From: Darren Tucker Date: Thu, 3 Aug 2023 09:35:33 +0000 (+1000) Subject: Fix RNG seeding for OpenSSL w/out self seeding. X-Git-Tag: V_9_4_P1~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d92e7b24848fcc605945f7c2e3460c7c31832ce;p=thirdparty%2Fopenssh-portable.git Fix RNG seeding for OpenSSL w/out self seeding. When sshd is built with an OpenSSL that does not self-seed, it would fail in the preauth privsep process while handling a new connection. Sanity checked by djm@
---
diff --git a/openbsd-compat/bsd-getentropy.c b/openbsd-compat/bsd-getentropy.c
index 0231e066c..fc1b4ac42 100644
--- a/openbsd-compat/bsd-getentropy.c
+++ b/openbsd-compat/bsd-getentropy.c
@@ -41,7 +41,7 @@
 int
 _ssh_compat_getentropy(void *s, size_t len)
 {
-#ifdef WITH_OPENSSL
+#if defined(WITH_OPENSSL) && defined(OPENSSL_PRNG_ONLY)
 if (RAND_bytes(s, len) <= 0)
 fatal("Couldn't obtain random bytes (error 0x%lx)",
 (unsigned long)ERR_get_error());
@@ -50,6 +50,10 @@ _ssh_compat_getentropy(void *s, size_t len)
 ssize_t r;
 size_t o = 0;
 
+#ifdef WITH_OPENSSL
+ if (RAND_bytes(s, len) == 1)
+ return 0;
+#endif
 #ifdef HAVE_GETENTROPY
 if ((r = getentropy(s, len)) == 0)
 return 0;
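Review bot: The tightened guard `#if defined(WITH_OPENSSL) && defined(OPENSSL_PRNG_ONLY)` in the first hunk carries no comment saying why the fatal-on-failure path is now limited to PRNG-only builds, and the next reader will not have the commit message to hand. A line above the guard such as `/* OpenSSL is the only entropy source in this configuration, so a RAND_bytes() failure must be fatal */` would record the fail-closed intent. Where `OPENSSL_PRNG_ONLY` gets defined is not visible here, so it is worth confirming that the file's existing includes bring it into scope before this test; if they do not, the branch is silently never taken. The matching `#else`/`#endif` lie outside the hunk.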
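Review bot: The probe added in the second hunk, `RAND_bytes(s, len) == 1`, hands a `size_t` to a parameter OpenSSL declares as `int`, and when the probe fails the function falls through to the other sources with the OpenSSL error still queued. Nothing visible in the hunk bounds `len`, so the narrowing is better made explicit, e.g. `if (len <= INT_MAX && RAND_bytes(s, (int)len) == 1)`. Calling `ERR_clear_error();` after a failed probe would keep that stale entry out of a later, unrelated `ERR_get_error()` report. A short comment such as `/* prefer OpenSSL's RNG; fall back to system sources if it cannot deliver */` would also mark the fall-through as deliberate rather than a missed error check. The function body continues outside the hunk.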