Date: Thu, 31 May 2012 21:48:26 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: freebsd-security@FreeBSD.org Subject: OpenSSL change for review. Message-ID: <20120531194825.GB1400@garage.freebsd.pl>
next in thread | raw e-mail | index | archive | help
--S1BNGpv0yoYahz37 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable As learned on someone else's mistakes, I'd like to ask for a review of those changes related to random data handling: http://people.freebsd.org/~pjd/patches/libc_arc4random.c.patch http://people.freebsd.org/~pjd/patches/openssl_rand_unix.c.patch The first patch changes arc4random() to use sysctl to obtain random data instead of opening /dev/random. The main reason here is to make it more sandbox-friendly. Once closed in sandbox, a process can no longer open files, so it has no access to proper random data. As a side-effect it should be a bit faster as instead of three system calls (open, read and close) we use only one (__sysctl). The second patch enables the use of libc's arc4random(3) in OpenSSL. After implementing the first one I found that OpenBSD's arc4random(3) also uses sysctl, but without fall back to /dev/random. --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://tupytaj.pl --S1BNGpv0yoYahz37 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAk/HywkACgkQForvXbEpPzRcZwCguqnhwuk92bUzZ1MJbMzsmqTV vckAoNAVukmnA14Q5r7+ZQGX+JqL69n/ =xy5c -----END PGP SIGNATURE----- --S1BNGpv0yoYahz37--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120531194825.GB1400>