summaryrefslogtreecommitdiff
path: root/ipc/chromium
diff options
context:
space:
mode:
authorOlivier Certner <olce.palemoon@certner.fr>2021-01-06 11:43:12 +0100
committerOlivier Certner <olce.palemoon@certner.fr>2021-01-07 17:02:06 +0100
commitda217348d9e7fe1e22df725c3b48a149e7dd9f54 (patch)
treea17aa66730be207244e5f5ae919ece7bd976da52 /ipc/chromium
parent87aa6b2300e8a1b4730ca4fb8c2c979f255a395f (diff)
downloaduxp-da217348d9e7fe1e22df725c3b48a149e7dd9f54.tar.gz
Issue #1699 - Part 2: libevent: Remove 'evutil_secure_rng_add_bytes'
In fact, this is a security threat. This function calls 'arc4random_addrandom', which was removed from the reference implementation 7 years go [1], on the ground that this was in fact an internal interface which is almost impossible to use correctly. This update has since then been propagated to other implementations (e.g., FreeBSD, IllumOS, Android). Do this for all platforms, since 'evutil_secure_rng_add_bytes' is not even used in the current tree, and for the reason stated above, should never be. Related bugs at Mozilla and libevent: Links [2] and [3] below. [1] http://marc.info/?l=openbsd-cvs&m=138238762705209&w=2 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=931354 [3] https://sourceforge.net/p/levent/bugs/320/
Diffstat (limited to 'ipc/chromium')
-rw-r--r--ipc/chromium/src/third_party/libevent/evutil_rand.c9
-rw-r--r--ipc/chromium/src/third_party/libevent/include/event2/util.h18
2 files changed, 0 insertions, 27 deletions
diff --git a/ipc/chromium/src/third_party/libevent/evutil_rand.c b/ipc/chromium/src/third_party/libevent/evutil_rand.c
index 7c92bae232..3f5c05b34a 100644
--- a/ipc/chromium/src/third_party/libevent/evutil_rand.c
+++ b/ipc/chromium/src/third_party/libevent/evutil_rand.c
@@ -138,12 +138,3 @@ evutil_secure_rng_get_bytes(void *buf, size_t n)
{
ev_arc4random_buf(buf, n);
}
-
-#if !defined(__OpenBSD__) && !defined(ANDROID) && !defined(__sun__)
-void
-evutil_secure_rng_add_bytes(const char *buf, size_t n)
-{
- arc4random_addrandom((unsigned char*)buf,
- n>(size_t)INT_MAX ? INT_MAX : (int)n);
-}
-#endif
diff --git a/ipc/chromium/src/third_party/libevent/include/event2/util.h b/ipc/chromium/src/third_party/libevent/include/event2/util.h
index 78516c1563..0f9212af11 100644
--- a/ipc/chromium/src/third_party/libevent/include/event2/util.h
+++ b/ipc/chromium/src/third_party/libevent/include/event2/util.h
@@ -672,24 +672,6 @@ void evutil_secure_rng_get_bytes(void *buf, size_t n);
*/
int evutil_secure_rng_init(void);
-#if !defined(__OpenBSD__) && !defined(ANDROID) && !defined(__sun__)
-/** Seed the random number generator with extra random bytes.
-
- You should almost never need to call this function; it should be
- sufficient to invoke evutil_secure_rng_init(), or let Libevent take
- care of calling evutil_secure_rng_init() on its own.
-
- If you call this function as a _replacement_ for the regular
- entropy sources, then you need to be sure that your input
- contains a fairly large amount of strong entropy. Doing so is
- notoriously hard: most people who try get it wrong. Watch out!
-
- @param dat a buffer full of a strong source of random numbers
- @param datlen the number of bytes to read from datlen
- */
-void evutil_secure_rng_add_bytes(const char *dat, size_t datlen);
-#endif
-
#ifdef __cplusplus
}
#endif