 @@ -1,14 +1,14 @@
-/*	$NetBSD: sshd.c,v 1.8 2011/09/16 15:36:18 joerg Exp $	*/
+/*	$NetBSD: sshd.c,v 1.9 2012/03/05 20:13:36 tls Exp $	*/
 /* $OpenBSD: sshd.c,v 1.385 2011/06/23 09:34:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
  * This program is the ssh daemon.  It listens for connections from clients,
  * and performs authentication, executes use commands or shell, and forwards
  * information to/from the application to the user client over an encrypted
  * connection.  This can also handle forwarding of X11, TCP/IP, and
  * authentication agent connections.
+ *
  * As far as I am concerned, the code I have written for this software
  * can be used freely for any purpose.  Any derived versions of this
 @@ -34,27 +34,27 @@
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-__RCSID("$NetBSD: sshd.c,v 1.8 2011/09/16 15:36:18 joerg Exp $");
+__RCSID("$NetBSD: sshd.c,v 1.9 2012/03/05 20:13:36 tls Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>
 #include <sys/wait.h>
 #include <sys/tree.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/queue.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <netdb.h>
 @@ -119,27 +119,30 @@ int deny_severity = LOG_WARNING;
 #ifdef WITH_LDAP_PUBKEY
 #include "ldapauth.h"
 #endif
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
 #define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
-#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
+#define REEXEC_DEVURANDOM_FD		(STDERR_FILENO + 4)
 #define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 5)
 int urandom_fd = -1;
 int myflag = 0;
 extern char *__progname;
 /* Server configuration options. */
 ServerOptions options;
 /* Name of the server configuration file. */
 const char *config_file_name = _PATH_SERVER_CONFIG_FILE;
 /*
 @@ -572,37 +575,40 @@ demote_sensitive_data(void)
 			sensitive_data.host_keys[i] = tmp;
 			if (tmp->type == KEY_RSA1)
 				sensitive_data.ssh1_host_key = tmp;
+		}
 		/* Certs do not need demotion */
+	}
 	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
+}
 static void
 privsep_preauth_child(void)
+{
-	u_int32_t rnd[256];
+	u_int32_t rnd[32];
 	gid_t gidset[1];
 	struct passwd *pw;
 	/* Enable challenge-response authentication for privilege separation */
 	privsep_challenge_enable();
-	arc4random_stir();
+	if (read(urandom_fd, rnd, sizeof(rnd)) != sizeof(rnd)) {
-	arc4random_buf(rnd, sizeof(rnd));
+	    fatal("privsep_preauth_child: entropy read failed");
+	}
 	RAND_seed(rnd, sizeof(rnd));
 	arc4random_stir();
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
 	if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
 		fatal("Privilege separation user %s does not exist",
 		    SSH_PRIVSEP_USER);
 	memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
 	endpwent();
 	/* Change our root directory */
 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
 		    strerror(errno));
 @@ -679,27 +685,27 @@ privsep_preauth(Authctxt *authctxt)
 		if (getuid() == 0 || geteuid() == 0)
 			privsep_preauth_child();
 		setproctitle("%s", "[net]");
 		if (box != NULL)
 			ssh_sandbox_child(box);
 		return 0;
+	}
+}
 static void
 privsep_postauth(Authctxt *authctxt)
+{
-	u_int32_t rnd[256];
+	u_int32_t rnd[32];
 	if (authctxt->pw->pw_uid == 0 || options.use_login) {
 		/* File descriptor passing is broken or root login */
 		use_privsep = 0;
 		goto skip;
+	}
 	/* New socket pair */
 	monitor_reinit(pmonitor);
 	pmonitor->m_pid = fork();
 	if (pmonitor->m_pid == -1)
 		fatal("fork of unprivileged child failed");
 @@ -710,30 +716,33 @@ privsep_postauth(Authctxt *authctxt)
 		/* NEVERREACHED */
 		exit(0);
+	}
 	/* child */
 	close(pmonitor->m_sendfd);
 	pmonitor->m_sendfd = -1;
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
-	arc4random_stir();
+	if (read(urandom_fd, rnd, sizeof(rnd)) != sizeof(rnd)) {
-	arc4random_buf(rnd, sizeof(rnd));
+	    fatal("privsep_postauth: entropy read failed");
+	}
 	RAND_seed(rnd, sizeof(rnd));
 	arc4random_stir();
 	/* Drop privileges */
 	do_setusercontext(authctxt->pw);
  skip:
 	/* It is safe now to apply the key state */
 	monitor_apply_keystate(pmonitor);
 	/*
 	 * Tell the packet layer that authentication was successful, since
 	 * this information is not part of the key state.
