tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: OpenSSH/OpenSSL patches to stop excessive entropy consumption

tls@ wrote:

> On Sun, Mar 04, 2012 at 01:26:40PM +0900, Izumi Tsutsui wrote:
> > 
> > It looks the root cause of these problems is that
> > new kernel RNG explicitly requires too much entropy.
> Uh, no.  With DEBUG turned on, the new kernel RNG *tells you* when
> you run out of entropy.  The old one didn't.
> The way OpenSSH uses OpenSSL, it was drawing 32 bytes from /dev/urandom
> half a dozen times per connection.  It's certainly not the fault of
> the new code that the old code did not inform anyone of the problem.

Then what about other OSes, like OpenBSD and FreeBSD etc?

If only NetBSD's RNG implementation requires these OpenSSH/OpenSSL
chagnes, I'm afraid upstream says it's OS specific bug and they
will reject these large changes.

Izumi Tsutsui

Home | Main Index | Thread Index | Old Index