Module Name:    src
Committed By:   riz
Date:           Mon Apr 2 18:28:12 UTC 2012

Modified Files:
        src/crypto/external/bsd/openssh/dist [netbsd-6]: sshd.c
        src/crypto/external/bsd/openssl/dist/crypto/rand [netbsd-6]: md_rand.c
            rand_unix.c
Removed Files:
        src/crypto/external/bsd/openssh/dist [netbsd-6]: random.c

Log Message:
Pull up following revision(s) (requested by tls in ticket #146):
        crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c: revision 1.2
        crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c: revision 1.3
        crypto/external/bsd/openssh/dist/sshd.c: revision 1.9
        crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c: revision 1.3
        crypto/external/bsd/openssh/dist/random.c: file removal

Patch OpenSSL RNG to allow explicit initial seeding. Patch OpenSSH to
explicitly seed the OpenSSL RNG in each new process rather than letting
it repeatedly open /dev/urandom to reseed, which depletes entropy severely.

Note that the OpenSSH part of this fix works better on NetBSD than it would
on many other platforms because on NetBSD, if you don't reopen /dev/urandom,
repeated reads don't deplete entropy. On other platforms, some other
approach might be required.

Note also that this problem does not arise on OpenBSD because OpenBSD seems
to have patched OpenSSL to seed the RAND functions from arc4random()! That
seems dangerous, so I am not taking that approach here.

Fix applications that call RAND_bytes() before any other RAND function.
Last change was...a bit too simple.

To generate a diff of this commit:
cvs rdiff -u -r1.2 -r0 src/crypto/external/bsd/openssh/dist/random.c
cvs rdiff -u -r1.8 -r1.8.4.1 src/crypto/external/bsd/openssh/dist/sshd.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \
    src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c
cvs rdiff -u -r1.2 -r1.2.8.1 \
    src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.