authorGreg Hudson <ghudson@mit.edu>2010-10-02 14:48:17 +0000
committerGreg Hudson <ghudson@mit.edu>2010-10-02 14:48:17 +0000
commit37c8182a75df27c96cbb93e980490f93e1b8b6c9 (patch)
tree72eddb0edd9d2e905376014472eb4e7a2f0308af
parent41d98a62180d92188321cbd6cbb50125e9e2fec1 (diff)
Be more parsimonious with /dev/random when using the NSS PRNGnss
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/nss@24414 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/crypto/krb/prng.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index b9da3d595..a25cfcfcb 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -47,9 +47,12 @@ k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
#include "../nss/nss_gen.h"
#include <pk11pub.h>
-/* Gather 8K of OS entropy per call, enough to fill the additional data buffer
- * for the built-in PRNG and trigger a reseed. */
-#define OS_ENTROPY_LEN 8192
+/*
+ * NSS gathers its own OS entropy, so it doesn't really matter how much we read
+ * in krb5_c_random_os_entropy. Use the same value as Yarrow (without using a
+ * Yarrow constant), so that we don't read too much from /dev/random.
+ */
+#define OS_ENTROPY_LEN 20
int krb5int_prng_init(void)
{
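Review bot: `#define OS_ENTROPY_LEN 20` leaves the unit and the security rationale implicit, and the comment's "same value as Yarrow" is a hand-copied number that can drift from the Yarrow side without any build failure. I would spell this out in the comment, e.g. `/* 20 bytes (160 bits); supplementary input only, NSS seeds its own generator. */`, and name the Yarrow constant it mirrors so that a change there prompts a review here. The reduction from 8192 is only sound if NSS has in fact gathered OS entropy itself. Whether krb5int_prng_init verifies that NSS initialised successfully is not visible, because its body opens on the last line of this hunk and continues outside it.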