From 5372db7e7985ba2c00f20fdff8942145ca99e033 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Thu, 10 Nov 2022 12:44:51 +1100
Subject: [PATCH] Remove seed passing over reexec.

This was added for the benefit of platforms using ssh-rand-helper to prevent a delay on each connection as sshd reseeded itself. ssh-random-helper is long gone, and since the re-exec happens before the chroot the re-execed sshd can reseed itself normally. ok djm@
---
 entropy.c | 34 ----------------------------------
 sshd.c | 8 --------
 2 files changed, 42 deletions(-)

diff --git a/entropy.c b/entropy.c
index a4088e43c..842c66fd6 100644
--- a/entropy.c
+++ b/entropy.c
@@ -57,40 +57,6 @@
  * /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
  * PRNGd.
  */
-#ifndef OPENSSL_PRNG_ONLY
-
-void
-rexec_send_rng_seed(struct sshbuf *m)
-{
-	u_char buf[RANDOM_SEED_SIZE];
-	size_t len = sizeof(buf);
-	int r;
-
-	if (RAND_bytes(buf, sizeof(buf)) <= 0) {
-		error("Couldn't obtain random bytes (error %ld)",
-		    ERR_get_error());
-		len = 0;
-	}
-	if ((r = sshbuf_put_string(m, buf, len)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	explicit_bzero(buf, sizeof(buf));
-}
-
-void
-rexec_recv_rng_seed(struct sshbuf *m)
-{
-	const u_char *buf = NULL;
-	size_t len = 0;
-	int r;
-
-	if ((r = sshbuf_get_string_direct(m, &buf, &len)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
-	debug3("rexec_recv_rng_seed: seeding rng with %lu bytes",
-	    (unsigned long)len);
-	RAND_add(buf, len, len);
-}
-#endif /* OPENSSL_PRNG_ONLY */
 
 void
 seed_rng(void)
diff --git a/sshd.c b/sshd.c
index 808d91ef2..d5e6a133c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -937,14 +937,10 @@ send_rexec_state(int fd, struct sshbuf *conf)
 	 * string filename
 	 * string contents
 	 * }
-	 * string rng_seed (if required)
 	 */
 	if ((r = sshbuf_put_stringb(m, conf)) != 0 ||
 	    (r = sshbuf_put_stringb(m, inc)) != 0)
 		fatal_fr(r, "compose config");
-#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
-	rexec_send_rng_seed(m);
-#endif
 	if (ssh_msg_send(fd, 0, m) == -1)
 		error_f("ssh_msg_send failed");
 
@@ -977,10 +973,6 @@ recv_rexec_state(int fd, struct sshbuf *conf)
 	    (r = sshbuf_get_stringb(m, inc)) != 0)
 		fatal_fr(r, "parse config");
 
-#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
-	rexec_recv_rng_seed(m);
-#endif
-
 	if (conf != NULL && (r = sshbuf_put(conf, cp, len)))
 		fatal_fr(r, "sshbuf_put");
 