 	 */
 	packet_set_authenticated();
+}
 @@ -1081,26 +1090,27 @@ server_listen(void)
  * The main TCP accept loop. Note that, for the non-debug case, returns
  * from this function are in a forked subprocess.
  */
 static void
 server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+{
 	fd_set *fdset;
 	int i, j, ret, maxfd;
 	int key_used = 0, startups = 0;
 	int startup_p[2] = { -1 , -1 };
 	struct sockaddr_storage from;
 	socklen_t fromlen;
 	pid_t pid;
 	uint8_t rnd[32];
 	/* setup fd set for accept */
 	fdset = NULL;
 	maxfd = 0;
 	for (i = 0; i < num_listen_socks; i++)
 		if (listen_socks[i] > maxfd)
 			maxfd = listen_socks[i];
 	/* pipes connected to unauthenticated childs */
 	startup_pipes = xcalloc(options.max_startups, sizeof(int));
 	for (i = 0; i < options.max_startups; i++)
 		startup_pipes[i] = -1;
 	/*
 @@ -1273,26 +1283,32 @@ server_accept_loop(int *sock_in, int *so
 			    key_used == 0) {
 				/* Schedule server key regeneration alarm. */
 				signal(SIGALRM, key_regeneration_alarm);
 				alarm(options.key_regeneration_time);
 				key_used = 1;
+			}
 			close(*newsock);
 			/*
 			 * Ensure that our random state differs
 			 * from that of the child
 			 */
 			if (read(urandom_fd, rnd, sizeof(rnd)) !=
 			    sizeof(rnd)) {
 				fatal("server_accept_loop: "
 				      "entropy read failed");
+			}
 			RAND_seed(rnd, sizeof(rnd));
 			arc4random_stir();
+		}
 		/* child process check (or debug mode) */
 		if (num_listen_socks < 0)
 			break;
+	}
+}
 /*
  * Main program for the daemon.
  */
 @@ -1302,26 +1318,27 @@ main(int ac, char **av)
 	extern char *optarg;
 	extern int optind;
 	int opt, i, j, on = 1;
 	int sock_in = -1, sock_out = -1, newsock = -1;
 	const char *remote_ip;
 	char *test_user = NULL, *test_host = NULL, *test_addr = NULL;
 	int remote_port;
 	char *line, *p, *cp;
 	int config_s[2] = { -1 , -1 };
 	u_int64_t ibytes, obytes;
 	mode_t new_umask;
 	Key *key;
 	Authctxt *authctxt;
 	uint8_t rnd[32];
 	/* Save argv. */
 	saved_argv = av;
 	rexec_argc = ac;
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 	/* Initialize configuration options to their default values. */
 	initialize_server_options(&options);
 	/* Parse command-line arguments. */
 	while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeiqrtQRT46")) != -1) {
 @@ -1452,26 +1469,55 @@ main(int ac, char **av)
+	}
 	if (rexeced_flag || inetd_flag)
 		rexec_flag = 0;
 	if (!test_flag && (rexec_flag && (av[0] == NULL || *av[0] != '/')))
 		fatal("sshd re-exec requires execution with an absolute path");
 	if (rexeced_flag)
 		closefrom(REEXEC_MIN_FREE_FD);
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 	OpenSSL_add_all_algorithms();
 	/*
 	 * The OpenSSL PRNG is used by key-generation functions we
 	 * rely on for security.  Seed it ourselves, so that:
+	 *
 	 *	A) it does not seed itself from somewhere questionable,
 	 *	   such as the libc arc4random or, worse, getpid().
