Be more parsimonious with /dev/random when using the NSS PRNG

author Greg Hudson <ghudson@mit.edu>

Sat, 2 Oct 2010 14:48:17 +0000 (14:48 +0000)

committer Greg Hudson <ghudson@mit.edu>

Sat, 2 Oct 2010 14:48:17 +0000 (14:48 +0000)
author Greg Hudson <ghudson@mit.edu>
Sat, 2 Oct 2010 14:48:17 +0000 (14:48 +0000)
committer Greg Hudson <ghudson@mit.edu>
Sat, 2 Oct 2010 14:48:17 +0000 (14:48 +0000)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c

index b9da3d595e674ebebf06ea0b33483f1826d98497..a25cfcfcb395618fa4bbd4da6e885ba40c9fa668 100644 (file)
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -47,9 +47,12 @@ k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
  #include "../nss/nss_gen.h"
  #include <pk11pub.h>
  
-/* Gather 8K of OS entropy per call, enough to fill the additional data buffer
- * for the built-in PRNG and trigger a reseed. */
-#define OS_ENTROPY_LEN 8192
+/*
+ * NSS gathers its own OS entropy, so it doesn't really matter how much we read
+ * in krb5_c_random_os_entropy.  Use the same value as Yarrow (without using a
+ * Yarrow constant), so that we don't read too much from /dev/random.
+ */
+#define OS_ENTROPY_LEN 20
  
  int krb5int_prng_init(void)
  {
author	Greg Hudson <ghudson@mit.edu>
	Sat, 2 Oct 2010 14:48:17 +0000 (14:48 +0000)
committer	Greg Hudson <ghudson@mit.edu>
	Sat, 2 Oct 2010 14:48:17 +0000 (14:48 +0000)