[ntp:security] [Bug 2666] non-cryptographic random number generator with weak seed

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Thu Dec 4 09:34:08 UTC 2014


--- Comment #11 from Harlan Stenn <stenn at ntp.org> 2014-12-04 09:34:08 UTC ---

My current thought is that the ntp codebase use wrappers for accessing random
number stuff, and we use:

- OpenSSL's RAND_*() routines if they are available, otherwise
- arc4random(3), otherwise
- our local implementation of arc4random(3), noting

There are still potential problems with some of the above choices.

How far should we really go here, knowing that this is likely going to be a
never-ending quest?

What do you recommend?

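The preference order proposed in the comment above, sketched as a single wrapper. This is an added example, not code from the NTP project or from the bug thread. `ntp_random_bytes()` and the `HAVE_*` macros are hypothetical names, and the last tier reads `/dev/urandom` as a stand-in for a local arc4random(3) implementation.

```c
/* Added example: one entry point for random bytes, chosen at build time. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_OPENSSL            /* hypothetical configure macro */
#include <openssl/rand.h>
#endif

/* Fill buf with len random bytes. Returns 0 on success, -1 on failure.
 * Callers treat -1 as fatal and never fall back to rand()/random(). */
int ntp_random_bytes(unsigned char *buf, size_t len)
{
    if (buf == NULL) return -1;
    if (len == 0) return 0;
#if defined(HAVE_OPENSSL)
    /* RAND_bytes() takes an int length and returns 1 only on success. */
    if (len > (size_t)INT_MAX) return -1;
    return RAND_bytes(buf, (int)len) == 1 ? 0 : -1;
#elif defined(HAVE_ARC4RANDOM_BUF)   /* hypothetical configure macro */
    /* arc4random_buf() has no failure return. */
    arc4random_buf(buf, len);
    return 0;
#else
    /* Assumption: stand-in for the "local implementation" tier. It reads
     * the kernel CSPRNG rather than reimplementing arc4random. */
    FILE *fp = fopen("/dev/urandom", "rb");
    size_t got;
    if (fp == NULL) return -1;
    setvbuf(fp, NULL, _IONBF, 0);   /* do not leave unread bytes in stdio */
    got = fread(buf, 1, len, fp);
    fclose(fp);
    return got == len ? 0 : -1;     /* a short read is a failure */
#endif
}

int main(void)
{
    unsigned char key[16];
    size_t i;
    if (ntp_random_bytes(key, sizeof key) != 0) {
        fprintf(stderr, "no usable random source, refusing to continue\n");
        return 1;
    }
    for (i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

Keeping every tier behind one function means the failure policy is decided in one place, and a later change of source does not touch the callers.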