File openssh-7.2p2-audit_seed_prng.patch of Package openssh.29886

From 0fd72187ef76565563922807edaee3ac1bc252b4 Mon Sep 17 00:00:00 2001
From: Old openssh patches <pcerny@suse.com>
Date: Wed, 26 Oct 2022 09:51:44 +0200
Subject: [PATCH] openssh-7.2p2-audit_seed_prng

# HG changeset patch
# Parent  82e31a033b5c61dff4cf74e8c1bc8d80a897d33e
Audit PRNG re-seeding
---
 audit-bsm.c   |  6 ++++++
 audit-linux.c | 22 ++++++++++++++++++++++
 audit.c       |  6 ++++++
 audit.h       |  1 +
 sshd.c        |  3 +++
 5 files changed, 38 insertions(+)

diff --git a/audit-bsm.c b/audit-bsm.c
index c7a1b47d..93d16431 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -509,4 +509,10 @@ audit_generate_ephemeral_server_key(const char *fp)
 {
 	/* not implemented */
 }
+
+void
+audit_linux_prng_seed(long bytes, const char *rf)
+{
+	/* not implemented */
+}
 #endif /* BSM */
diff --git a/audit-linux.c b/audit-linux.c
index f93bf407..37ca4f55 100644
--- a/audit-linux.c
+++ b/audit-linux.c
@@ -407,4 +407,26 @@ audit_generate_ephemeral_server_key(const char *fp)
 	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
 		error("cannot write into audit");
 }
+
+void
+audit_linux_prng_seed(long bytes, const char *rf)
+{
+	char buf[AUDIT_LOG_SIZE];
+	int audit_fd, audit_ok;
+
+	snprintf(buf, sizeof(buf), "op=prng_seed kind=server bytes=%li source=%s ", bytes, rf);
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+					 errno != EAFNOSUPPORT)
+			error("cannot open audit");
+		return;
+	}
+	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_PARAM_CHANGE_USER,
+			buf, NULL, 0, NULL, 1);
+	audit_close(audit_fd);
+	/* do not abort if the error is EPERM and sshd is run as non root user */
+	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+		error("cannot write into audit");
+}
 #endif /* USE_LINUX_AUDIT */
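Review bot: In `audit_linux_prng_seed()` the `rf` argument is formatted into the audit record with a bare `source=%s`, with no NULL check and no encoding, and the same unguarded `%s` appears in the `debug()` variant added to audit.c. A NULL `rf` is undefined behaviour for `%s`, and a path containing spaces or `=` would make the record ambiguous for anyone parsing the `source=` field; where the value originates is not visible in this patch, so this should be checked against how `rand_file` is set. A minimal guard is `const char *src = rf != NULL ? rf : "(none)";`, and the value could be passed through libaudit's `audit_encode_nv_string()` before it is appended. The `snprintf()` return value is also ignored, so an over-long path is truncated silently; comparing it with `sizeof(buf)` and calling `error()` on truncation would make that visible.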
diff --git a/audit.c b/audit.c
index fc2e3ded..462679e2 100644
--- a/audit.c
+++ b/audit.c
@@ -309,5 +309,11 @@ audit_generate_ephemeral_server_key(const char *)
 {
 	debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
 }
+
+void
+audit_linux_prng_seed(long bytes, const char *rf)
+{
+	debug("audit PRNG seed euid %d bytes %li source %s", geteuid(), bytes, rf);
+}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
diff --git a/audit.h b/audit.h
index 84b5d0ac..baaf14b6 100644
--- a/audit.h
+++ b/audit.h
@@ -74,5 +74,6 @@ void	audit_session_key_free(int ctos);
 void	audit_session_key_free_body(int ctos, pid_t, uid_t);
 void	audit_destroy_sensitive_data(const char *, pid_t, uid_t);
 void	audit_generate_ephemeral_server_key(const char *);
+void	audit_linux_prng_seed(long, const char *);
 
 #endif /* _SSH_AUDIT_H */
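Review bot: The new prototype `audit_linux_prng_seed(long, const char *)` is declared in the backend-neutral header and is implemented by the BSM and debug backends as well, so the `linux` in its name reads as a backend restriction that does not exist. A neutral name or a short comment above the declaration would help, for example `/* record a PRNG reseed: bytes requested, path of the seed source */`. The BSM implementation added in audit-bsm.c is an empty stub, so on those builds the event is dropped without any trace; a `debug()` line there would at least show that the reseed was not audited.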
diff --git a/sshd.c b/sshd.c
index e67fc66c..470bf44f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1426,6 +1426,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 			if(!(--re_seeding_counter)) {
 				re_seeding_counter = RESEED_AFTER;
 				linux_seed();
+#ifdef SSH_AUDIT_EVENTS
+				audit_linux_prng_seed(rand_bytes, rand_file);
+#endif
 			}
 
 			/*
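Review bot: The added `audit_linux_prng_seed(rand_bytes, rand_file)` call runs unconditionally after `linux_seed()`, so the audit trail records the configured byte count and source rather than what the reseed actually did. No result of `linux_seed()` is used in the visible lines, and the Linux backend in audit-linux.c passes a hard-coded success flag (`1`) to `audit_log_user_message()`. If `linux_seed()` can fail or read fewer bytes than requested, that outcome is what should be audited, with the failure case logged as a failed event; whether it reports a status is not visible in this hunk and needs checking against its definition. `server_accept_loop()` starts and ends outside the hunk.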
-- 
2.38.0
