Quoting from Peter Gutmann's paper when he describes the use of the
ToolHelp library:

  "Since even a moderately loaded system can contain over 500 heap
  objects and 50 modules, we need to limit the duration of the poll
  to a second or two, which is enough to get information on several
  hundred objects without halting the calling program for an
  unacceptable amount of time ..."

I am going to recommend the following change to the code in the heap
list and heap walking section of RAND_poll():

  Walk the entire heap list (HEAPLIST32) but limit the heap walk
  (HEAPENTRY32) to the first 50 entries.  

This will preserve a reasonable quantity of heap data being read for
the slow randomness poll as described by Peter Gutmann.

BTW, the reference to Mr. Gutmann's paper in the code should be
updated.  The list reference no longer exists.  This reference looks
like it may stay around for a while:

http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html


  

                  Jeffrey Altman * Sr.Software Designer
                 The Kermit Project * Columbia University
               612 West 115th St * New York, NY * 10025 * USA
     http://www.kermit-project.org/ * [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
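
The change proposed in the message above, as an added example (not code from the message or from OpenSSL): every heap list is visited, but each heap walk stops after 50 entries. poll_heaps(), mix() and the non-Windows mock of the ToolHelp calls are assumptions made here; on Windows the handle comes from CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, 0).

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else /* Constructed stand-ins for ToolHelp: mock heaps of 10, 50 and 400 entries. */
typedef void *HANDLE;
typedef struct { size_t dwSize; unsigned long th32ProcessID; size_t th32HeapID; } HEAPLIST32;
typedef struct { size_t dwSize; size_t dwAddress; } HEAPENTRY32;
static const int mock_sizes[3] = { 10, 50, 400 };
static int mock_heap, mock_left;
static int Heap32ListNext(HANDLE snap, HEAPLIST32 *hl) {
    (void)snap;
    if (++mock_heap >= 3) return 0;
    hl->th32ProcessID = 1; hl->th32HeapID = (size_t)mock_heap;
    return 1;
}
static int Heap32ListFirst(HANDLE snap, HEAPLIST32 *hl) {
    mock_heap = -1;
    return Heap32ListNext(snap, hl);
}
static int Heap32Next(HEAPENTRY32 *he) {
    if (mock_left <= 0) return 0;
    mock_left--; he->dwAddress += 16;
    return 1;
}
static int Heap32First(HEAPENTRY32 *he, unsigned long pid, size_t heap) {
    (void)pid;
    mock_left = mock_sizes[heap];
    he->dwAddress = 0;
    return Heap32Next(he);
}
#endif
#define MAX_HEAP_ENTRIES 50   /* per-heap cap proposed in the message */
static size_t mixed_bytes;    /* hypothetical sink standing in for the entropy pool */
static void mix(const void *buf, size_t len) { (void)buf; mixed_bytes += len; }
/* Visit every heap list; read at most MAX_HEAP_ENTRIES entries from each heap. */
size_t poll_heaps(HANDLE snap) {
    HEAPLIST32 hl; HEAPENTRY32 he; size_t total = 0;
    hl.dwSize = sizeof hl;
    if (!Heap32ListFirst(snap, &hl)) return 0;
    do {                                    /* heap list: not capped */
        int left = MAX_HEAP_ENTRIES;
        mix(&hl, sizeof hl);
        he.dwSize = sizeof he;
        if (!Heap32First(&he, hl.th32ProcessID, hl.th32HeapID)) continue;
        do { mix(&he, sizeof he); total++; } while (--left > 0 && Heap32Next(&he));
    } while (Heap32ListNext(snap, &hl));
    return total;                           /* HEAPENTRY32 records mixed in */
}
```

With the mock heaps, the 400-entry heap contributes only its first 50 entries, so the work per poll is bounded by 50 times the number of heaps rather than by the total heap size.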
