[ntp:security] [Bug 2666] non-cryptographic random number generator with weak seed

bugzilla-daemon at ntp.org
Fri Nov 28 10:23:25 UTC 2014


http://bugs.ntp.org/show_bug.cgi?id=2666

--- Comment #9 from Harlan Stenn <stenn at ntp.org> 2014-11-28 10:23:25 UTC ---
arc4random() should be available, and if it's not I'll build a copy from the
copy Danny mentions in comment#2.

If you have recommendations for something better I'm happy to give that a shot.

When I dug into this it was my understanding that arc4random() was much better
suited for use where cryptographic-quality random numbers were needed.

For *ix boxes I could do something with /dev/urandom if that would be better,
and somebody could write something for Windows that used CryptGenRandom (or
similar,
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx).
I'm not sure what we'd do about other OSes.

Plan B would be to use OpenSSL's RAND_bytes(), which means we'd need to require
OpenSSL.  This might be reasonable for cases where we will be linked with
OpenSSL.
