[ntp:security] [Bug 2666] non-cryptographic random number generator with weak seed

bugzilla-daemon at ntp.org
Mon Nov 3 05:06:56 UTC 2014


http://bugs.ntp.org/show_bug.cgi?id=2666

Danny Mayer <mayer at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mayer at ntp.org

--- Comment #2 from Danny Mayer <mayer at ntp.org> 2014-11-03 05:06:56 UTC ---
(In reply to comment #1)
> I'm currently planning to use the arc4random() routines if available, and
> completely fill the seed buffer.

There is a portable version of arc4random() from OpenBSD which looks like it is
free for any reuse. You can find it here:
https://github.com/libevent/libevent/blob/master/arc4random.c but of course
someone needs to review it to make sure it's not considered weak and can be
reused in this case.

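
The approach discussed in this comment thread (use arc4random() where the platform has it, and fill the entire seed buffer), as an added example that is not part of the original message and is not NTP project code. The names `fill_seed`, `urandom_fill` and `SEED_LEN`, and the `HAVE_ARC4RANDOM_BUF` build macro, are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

#define SEED_LEN 32   /* hypothetical seed buffer size, not taken from NTP */

/* Fallback path: read exactly len bytes from /dev/urandom, retrying on
 * EINTR and short reads. Returns 0 on success, -1 on failure. */
static int urandom_fill(unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);

    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;          /* interrupted, try again */
        if (n <= 0)
            break;             /* hard error or unexpected EOF */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Fill the whole seed buffer from a CSPRNG. On failure the caller must
 * treat the buffer as unusable: there is deliberately no fallback to
 * time- or PID-derived values, which is what makes a seed weak. */
int fill_seed(unsigned char *seed, size_t len)
{
#ifdef HAVE_ARC4RANDOM_BUF     /* assumed to be defined by the build system */
    arc4random_buf(seed, len); /* cannot fail; writes all len bytes */
    return 0;
#else
    return urandom_fill(seed, len);
#endif
}
```
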

