OpenSSL change for review.
Pawel Jakub Dawidek
pjd at FreeBSD.org
Thu May 31 19:50:16 UTC 2012
As learned on someone else's mistakes, I'd like to ask for a review of
those changes related to random data handling:
http://people.freebsd.org/~pjd/patches/libc_arc4random.c.patch
http://people.freebsd.org/~pjd/patches/openssl_rand_unix.c.patch
The first patch changes arc4random() to use sysctl to obtain random data
instead of opening /dev/random. The main reason here is to make it more
sandbox-friendly. Once closed in sandbox, a process can no longer open
files, so it has no access to proper random data. As a side-effect it
should be a bit faster as instead of three system calls (open, read and
close) we use only one (__sysctl).
The second patch enables the use of libc's arc4random(3) in OpenSSL.
After implementing the first one I found that OpenBSD's arc4random(3)
also uses sysctl, but without fall back to /dev/random.
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://tupytaj.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120531/00271c60/attachment.pgp
More information about the freebsd-security
mailing list