From: Greg Hudson Date: Sat, 2 Oct 2010 14:48:17 +0000 (+0000) Subject: Be more parsimonious with /dev/random when using the NSS PRNG X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fnss;p=thirdparty%2Fkrb5.git Be more parsimonious with /dev/random when using the NSS PRNG git-svn-id: svn://anonsvn.mit.edu/krb5/branches/nss@24414 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c index b9da3d595e..a25cfcfcb3 100644 --- a/src/lib/crypto/krb/prng.c +++ b/src/lib/crypto/krb/prng.c @@ -47,9 +47,12 @@ k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER; #include "../nss/nss_gen.h" #include -/* Gather 8K of OS entropy per call, enough to fill the additional data buffer - * for the built-in PRNG and trigger a reseed. */ -#define OS_ENTROPY_LEN 8192 +/* + * NSS gathers its own OS entropy, so it doesn't really matter how much we read + * in krb5_c_random_os_entropy. Use the same value as Yarrow (without using a + * Yarrow constant), so that we don't read too much from /dev/random. + */ +#define OS_ENTROPY_LEN 20 int krb5int_prng_init(void) {
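Review bot: the new `#define OS_ENTROPY_LEN 20` in src/lib/crypto/krb/prng.c is a bare number with no unit, and the comment says it matches Yarrow's value while deliberately not using the Yarrow constant, so nothing keeps the two in step if the Yarrow side changes. I would say "20 bytes" in the comment and name the Yarrow constant it mirrors, so a later reader can check the two against each other. The removed comment also explained that 8K was chosen to fill the built-in PRNG's additional data buffer and trigger a reseed. The new comment should say whether a 20-byte read from krb5_c_random_os_entropy is still expected to cause a reseed on the NSS path, or whether that is intentionally dropped because NSS gathers its own OS entropy. Finally, "it doesn't really matter how much we read" sits awkwardly next to the stated goal of not reading too much from /dev/random. Wording such as "the amount does not affect NSS seeding, so keep it small" would match the subject line better.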