http://bugs.exim.org/show_bug.cgi?id=722

Phil Pennock <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]

--- Comment #6 from Phil Pennock <[EMAIL PROTECTED]>  2008-06-21 00:58:14 ---
The presence of such weak crypto is going to lead to someone misusing it and
spammers abusing it if such an abuse is ever codified into a distribution.

We don't need cryptographically strong, but gratuitously weak is bad.

If you're prepared to accept something _that_ weak, then nhash of md5 of
email-supplied data is surely also acceptable?

There is a bug in your code. Exim is a forking program. If the user uses the
randomness in something used in the daemon process, then every child process
will get the same sequence of randomness (overlapping with the daemon's
randomness).

If Exim is linked against OpenSSL, then RAND_pseudo_bytes() is available.
gnutls appears to have some gnutls_prf* functions which look like they supply
random data (should be verified). The BSDs have BSD-licensed arc4random stuff
which can be used in a pinch.

Any randomness code needs to defend against fork() and re-seed as needed.
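
The fork() problem raised in the comment above, as an added example that is not part of the original bug report or of Exim's code: a generator seeded in a daemon repeats its output in a forked child, while a pid check forces the child to re-seed. The toy xorshift64 generator, the /dev/urandom seed source and all function names are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

static uint64_t state;    /* toy xorshift64 state, standing in for any userspace PRNG */
static pid_t seeded_pid;  /* process that last seeded `state` */

static int seed_from_os(void) {
    int fd = open("/dev/urandom", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, &state, sizeof state);
    if (fd >= 0) close(fd);
    if (n != (ssize_t)sizeof state) return -1;
    state |= 1;           /* xorshift state must never be zero */
    seeded_pid = getpid();
    return 0;
}
static uint64_t step(void) {
    state ^= state << 13; state ^= state >> 7; state ^= state << 17;
    return state;
}
/* Naive: trusts whatever state the process inherited across fork(). */
uint64_t rand_naive(void) { return step(); }
/* Fork-aware: a pid change means the state is a copy of the parent's, so re-seed first. */
uint64_t rand_fork_safe(void) {
    if (seeded_pid != getpid() && seed_from_os() != 0) abort();
    return step();
}
/* Seed in the "daemon", fork, draw once per side: 1 = child repeated parent, 0 = not, -1 = error. */
int child_repeats_parent(uint64_t (*gen)(void)) {
    int p[2];
    pid_t pid;
    uint64_t child_val = 0, parent_val;
    if (seed_from_os() != 0 || pipe(p) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {       /* child: report its first draw to the parent */
        child_val = gen();
        _exit(write(p[1], &child_val, sizeof child_val) == (ssize_t)sizeof child_val ? 0 : 1);
    }
    parent_val = gen();
    close(p[1]);
    ssize_t n = read(p[0], &child_val, sizeof child_val);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child_val ? child_val == parent_val : -1;
}
int main(void) {
    printf("naive: %d, fork-safe: %d\n", child_repeats_parent(rand_naive), child_repeats_parent(rand_fork_safe));
    return 0;
}
```

The pid comparison is one simple fork detector; pthread_atfork() handlers that invalidate the state in the child are another.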
