- (djm) ssh-rand-helper improvements

- Add commandline debugging options - Don't write binary data if stdout is a tty (use hex instead) - Give it a manpage
2002-04-14 19:27:12 +10:00 · 2002-04-14 19:27:12 +10:00 · 32e4818015
parent fd4c9eee25
commit 32e4818015
4 changed files with 178 additions and 17 deletions
--- a/8
+++ b/8
@ -1,3 +1,9 @@
+20020414
+ - (djm) ssh-rand-helper improvements
+   - Add commandline debugging options
+   - Don't write binary data if stdout is a tty (use hex instead)
+   - Give it a manpage
+
 20020413
 - (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk>

@ -8234,4 +8240,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1

-$Id: ChangeLog,v 1.2051 2002/04/13 01:04:40 djm Exp $
+$Id: ChangeLog,v 1.2052 2002/04/14 09:27:12 djm Exp $
--- a/Makefile.in
+++ b/Makefile.in
@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.202 2002/04/13 01:04:41 djm Exp $
+# $Id: Makefile.in,v 1.203 2002/04/14 09:27:13 djm Exp $

 prefix=@prefix@
 exec_prefix=@exec_prefix@
@ -56,14 +56,15 @@ SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clie

 SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o

-MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
-MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
+MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out
+MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8
 MANTYPE		= @MANTYPE@

 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
 CONFIGFILES_IN=sshd_config ssh_config moduli

 PATHSUBS	= \
+	-D/etc/ssh/ssh_prng_cmds=$(sysconfdir)/ssh_prng_cmds \
 	-D/etc/ssh/ssh_config=$(sysconfdir)/ssh_config \
 	-D/etc/ssh/ssh_known_hosts=$(sysconfdir)/ssh_known_hosts \
 	-D/etc/ssh/sshd_config=$(sysconfdir)/sshd_config \
@ -216,6 +217,9 @@ install-files: scard-install
 	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
 	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
 	$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+	if [ ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
+		$(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
+	fi
 	@NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
 	@NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(bindir)/slogin
@ -309,5 +313,6 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
--- a/ssh-rand-helper.8
+++ b/ssh-rand-helper.8
@ -0,0 +1,94 @@
+.\" $Id: ssh-rand-helper.8,v 1.1 2002/04/14 09:27:13 djm Exp $
+.\"
+.\" Copyright (c) 2002 Damien Miller.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd April 14, 2002
+.Dt SSH-RAND-HELPER 8
+.Os
+.Sh NAME
+.Nm ssh-rand-helper
+.Nd Random number gatherer for OpenSSH
+.Sh SYNOPSIS
+.Nm ssh-rand-hlper
+.Op Fl vxXh
+.Op Fl b Ar bytes
+.Sh DESCRIPTION
+.Nm
+is a small helper program used by 
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr ssh-keyscan 1 
+and
+.Xr sshd 8
+to gather random numbers of cryptographic quality if the 
+.Xr openssl 4
+library has not been configured to provide them itself.
+.Pp
+Normally 
+.Nm
+will generate a strong random seed and provide it to the calling
+program via standard output. If standard output is a tty, 
+.Nm
+will instead print the seed in hexidecimal format unless told otherwise.
+.Pp
+.Nm
+will by default gather random numbers from the system commands listed
+in
+.Pa /etc/ssh/ssh_prng_cmds .
+The output of each of the commands listed will be hashed and used to 
+generate a random seed for the calling program. 
+.Nm
+will also store seed files in 
+.Pa ~/.ssh/prng_seed
+between executions.
+.Pp
+Alternately, 
+.Nm
+may be configured at build time to collect random numbers from a 
+EGD/PRNGd server via a unix domain or localhost tcp socket.
+.Pp
+This program is not intended to be run by the end-user, so the few 
+commandline options are for debugging purposes only.
+.Bl -tag -width Ds
+.It Fl b Ar bytes
+Specify the number of random bytes to include in the output.
+.It Fl x
+Output a hexidecimal instead of a binary seed.
+.It Fl X
+Force output of a binary seed, even if standard output is a tty
+.It Fl v
+Turn on debugging message. Multiple
+.Fl v
+options will increase the debugging level.
+.Fl h
+Display a summary of options.
+.El
+.Sh AUTHORS
+Damien Miller <djm@mindrot.org>
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@ -39,7 +39,7 @@
 #include "pathnames.h"
 #include "log.h"

