[PATCH v3] Seed random generator in main()

Andrew Bartlett abartlet at samba.org
Wed Jun 17 16:30:38 MDT 2015


On Wed, 2015-06-17 at 09:49 -0400, Simo wrote:
> On Wed, 2015-06-17 at 15:38 +0200, Volker Lendecke wrote:
> > On Wed, Jun 17, 2015 at 09:36:00AM -0400, Simo wrote:
> > > On Wed, 2015-06-17 at 08:23 +0200, Volker Lendecke wrote:
> > > > On Wed, Jun 17, 2015 at 05:11:37PM +1200, Andrew Bartlett wrote:
> > > > > In other parts of Samba we just use the generate_random()
> > > > > function, which avoids needing to think about all this.  We have
> > > > > cryptographic random numbers in Samba, we can just use those for
> > > > > this.
> > > > > 
> > > > > We set up a PRNG using MD4 over a RC4 stream from 40 bytes of
> > > > > random data.  It isn't the best, but it avoids the bad pattern of
> > > > > using srandom() et al, which will just trigger folks either
> > > > > re-using in more important places or alternately writing to us
> > > > > with 'security' warnings about using it.
> > > > 
> > > > Seen from another angle: The BSD world seems to settle on
> > > > the arc4random family of functions. There's a libbsd
> > > > replacement on Linux for those. Shouldn't we get rid of our
> > > > own random number generator and just use that, possibly with
> > > > the libbsd code in libreplace?
> > > 
> > > Why are we not just using urandom ? Why do we want to get in the
> > > business of guaranteeing proper random number generation ????
> > 
> > Portability?
> 
> krb5 runs on all platforms and uses cryptographically secure PRNGs
> (urandom on Linux), perhaps we can use that library for random
> number generation.

That's what I want to do, and have proposed twice now.  I guess I need
to come back with a patch :-).  

The reason for not just reading every byte from /dev/urandom was to
avoid it being drained excessively - we can use a lot of random bytes. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team         http://samba.org
Samba Development and Support, Catalyst IT   http://catalyst.net.nz/services/samba
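
The seed-once-then-expand pattern discussed in this thread, as an added example that is not part of the original message and is not Samba's code: 40 bytes are read from the kernel once and every later request is served in user space. HMAC-SHA256 in counter mode is swapped in for the MD4/RC4 construction named above; `SeededGenerator`, `entropy_source` and `kernel_bytes_read` are hypothetical names, and the reseed after fork is an added assumption about how such a generator is used in a forking daemon.

```python
import hashlib
import hmac
import os

SEED_LEN = 40  # seed size quoted in the thread


class SeededGenerator:
    """Seed once from the kernel, then expand in user space.

    HMAC-SHA256 in counter mode stands in for the MD4/RC4 construction
    named in the thread; illustration only, not Samba's implementation.
    """

    def __init__(self, entropy_source=os.urandom):
        self._source = entropy_source      # hypothetical injection point
        self.kernel_bytes_read = 0         # how much the kernel supplied
        self._reseed()

    def _reseed(self):
        key = self._source(SEED_LEN)
        if len(key) != SEED_LEN:
            raise RuntimeError("short read from entropy source")
        self._key = key
        self._counter = 0
        self._pid = os.getpid()
        self.kernel_bytes_read += SEED_LEN

    def random_bytes(self, n):
        # A forked child inherits the parent's state and would replay
        # the same stream, so take a fresh seed when the PID changes.
        if os.getpid() != self._pid:
            self._reseed()
        out = bytearray()
        while len(out) < n:
            block = hmac.new(self._key,
                             self._counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            self._counter += 1             # never reuse a counter value
            out += block
        return bytes(out[:n])


if __name__ == "__main__":
    gen = SeededGenerator()
    gen.random_bytes(1_000_000)
    print("bytes taken from the kernel:", gen.kernel_bytes_read)
```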













More information about the samba-technical mailing list