 	 *	B) it does not reopen /dev/urandom on systems where
 	 *	   this is expensive (generator keyed on open, etc).
+	 *
 	 * Note that /dev/urandom will never return the same data to
 	 * two callers, even if they have the same dup'd reference to it.
 	 */
 	if (rexeced_flag) {
 		urandom_fd = REEXEC_DEVURANDOM_FD;
 	} else {
 		urandom_fd = open("/dev/urandom", O_RDONLY);
 		if (urandom_fd == -1) {
 			fatal("sshd requires random device");
+		}
 		/* Might as well do this here; why do it later? */
 		dup2(urandom_fd, REEXEC_DEVURANDOM_FD);
 		close(urandom_fd);
 		urandom_fd = REEXEC_DEVURANDOM_FD;
+	}
 	if (read(urandom_fd, rnd, sizeof(rnd)) != sizeof(rnd)) {
 		fatal("entropy read failed");
+	}
 	RAND_seed(rnd, sizeof(rnd));
 	/*
 	 * Force logging to stderr until we have loaded the private host
 	 * key (unless started from inetd)
 	 */
 	log_init(__progname,
 	    options.log_level == SYSLOG_LEVEL_NOT_SET ?
 	    SYSLOG_LEVEL_INFO : options.log_level,
 	    options.log_facility == SYSLOG_FACILITY_NOT_SET ?
 	    SYSLOG_FACILITY_AUTH : options.log_facility,
 	    log_stderr || !inetd_flag);
 	sensitive_data.server_key = NULL;
 	sensitive_data.ssh1_host_key = NULL;
 	sensitive_data.have_ssh1_key = 0;
 @@ -1693,27 +1739,27 @@ main(int ac, char **av)
 		if (daemon(0, 0) < 0)
 			fatal("daemon() failed: %.200s", strerror(errno));
 		/* Disconnect from the controlling tty. */
 		fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
 		if (fd >= 0) {
 			(void) ioctl(fd, TIOCNOTTY, NULL);
 			close(fd);
+		}
+	}
 	/* Reinitialize the log (because of the fork above). */
 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
-	/* Initialize the random number generator. */
+	/* Initialize the fast random number generator. */
 	arc4random_stir();
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	chdir("/");
 	/* ignore SIGPIPE */
 	signal(SIGPIPE, SIG_IGN);
 	/* Get a connection, either from inetd or a listening TCP socket */
 	if (inetd_flag) {
 		server_accept_inetd(&sock_in, &sock_out);
 	} else {

 @@ -131,27 +131,26 @@
 #ifdef BN_DEBUG
 # define PREDICT
 #endif
 /* #define PREDICT	1 */
 #define STATE_SIZE	1023
 static int state_num=0,state_index=0;
 static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
 static unsigned char md[MD_DIGEST_LENGTH];
 static long md_count[2]={0,0};
 static double entropy=0;
 static int initialized=0;
 static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
                                            * holds CRYPTO_LOCK_RAND
                                            * (to prevent double locking) */
 /* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
 static CRYPTO_THREADID locking_threadid; /* valid iff crypto_lock_rand is set */
 #ifdef PREDICT
 int rand_predictable=0;
 #endif
 const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT;
 @@ -177,27 +176,26 @@ RAND_METHOD *RAND_SSLeay(void)
+	{
 	return(&rand_ssleay_meth);
+	}
 static void ssleay_rand_cleanup(void)
+	{
 	OPENSSL_cleanse(state,sizeof(state));
 	state_num=0;
 	state_index=0;
 	OPENSSL_cleanse(md,MD_DIGEST_LENGTH);
 	md_count[0]=0;
 	md_count[1]=0;
 	entropy=0;
 	initialized=0;
+	}
 static void ssleay_rand_add(const void *buf, int num, double add)
+	{
 	int i,j,k,st_idx;
 	long md_c[2];
 	unsigned char local_md[MD_DIGEST_LENGTH];
 	EVP_MD_CTX m;
 	int do_not_lock;
 	/*
 	 * (Based on the rand(3) manpage)
+	 *
 @@ -379,38 +377,35 @@ static int ssleay_rand_bytes(unsigned ch
 	 * caller, 'count' (which is incremented) and the local and global 'md'
 	 * are fed into the hash function and the results are kept in the
 	 * global 'md'.
