On Thu, Feb 4, 2016 at 2:15 AM, Rainer Gerhards <[email protected]> wrote:
> 2016-02-04 3:06 GMT+01:00 David Lang <[email protected]>: > > > 530f91a42307f33c9dd43a7d0c802b3fa469beec > > > > Author: Rainer Gerhards <[email protected]> > > Date: Tue Feb 2 15:51:52 2016 +0100 > > > > prevent a clang static analyzer warning > > > > The static analyzer correctly complains about "garbagge > > value being used", but this is exactly what we want. The > > code in question is a fallback when we cannot obtain any > > other source of randomness for cryptography needs. > > > > > > If there is absolutely no source of randomness, cryptography should > abort, > > not use whatever value happens to be in ram (which should be 0) > > > > If urandom isn't available, abort with a clear message that access to it > > is required, don't silently use garbage to initialize the cryptography. > > > > > Just to make things clear: this commit didn't change behaviour. It just > addresses the static analyzer warning but keeps everything else as-is. So > if I revert that change, the only thing that will change is that the static > analyzer will break all builds. > > So the real issue is how to work if /dev/urandom is not available. I used > per-existing values in memory so far (based on my understanding that a > couple of tools do so). If the consensus is that this is a bad idea, we > have actually two choices: > > a) error out (which could potentially completey exclude some platform) > Error out. Thanks! > b) use the c runtime library randon number generator (which, I think, is > *not* crypto-grade). > > More comments are appreciated. > > Rainer > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
