From 07889c75926c040b8e095949c724e66af26441cb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Nov 2015 18:44:49 +1100 Subject: [PATCH] read back from libcrypto RAND when privdropping makes certain libcrypto implementations cache a /dev/urandom fd in preparation of sandboxing. Based on patch by Greg Hartman. --- sshd.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sshd.c b/sshd.c index d86808912..b19cc34c7 100644 --- a/sshd.c +++ b/sshd.c @@ -624,6 +624,8 @@ privsep_preauth_child(void) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); @@ -767,6 +769,8 @@ privsep_postauth(Authctxt *authctxt) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); @@ -1436,6 +1440,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); }