summaryrefslogtreecommitdiffstats
path: root/ipc/chromium/src
diff options
context:
space:
mode:
authorOlivier Certner <olce.palemoon@certner.fr>2021-01-06 11:43:12 +0100
committerOlivier Certner <olce.palemoon@certner.fr>2021-01-07 17:02:06 +0100
commitda217348d9e7fe1e22df725c3b48a149e7dd9f54 (patch)
treea17aa66730be207244e5f5ae919ece7bd976da52 /ipc/chromium/src
parent87aa6b2300e8a1b4730ca4fb8c2c979f255a395f (diff)
downloadUXP-da217348d9e7fe1e22df725c3b48a149e7dd9f54.tar
UXP-da217348d9e7fe1e22df725c3b48a149e7dd9f54.tar.gz
UXP-da217348d9e7fe1e22df725c3b48a149e7dd9f54.tar.lz
UXP-da217348d9e7fe1e22df725c3b48a149e7dd9f54.tar.xz
UXP-da217348d9e7fe1e22df725c3b48a149e7dd9f54.zip
Issue #1699 - Part 2: libevent: Remove 'evutil_secure_rng_add_bytes'
In fact, this is a security threat. This function calls 'arc4random_addrandom', which was removed from the reference implementation 7 years go [1], on the ground that this was in fact an internal interface which is almost impossible to use correctly. This update has since then been propagated to other implementations (e.g., FreeBSD, IllumOS, Android). Do this for all platforms, since 'evutil_secure_rng_add_bytes' is not even used in the current tree, and for the reason stated above, should never be. Related bugs at Mozilla and libevent: Links [2] and [3] below. [1] http://marc.info/?l=openbsd-cvs&m=138238762705209&w=2 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=931354 [3] https://sourceforge.net/p/levent/bugs/320/
Diffstat (limited to 'ipc/chromium/src')
-rw-r--r--ipc/chromium/src/third_party/libevent/evutil_rand.c9
-rw-r--r--ipc/chromium/src/third_party/libevent/include/event2/util.h18
2 files changed, 0 insertions, 27 deletions
diff --git a/ipc/chromium/src/third_party/libevent/evutil_rand.c b/ipc/chromium/src/third_party/libevent/evutil_rand.c
index 7c92bae23..3f5c05b34 100644
--- a/ipc/chromium/src/third_party/libevent/evutil_rand.c
+++ b/ipc/chromium/src/third_party/libevent/evutil_rand.c
@@ -138,12 +138,3 @@ evutil_secure_rng_get_bytes(void *buf, size_t n)
{
ev_arc4random_buf(buf, n);
}
-
-#if !defined(__OpenBSD__) && !defined(ANDROID) && !defined(__sun__)
-void
-evutil_secure_rng_add_bytes(const char *buf, size_t n)
-{
- arc4random_addrandom((unsigned char*)buf,
- n>(size_t)INT_MAX ? INT_MAX : (int)n);
-}
-#endif
diff --git a/ipc/chromium/src/third_party/libevent/include/event2/util.h b/ipc/chromium/src/third_party/libevent/include/event2/util.h
index 78516c156..0f9212af1 100644
--- a/ipc/chromium/src/third_party/libevent/include/event2/util.h
+++ b/ipc/chromium/src/third_party/libevent/include/event2/util.h
@@ -672,24 +672,6 @@ void evutil_secure_rng_get_bytes(void *buf, size_t n);
*/
int evutil_secure_rng_init(void);
-#if !defined(__OpenBSD__) && !defined(ANDROID) && !defined(__sun__)
-/** Seed the random number generator with extra random bytes.
-
- You should almost never need to call this function; it should be
- sufficient to invoke evutil_secure_rng_init(), or let Libevent take
- care of calling evutil_secure_rng_init() on its own.
-
- If you call this function as a _replacement_ for the regular
- entropy sources, then you need to be sure that your input
- contains a fairly large amount of strong entropy. Doing so is
- notoriously hard: most people who try get it wrong. Watch out!
-
- @param dat a buffer full of a strong source of random numbers
- @param datlen the number of bytes to read from datlen
- */
-void evutil_secure_rng_add_bytes(const char *dat, size_t datlen);
-#endif
-
#ifdef __cplusplus
}
#endif