[ntp:security] [Bug 2666] non-cryptographic random number generator with weak seed

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Mon Nov 3 01:01:13 UTC 2014


http://bugs.ntp.org/show_bug.cgi?id=2666

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2014-11-03 01:01:13 UTC ---
ntp_random.c was added during a time when a *lot* of OSes had significantly
worse random number generators.

It looks like the "worst" use of ntp_random.c is when we need more than 31 bits
of data and we use the entire result from ntp_random() for this.

While we do need to use a better seed with ntp_srandom(), it looks like the
current code is OK if we use the low-order 8 or 16 bits.

I'm currently planning to use the arc4random() routines if available, and
completely fill the seed buffer.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the security mailing list