[ntp:security] [Bug 2666] non-cryptographic random number generator with weak seed

bugzilla-daemon at ntp.org
Thu Dec 4 09:34:08 UTC 2014


http://bugs.ntp.org/show_bug.cgi?id=2666

--- Comment #11 from Harlan Stenn <stenn at ntp.org> 2014-12-04 09:34:08 UTC ---
Stephen,

My current thought is that the ntp codebase use wrappers for accessing random
number stuff, and we use:

- OpenSSL's RAND_*() routines if they are available, otherwise
- arc4random(3), otherwise
- our local implementation of arc4random(3), noting
https://lists.freebsd.org/pipermail/freebsd-bugs/2013-October/054018.html

There are still potential problems with some of the above choices.

How far should we really go here, knowing that this is likely going to be a
never-ending quest?

What do you recommend?

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
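
The wrapper idea from the comment above, sketched as an added example; it is not code from ntp or from this bug. The function names and the `NTP_USE_*` build macros are hypothetical, and the `/dev/urandom` read is an assumed stand-in for the local arc4random(3) implementation. It returns an error when the selected source fails, with no weaker fallback.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(NTP_USE_OPENSSL_RAND)      /* hypothetical build macro */
#include <openssl/rand.h>
#define NTP_RAND_BACKEND "openssl"
#elif defined(NTP_USE_ARC4RANDOM)      /* hypothetical build macro */
#define NTP_RAND_BACKEND "arc4random"
#else
#define NTP_RAND_BACKEND "local"
#endif
/* Backend chosen at build time, so it can be logged at startup. */
const char *ntp_rand_backend(void) { return NTP_RAND_BACKEND; }
/* Fill buf with len random bytes: 0 on success, -1 on failure.
 * On failure the buffer is zeroed and nothing weaker is tried, so a
 * caller can never end up with time- or pid-seeded output. */
int ntp_rand_bytes(void *buf, size_t len)
{
    int ok = 0;
    if (buf == NULL)
        return -1;
#if defined(NTP_USE_OPENSSL_RAND)
    ok = (len <= INT_MAX && RAND_bytes(buf, (int)len) == 1);
#elif defined(NTP_USE_ARC4RANDOM)
    arc4random_buf(buf, len);          /* cannot fail */
    ok = 1;
#else
    /* Stand-in for the local arc4random(3): read the kernel CSPRNG. */
    FILE *fp = fopen("/dev/urandom", "rb");
    if (fp != NULL) {
        setvbuf(fp, NULL, _IONBF, 0);  /* do not over-read the pool */
        ok = (fread(buf, 1, len, fp) == len);
        fclose(fp);
    }
#endif
    if (!ok)
        memset(buf, 0, len);
    return ok ? 0 : -1;
}

int main(void)
{
    unsigned char key[16];
    if (ntp_rand_bytes(key, sizeof key) != 0)
        return 1;                      /* fail closed: no key, no start */
    printf("backend=%s\n", ntp_rand_backend());
    return 0;
}
```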

