From c6709c6b0fa1f96d9a7caa0d6a0afe4e0474fe9f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?=
Date: Fri, 25 Feb 2000 07:40:53 +0000
Subject: [PATCH] handle entropy estimate correctly

---
 crypto/rand/md_rand.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index ce901759db..6b158f0349 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -282,13 +282,13 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 {
 md[k] ^= local_md[k];
 }
+ if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
+ entropy += add;
 CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 #ifndef THREADS
 assert(md_c[1] == md_count[1]);
 #endif
- if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
- entropy += add;
 }
 static void ssleay_rand_seed(const void *buf, int num)
@@ -318,8 +318,8 @@ static void ssleay_rand_initialize(void)
 RAND_add(&l,sizeof(l),0);
 #ifdef DEVRANDOM
- /* Use a random entropy pool device. Linux and FreeBSD have
- * this. Use /dev/urandom if you can as /dev/random will block
+ /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+ * have this. Use /dev/urandom if you can as /dev/random may block
 * if it runs out of random entries.
 */
 if ((fh = fopen(DEVRANDOM, "r")) != NULL)
@@ -388,6 +388,19 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 ssleay_rand_initialize();
 ok = (entropy >= ENTROPY_NEEDED);
+ if (!ok)
+ {
+ /* If the PRNG state is not yet unpredictable, then seeing
+ * the PRNG output may help attackers to determine the new
+ * state; thus we have to decrease the entropy estimate.
+ * Once we've had enough initial seeding we don't bother to
+ * adjust the entropy count, though, because we're not ambitious
+ * to provide *information-theoretic* randomness.
+ */
+ entropy -= num;
+ if (entropy < 0)
+ entropy = 0;
+ }
 st_idx=state_index;
 st_num=state_num;
-- 
2.34.1
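Review bot: The relocated `entropy += add` in ssleay_rand_add still folds the caller-supplied estimate into the shared counter without any range check, so a negative or implausibly large `add` arriving through RAND_add would silently lower or inflate the estimate that the third hunk's `ok` decision depends on. Moving the update under CRYPTO_LOCK_RAND is the right fix for the ordering problem, but a guard such as `if (add > 0 && entropy < ENTROPY_NEEDED) entropy += add;` would also keep the counter from going backwards on this path. ssleay_rand_add's body starts outside the hunk, so whether `add` is validated earlier cannot be seen here.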
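Review bot: The new `entropy -= num` in ssleay_rand_bytes is a read-modify-write of the same shared estimate that the first hunk just moved under CRYPTO_LOCK_RAND, and no lock acquisition is visible around `ok = (entropy >= ENTROPY_NEEDED)`; ssleay_rand_bytes starts outside the hunk, so if the write lock is not already held at this point the decrement can interleave with ssleay_rand_add's increment and one adjustment is lost. If the lock is taken later in the function, the `ok` computation and the new block should move below it so the test and the decrement happen atomically. The clamp `if (entropy < 0) entropy = 0;` is fine since the counter is a double charged in bytes, matching the byte unit of `num`.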