2016-02-04 3:06 GMT+01:00 David Lang <[email protected]>:

> 530f91a42307f33c9dd43a7d0c802b3fa469beec
>
> Author: Rainer Gerhards <[email protected]>
> Date: Tue Feb 2 15:51:52 2016 +0100
>
> prevent a clang static analyzer warning
>
> The static analyzer correctly complains about "garbage
> value being used", but this is exactly what we want. The
> code in question is a fallback when we cannot obtain any
> other source of randomness for cryptography needs.
>
>
> If there is absolutely no source of randomness, cryptography should abort,
> not use whatever value happens to be in ram (which should be 0)
>
> If urandom isn't available, abort with a clear message that access to it
> is required, don't silently use garbage to initialize the cryptography.
>

Just to make things clear: this commit didn't change behaviour. It just addresses the static analyzer warning but keeps everything else as-is. So if I revert that change, the only thing that will change is that the static analyzer will break all builds.

So the real issue is how to work if /dev/urandom is not available. I used pre-existing values in memory so far (based on my understanding that a couple of tools do so). If the consensus is that this is a bad idea, we have actually two choices:

a) error out (which could potentially completely exclude some platform)
b) use the C runtime library random number generator (which, I think, is *not* crypto-grade).

More comments are appreciated.

Rainer
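Choice (a) from the message above, as an added example (this is not rsyslog's code and not from the thread): the seed buffer is filled only from /dev/urandom, and a missing device, a read error, or an early end of file is reported to the caller instead of falling back to whatever is in memory. The function names `fill_random_from` and `fill_random` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill buf with len bytes read from the device at path (hypothetical helper).
 * Returns 0 only if every byte was read, -1 in all other cases. */
int fill_random_from(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;                /* source missing: report it, never guess */

    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;     /* short read: keep reading the rest */
        else if (n < 0 && errno == EINTR)
            continue;             /* interrupted by a signal: retry */
        else
            break;                /* end of file or hard error: give up */
    }
    close(fd);
    return got == len ? 0 : -1;   /* a partly filled buffer counts as failure */
}

/* Wrapper for the device discussed in the thread. */
int fill_random(unsigned char *buf, size_t len)
{
    return fill_random_from("/dev/urandom", buf, len);
}

int main(void)
{
    unsigned char seed[32];
    if (fill_random(seed, sizeof seed) != 0) {
        fprintf(stderr, "fatal: /dev/urandom is required but could not be read\n");
        return 1;                 /* abort with a clear message, as suggested */
    }
    puts("seed obtained from /dev/urandom");
    return 0;
}
```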

