Be more parsimonious with /dev/random when using the NSS PRNG.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/nss@24414 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Oct 2, 2010 · 2287366 · 2287366
1 parent 16220c2
commit 2287366
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
@@ -47,9 +47,12 @@ k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
 #include "../nss/nss_gen.h"
 #include <pk11pub.h>
 
-/* Gather 8K of OS entropy per call, enough to fill the additional data buffer
- * for the built-in PRNG and trigger a reseed. */
-#define OS_ENTROPY_LEN 8192
+/*
+ * NSS gathers its own OS entropy, so it doesn't really matter how much we read
+ * in krb5_c_random_os_entropy.  Use the same value as Yarrow (without using a
+ * Yarrow constant), so that we don't read too much from /dev/random.
+ */
+#define OS_ENTROPY_LEN 20
 
 int krb5int_prng_init(void)
 {