 	 */
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
 	CRYPTO_THREADID_current(&locking_threadid);
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
 	crypto_lock_rand = 1;
 	if (!initialized)
 		RAND_poll();
 		initialized = 1;
 	if (!stirred_pool)
 		do_stir_pool = 1;
 	ok = (entropy >= ENTROPY_NEEDED);
 	if (!ok)
+		{
 		RAND_poll();
 		/* If the PRNG state is not yet unpredictable, then seeing
 		 * the PRNG output may help attackers to determine the new
 		 * state; thus we have to decrease the entropy estimate.
 		 * Once we've had enough initial seeding we don't bother to
 		 * adjust the entropy count, though, because we're not ambitious
 		 * to provide *information-theoretic* randomness.
+		 *
 		 * NOTE: This approach fails if the program forks before
 		 * we have enough entropy. Entropy should be collected
 		 * in a separate input pool and be transferred to the
 		 * output pool only when the entropy limit has been reached.
 		 */
 		entropy -= num;
 @@ -561,31 +556,30 @@ static int ssleay_rand_status(void)
 	else
 		do_not_lock = 0;
 	if (!do_not_lock)
+		{
 		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 		/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 		CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
 		CRYPTO_THREADID_cpy(&locking_threadid, &cur);
 		CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
 		crypto_lock_rand = 1;
+		}
-	if (!initialized)
+	if (entropy < ENTROPY_NEEDED)
+		{
 		RAND_poll();
 		initialized = 1;
+		}
 	ret = entropy >= ENTROPY_NEEDED;
 	if (!do_not_lock)
+		{
 		/* before unlocking, we must clear 'crypto_lock_rand' */
 		crypto_lock_rand = 0;
 		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+		}
 	return ret;

 @@ -172,26 +172,36 @@ int RAND_poll(void)
 		rnd >>= 8;
+	}
 	RAND_add(buf, sizeof(buf), ENTROPY_NEEDED);
 	memset(buf, 0, sizeof(buf));
 	return 1;
+}
 #elif defined __OpenBSD__
 int RAND_poll(void)
+{
 	u_int32_t rnd = 0, i;
 	unsigned char buf[ENTROPY_NEEDED];
 	/*
 	 * XXX is this really a good idea?  It has the seemingly
 	 * XXX very undesirable eventual result of keying the CTR_DRBG
 	 * XXX generator exclusively with key material produced by
 	 * XXX the libc arc4random().  It also guarantees that even
 	 * XXX if the generator tries to use RAND_poll() to rekey
 	 * XXX itself after a call to fork() etc, it will end up with
 	 * XXX the same state, since the libc arc4 state will be the same
 	 * XXX unless explicitly updated by the application.
 	 */
 	for (i = 0; i < sizeof(buf); i++) {
 		if (i % 4 == 0)
 			rnd = arc4random();
 		buf[i] = rnd;
 		rnd >>= 8;
+	}
 	RAND_add(buf, sizeof(buf), ENTROPY_NEEDED);
 	memset(buf, 0, sizeof(buf));
 	return 1;
+}
 #else /* !defined(__OpenBSD__) */
 int RAND_poll(void)