-RCSID("$Id: ssh-rand-helper.c,v 1.5 2002/02/10 07:32:30 djm Exp $");
+RCSID("$Id: ssh-rand-helper.c,v 1.6 2002/04/14 09:27:13 djm Exp $");

 /* Number of bytes we write out */
 #define OUTPUT_SEED_SIZE	48
@ -747,38 +747,88 @@ prng_read_commands(char *cmdfilename)
 	return cur_cmd < MIN_ENTROPY_SOURCES ? -1 : 0;
 }

+void
+usage(void)
+{
+	fprintf(stderr, "Usage: %s [options]\n", __progname);
+	fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
+	fprintf(stderr, "              Multiple -v increases verbosity.\n");
+	fprintf(stderr, "  -x          Force output in hexidecimal (for debugging)\n");
+	fprintf(stderr, "  -X          Force output in binary\n");
+	fprintf(stderr, "  -b bytes    Number of bytes to output (default %d)\n",
+	    OUTPUT_SEED_SIZE);
+}
+
 int 
 main(int argc, char **argv)
 {
-	unsigned char buf[OUTPUT_SEED_SIZE];
-	int ret;
+	unsigned char *buf;
+	int ret, ch, debug_level, output_hex, bytes;
+	extern char *optarg;
+	LogLevel ll;

 	__progname = get_progname(argv[0]);
-	/* XXX: need some debugging mode */
 	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

+	ll = SYSLOG_LEVEL_INFO;
+	debug_level = output_hex = 0;
+	bytes = OUTPUT_SEED_SIZE;
+
+	/* Don't write binary data to a tty, unless we are forced to */
+	if (isatty(STDOUT_FILENO))
+		output_hex = 1;
+	
+	while ((ch = getopt(argc, argv, "vxXhb:")) != -1) {
+		switch (ch) {
+		case 'v':
+			if (debug_level < 3)
+				ll = SYSLOG_LEVEL_DEBUG1 + debug_level++;
+			break;
+		case 'x':
+			output_hex = 1;
+			break;
+		case 'X':
+			output_hex = 0;
+			break;
+		case 'b':
+			if ((bytes = atoi(optarg)) <= 0)
+				fatal("Invalid number of output bytes");
+			break;
+		case 'h':
+			usage();
+			exit(0);
+		default:
+			error("Invalid commandline option");
+			usage();
+		}
+	}
+
+	log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
+	
 #ifdef USE_SEED_FILES
 	prng_read_seedfile();
 #endif

+	buf = xmalloc(bytes);
+
 	/*
 	 * Seed the RNG from wherever we can
 	 */
 	 
 	/* Take whatever is on the stack, but don't credit it */
-	RAND_add(buf, sizeof(buf), 0);
+	RAND_add(buf, bytes, 0);

 	debug("Seeded RNG with %i bytes from system calls", 
 	    (int)stir_from_system());

 #ifdef PRNGD_PORT
-	if (get_random_bytes_prngd(buf, sizeof(buf), PRNGD_PORT, NULL) == -1)
+	if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == -1)
 		fatal("Entropy collection failed");
-	RAND_add(buf, sizeof(buf), sizeof(buf));
+	RAND_add(buf, bytes, bytes);
 #elif defined(PRNGD_SOCKET)
-	if (get_random_bytes_prngd(buf, sizeof(buf), 0, PRNGD_SOCKET) == -1)
+	if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == -1)
 		fatal("Entropy collection failed");
-	RAND_add(buf, sizeof(buf), sizeof(buf));
+	RAND_add(buf, bytes, bytes);
 #else
 	/* Read in collection commands */
 	if (prng_read_commands(SSH_PRNG_COMMAND_FILE) == -1)
@ -798,12 +848,18 @@ main(int argc, char **argv)
 	if (!RAND_status())
 		fatal("Not enough entropy in RNG");

-	RAND_bytes(buf, sizeof(buf));
+	RAND_bytes(buf, bytes);

-	ret = atomicio(write, STDOUT_FILENO, buf, sizeof(buf));
+	if (output_hex) {
+		for(ret = 0; ret < bytes; ret++)
+			printf("%02x", (unsigned char)(buf[ret]));
+		printf("\n");
+	} else
+		ret = atomicio(write, STDOUT_FILENO, buf, bytes);
 		
-	memset(buf, '\0', sizeof(buf));
+	memset(buf, '\0', bytes);
+	xfree(buf);
 	
-	return ret == sizeof(buf) ? 0 : 1;
+	return ret == bytes ? 0 : 1;
 }