From 37c8182a75df27c96cbb93e980490f93e1b8b6c9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 2 Oct 2010 14:48:17 +0000
Subject: [PATCH] Be more parsimonious with /dev/random when using the NSS PRNG

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/nss@24414 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/crypto/krb/prng.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index b9da3d595e..a25cfcfcb3 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -47,9 +47,12 @@ k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
 #include "../nss/nss_gen.h"
 #include <pk11pub.h>
 
-/* Gather 8K of OS entropy per call, enough to fill the additional data buffer
- * for the built-in PRNG and trigger a reseed. */
-#define OS_ENTROPY_LEN 8192
+/*
+ * NSS gathers its own OS entropy, so it doesn't really matter how much we read
+ * in krb5_c_random_os_entropy.  Use the same value as Yarrow (without using a
+ * Yarrow constant), so that we don't read too much from /dev/random.
+ */
+#define OS_ENTROPY_LEN 20
 
 int krb5int_prng_init(void)
 {
-- 
2.47.2