On Fri, Sep 16, 2016 at 09:19:40PM -0400, Ted Unangst wrote: > no change, but makes the code a little shorter.
Reads fine to me. arc4random() is already used in other places in ssh, so this shouldn't be an issue for portable.
>
>
> Index: clientloop.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
> retrieving revision 1.287
> diff -u -p -r1.287 clientloop.c
> --- clientloop.c 12 Sep 2016 01:22:38 -0000 1.287
> +++ clientloop.c 17 Sep 2016 01:16:46 -0000
> @@ -303,7 +303,7 @@ client_x11_get_proto(const char *display
> char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
> static char proto[512], data[512];
> FILE *f;
> - int got_data = 0, generated = 0, do_unlink = 0, i, r;
> + int got_data = 0, generated = 0, do_unlink = 0, r;
> struct stat st;
> u_int now, x11_timeout_real;
>
> @@ -430,17 +430,16 @@ client_x11_get_proto(const char *display
> * for the local connection.
> */
> if (!got_data) {
> - u_int32_t rnd = 0;
> + u_int8_t rnd[16];
> + u_int i;
>
> logit("Warning: No xauth data; "
> "using fake authentication data for X11 forwarding.");
> strlcpy(proto, SSH_X11_PROTO, sizeof proto);
> - for (i = 0; i < 16; i++) {
> - if (i % 4 == 0)
> - rnd = arc4random();
> + arc4random_buf(rnd, sizeof(rnd));
> + for (i = 0; i < sizeof(rnd); i++) {
> snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
> - rnd & 0xff);
> - rnd >>= 8;
> + rnd[i]);
> }
> }
>
>
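Review bot: The length of the fake cookie is still a bare `16` in `u_int8_t rnd[16];` in the second hunk, and nothing there ties it to the 512-byte `data` buffer that receives the hex encoding. The `snprintf` calls are bounded by `sizeof data - 2 * i`, so a later change to either size would not overflow but would truncate the cookie silently. A short comment above the declaration, such as `/* 16 random bytes -> 32 hex digits + NUL; must fit in data[] */`, would record that relationship for the next reader. client_x11_get_proto starts and ends outside the hunk, so how `data` is consumed afterwards is not visible here.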