Source-Changes archive


CVS commit: src/crypto/external/bsd



Module Name:    src
Committed By:   tls
Date:           Mon Mar  5 20:13:36 UTC 2012

Modified Files:
        src/crypto/external/bsd/openssh/dist: sshd.c
        src/crypto/external/bsd/openssl/dist/crypto/rand: md_rand.c rand_unix.c
Removed Files:
        src/crypto/external/bsd/openssh/dist: random.c

Log Message:
Patch OpenSSL RNG to allow explicit initial seeding.  Patch OpenSSH to
explicitly seed the OpenSSL RNG in each new process rather than letting
it repeatedly open /dev/urandom to reseed, which depletes entropy severely.

Note that the OpenSSH part of this fix works better on NetBSD than it would
on many other platforms because on NetBSD, if you don't reopen /dev/urandom,
repeated reads don't deplete entropy.  On other platforms, some other
approach might be required.

Note also that this problem does not arise on OpenBSD because OpenBSD seems
to have patched OpenSSL to seed the RAND functions from arc4random()!  That
seems dangerous, so I am not taking that approach here.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r0 src/crypto/external/bsd/openssh/dist/random.c
cvs rdiff -u -r1.8 -r1.9 src/crypto/external/bsd/openssh/dist/sshd.c
cvs rdiff -u -r1.1.1.3 -r1.2 \
    src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c
cvs rdiff -u -r1.2 -r1.3 \
    src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



