" #include "kex.h" #include "channel.h" #include "chansession.h"