[openssh-commits] [openssh] 02/02: Factor out RNG reseeding in to a single function.
git+noreply at mindrot.org
git+noreply at mindrot.org
Thu Feb 12 09:39:31 AEDT 2026
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 1a4eb511abaf3522b84fa5697524b81b4865279b
Author: Darren Tucker <dtucker at dtucker.net>
AuthorDate: Wed Feb 11 17:36:42 2026 -0500
Factor out RNG reseeding in to a single function.
sshd and sshd-session both reseed the RNG after a fork. Move the
existing reseed_prngs() function into entropy.c and use for both.
Clean up entropy.h too. ok djm@
---
entropy.c | 21 +++++++++++++++++++++
entropy.h | 9 ++++-----
sshd-session.c | 21 ---------------------
sshd.c | 10 +---------
4 files changed, 26 insertions(+), 35 deletions(-)
diff --git a/entropy.c b/entropy.c
index 65ef92237..8bb3accbd 100644
--- a/entropy.c
+++ b/entropy.c
@@ -108,3 +108,24 @@ seed_rng(void)
}
#endif /* WITH_OPENSSL */
+
+void
+reseed_prngs(void)
+{
+ u_int32_t rnd[256];
+
+#ifdef WITH_OPENSSL
+ RAND_poll();
+#endif
+ arc4random_stir(); /* noop on recent arc4random() implementations */
+ arc4random_buf(rnd, sizeof(rnd)); /* let arc4random notice PID change */
+
+#ifdef WITH_OPENSSL
+ RAND_seed(rnd, sizeof(rnd));
+ /* give libcrypto a chance to notice the PID change */
+ if ((RAND_bytes((u_char *)rnd, 1)) != 1)
+ fatal_f("RAND_bytes failed");
+#endif
+
+ explicit_bzero(rnd, sizeof(rnd));
+}
diff --git a/entropy.h b/entropy.h
index 870164d30..45d56a339 100644
--- a/entropy.h
+++ b/entropy.h
@@ -22,13 +22,12 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-#ifndef _RANDOMS_H
-#define _RANDOMS_H
+#ifndef _ENTROPY_H
+#define _ENTROPY_H
struct sshbuf;
void seed_rng(void);
-void rexec_send_rng_seed(struct sshbuf *);
-void rexec_recv_rng_seed(struct sshbuf *);
+void reseed_prngs(void);
-#endif /* _RANDOMS_H */
+#endif /* _ENTROPY_H */
diff --git a/sshd-session.c b/sshd-session.c
index d8dfc7432..29de97fa6 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -262,27 +262,6 @@ demote_sensitive_data(void)
}
}
-static void
-reseed_prngs(void)
-{
- u_int32_t rnd[256];
-
-#ifdef WITH_OPENSSL
- RAND_poll();
-#endif
- arc4random_stir(); /* noop on recent arc4random() implementations */
- arc4random_buf(rnd, sizeof(rnd)); /* let arc4random notice PID change */
-
-#ifdef WITH_OPENSSL
- RAND_seed(rnd, sizeof(rnd));
- /* give libcrypto a chance to notice the PID change */
- if ((RAND_bytes((u_char *)rnd, 1)) != 1)
- fatal_f("RAND_bytes failed");
-#endif
-
- explicit_bzero(rnd, sizeof(rnd));
-}
-
struct sshbuf *
pack_hostkeys(void)
{
diff --git a/sshd.c b/sshd.c
index 0bea88927..74d25fc73 100644
--- a/sshd.c
+++ b/sshd.c
@@ -922,7 +922,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
struct early_child *child;
struct sshbuf *buf;
socklen_t fromlen;
- u_char rnd[256];
sigset_t nsigset, osigset;
/* pipes connected to unauthenticated child sshd processes */
@@ -1219,14 +1218,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
* Ensure that our random state differs
* from that of the child
*/
- arc4random_stir();
- arc4random_buf(rnd, sizeof(rnd));
-#ifdef WITH_OPENSSL
- RAND_seed(rnd, sizeof(rnd));
- if ((RAND_bytes((u_char *)rnd, 1)) != 1)
- fatal_f("RAND_bytes failed");
-#endif
- explicit_bzero(rnd, sizeof(rnd));
+ reseed_prngs();
}
}
}
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list