On 12 Dec 2014, at 5:43, Theo de Raadt wrote:

>> On 12 Dec 2014, at 5:02, Theo de Raadt wrote:
>>
>>> In all of these code blocks a well-known piece of information
>>> (same time on your machine as everywhere else) is being used to seed a
>>> deterministic number generator.
>>>
>>> At some later point, deterministic numbers are taken out using rand(),
>>> random(), drand48(), lrand48(), mrand48(), or srand48(), or some
>>> derivative function inside the program itself, and used for WHO KNOWS
>>> WHAT PURPOSE.
>>>
>>> I did not audit what the numbers are being used for.
>>>
>>> Quite likely some numbers are just used to help hashing. Some could
>>> be used to print pretty pictures. But in xulrunner? In the zip password
>>> creator? In postgresql, or say in openldap (a network related thing)?
>>>
>>> It is doubtful they are all fine.
>>>
>>> For the benefit of other projects who haven't taken the same steps as
>>> OpenBSD, it would be nice if some people helped out these pieces of
>>> software.
>>>
>>> EMBOSS-6.0.1 srand((unsigned) time(&tm));
>> [...]
>>
>> What you say makes sense. Is there a best practice alternative you
>> suggest or did I miss that? Perhaps just some better initiation value,
>> preferably not all from the same place?
>
> These code sequences do not need deterministic values. They actually
> want non-deterministic values. Steps are like this:
>
> 1. Remove the srand(), srandom(), srand48(), seed48(),
>    lcong48() calls.
>
> 2. Replace all rand(), random(), lrand48(), mrand48() calls with
>    arc4random()
>
> 3. If the calls use %, consider using arc4random_uniform() instead.
>
> 4. If it loops to fill a buffer, use arc4random_buf()
>
> 5. Replace drand48() with arc4random and some floating point, but
>    be careful. drand48() is very rare.
>
> Now, talk to the upstream projects. They will reject your changes
> because Linux lacks arc4random().
>
> Basically, only Linux and Solaris lack arc4random(). All the other
> platforms have it.
>
> There are libraries available which provide arc4random() on Linux, so
> maybe you find an upstream software provider who is willing to create
> a dependency on such a library on Linux.
>
> Lots of software is doing precisely that, so don't be afraid.
Got it. Thanks.

devin

--
contact info: http://nacredata.com/devin
gpg public key: http://www.nacredata.com/public_key.txt
Use unique, strong passwords! https://www.nacredata.com/password.php
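Steps 2 to 5 from the quoted reply, as an added C example that is not part of the thread and not code from OpenBSD or any project named in it. The function names pick_index, fill_token and unit_double are hypothetical, and the getrandom(2) stand-in is an assumption used only where glibc is older than 2.36 and therefore lacks the arc4random family.

```c
#define _DEFAULT_SOURCE          /* exposes arc4random*() on glibc >= 2.36 */
#include <stdint.h>
#include <stdlib.h>

#if defined(__GLIBC__)
#if !__GLIBC_PREREQ(2, 36)
/* Assumption: older glibc without arc4random*(); small stand-in over
 * getrandom(2). A real port would link one of the libraries the thread
 * mentions instead of carrying this. */
#include <sys/random.h>
static void arc4random_buf(void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t got = getrandom(p, n, 0);
        if (got < 0) abort();            /* never fall back to a weak source */
        p += got; n -= (size_t)got;
    }
}
static uint32_t arc4random(void) {
    uint32_t v; arc4random_buf(&v, sizeof v); return v;
}
static uint32_t arc4random_uniform(uint32_t bound) {
    if (bound < 2) return 0;
    uint32_t min = -bound % bound, r;    /* 2^32 mod bound */
    do { r = arc4random(); } while (r < min);   /* reject the biased range */
    return r % bound;
}
#endif
#endif

/* Steps 1-3: was `srand(time(NULL)); ... rand() % n`.
 * No seed call remains, and the result has no modulo bias. */
uint32_t pick_index(uint32_t n) { return arc4random_uniform(n); }

/* Step 4: was `for (i = 0; i < len; i++) buf[i] = rand();` */
void fill_token(unsigned char *buf, size_t len) { arc4random_buf(buf, len); }

/* Step 5: was drand48(). Build 53 random bits (the precision of a double)
 * and scale by 2^-53, so the result lies in [0, 1) and can never be 1.0,
 * unlike the naive arc4random() / (double)UINT32_MAX. */
double unit_double(void) {
    uint64_t hi = arc4random();                  /* 32 bits */
    uint64_t lo = arc4random() >> 11;            /* 21 bits */
    return (double)((hi << 21) | lo) * (1.0 / 9007199254740992.0);
}
```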