[exim-dev] [Bug 722] Need a random number generator

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Phil Pennock
Datum:  
To: exim-dev
Betreff: [exim-dev] [Bug 722] Need a random number generator
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=722

Phil Pennock <exim-dev@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |exim-dev@???





--- Comment #6 from Phil Pennock <exim-dev@???> 2008-06-21 00:58:14 ---
The presence of such weak crypto is going to lead to someone misusing it and
spammers abusing it if such an abuse is ever codified into a distribution. We
don't need cryptographically strong, but gratuitously weak is bad. If you're
prepared to accept something _that_ weak, then nhash of md5 of email-supplied
data is surely also acceptable?

There is a bug in your code. Exim is a forking program. If the user uses the
randomness in something used in the daemon process, then every child process
will get the same sequence of randomness (overlapping with the daemon's
randomness).

If Exim is lined against OpenSSL, then RAND_pseudo_bytes() is available.
gnutls appears to have some gnutls_prf* functions which look like they supply
random data (should be verified).

The BSD's have BSD-licensed arc4random stuff which can be used in a pinch.

Any randomness code needs to defend against fork() and re-seed as needed.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email