On Fri, Sep 16, 2016 at 09:19:40PM -0400, Ted Unangst wrote:
> no change, but makes the code a little shorter.

Reads fine to me. arc4random() is already used in other places in ssh,
so this shouldn't be an issue for portable.


> 
> 
> Index: clientloop.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
> retrieving revision 1.287
> diff -u -p -r1.287 clientloop.c
> --- clientloop.c      12 Sep 2016 01:22:38 -0000      1.287
> +++ clientloop.c      17 Sep 2016 01:16:46 -0000
> @@ -303,7 +303,7 @@ client_x11_get_proto(const char *display
>       char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
>       static char proto[512], data[512];
>       FILE *f;
> -     int got_data = 0, generated = 0, do_unlink = 0, i, r;
> +     int got_data = 0, generated = 0, do_unlink = 0, r;
>       struct stat st;
>       u_int now, x11_timeout_real;
>  
> @@ -430,17 +430,16 @@ client_x11_get_proto(const char *display
>        * for the local connection.
>        */
>       if (!got_data) {
> -             u_int32_t rnd = 0;
> +             u_int8_t rnd[16];
> +             u_int i;
>  
>               logit("Warning: No xauth data; "
>                   "using fake authentication data for X11 forwarding.");
>               strlcpy(proto, SSH_X11_PROTO, sizeof proto);
> -             for (i = 0; i < 16; i++) {
> -                     if (i % 4 == 0)
> -                             rnd = arc4random();
> +             arc4random_buf(rnd, sizeof(rnd));
> +             for (i = 0; i < sizeof(rnd); i++) {
>                       snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
> -                         rnd & 0xff);
> -                     rnd >>= 8;
> +                         rnd[i]);
>               }
>       }
>  
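Review bot: The 16 in `u_int8_t rnd[16]` is an unexplained length that the hex loop now inherits through `sizeof(rnd)`, and nothing in the hunk ties it to the 512-byte `data` buffer the bytes are encoded into. As written the loop emits 32 hex digits plus a NUL, well inside `data`, but the bound `sizeof data - 2 * i` is unsigned arithmetic and would wrap to a very large size instead of going negative if `rnd` were ever enlarged past half of `data`. A comment above the declaration such as `/* 16 random bytes -> 32 hex chars + NUL; must fit in data[] */` would record that constraint; presumably 16 is the cookie length expected for SSH_X11_PROTO, which is defined outside this hunk. The body of client_x11_get_proto starts and ends outside the hunk.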
> 
