- (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove

   unnecessary arc4random_stir() calls. The only ones left are to ensure
   that the PRNG gets a different state after fork() for platforms that
   have broken the API.

diff --git a/ChangeLog b/ChangeLog
index e396e470e237b3fbd39cd5ee0c63b86850414b50..d32065913ec4e11eb1c3bc0505b4216ff7b883f3 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20131025
+ - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
+   unnecessary arc4random_stir() calls. The only ones left are to ensure
+   that the PRNG gets a different state after fork() for platforms that
+   have broken the API.
+
 20131024
  - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
    rather than full client name which may be of form user@REALM;

diff --git a/ssh-keygen.c b/ssh-keygen.c
index b664a5f1feb7ce2fa3a6b67f914fd771b03a4c08..678dafe87d55fb434312a735588b1627b69293b2 100644 (file)
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -910,7 +910,6 @@ do_gen_all_hostkeys(struct passwd *pw)
                }
                printf("%s ", key_types[i].key_type_display);
                fflush(stdout);
-               arc4random_stir();
                type = key_type_from_name(key_types[i].key_type);
                strlcpy(identity_file, key_types[i].path, sizeof(identity_file));
                bits = 0;
@@ -932,7 +931,6 @@ do_gen_all_hostkeys(struct passwd *pw)
                        continue;
                }
                key_free(private);
-               arc4random_stir();
                strlcat(identity_file, ".pub", sizeof(identity_file));
                fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
                if (fd == -1) {
@@ -2543,8 +2541,6 @@ main(int argc, char **argv)
                return (0);
        }
 
-       arc4random_stir();
-
        if (key_type_name == NULL)
                key_type_name = "rsa";
 
@@ -2638,7 +2634,6 @@ passphrase_again:
 
        /* Clear the private key and the random number generator. */
        key_free(private);
-       arc4random_stir();
 
        if (!quiet)
                printf("Your identification has been saved in %s.\n", identity_file);

diff --git a/ssh-keysign.c b/ssh-keysign.c
index b67ed1ead22680e65edbe62c375d56e178d669a8..518373bf8960bf8b8667d62a9b57fb1d7f8a373c 100644 (file)
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -179,7 +179,6 @@ main(int argc, char **argv)
        permanently_set_uid(pw);
 
        seed_rng();
-       arc4random_stir();
 
 #ifdef DEBUG_SSH_KEYSIGN
        log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);

diff --git a/sshconnect1.c b/sshconnect1.c
index f4b89077335e1674224870dac8b5b48704662a97..7bd6cb0189eb617860c5b49c931c4c2700729421 100644 (file)
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -542,9 +542,6 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
 
        derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id);
 
-       /* Generate a session key. */
-       arc4random_stir();
-
        /*
         * Generate an encryption key for the session.   The key is a 256 bit
         * random number, interpreted as a 32-byte key, with the least

diff --git a/sshd.c b/sshd.c
index c9ead2e7f4e11d6805cd9cd1f52740ad6fb6fb56..d4349f618165f4ad794b5047ec759702fc726b9a 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -398,7 +398,6 @@ generate_ephemeral_server_key(void)
        verbose("RSA key generation complete.");
 
        arc4random_buf(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
-       arc4random_stir();
 }
 
 /*ARGSUSED*/
@@ -1867,9 +1866,6 @@ main(int ac, char **av)
        /* Reinitialize the log (because of the fork above). */
        log_init(__progname, options.log_level, options.log_facility, log_stderr);
 
-       /* Initialize the random number generator. */
-       arc4random_stir();
-
        /* Chdir to the root directory so that the current disk can be
           unmounted if desired. */
        if (chdir("/") == -1)