Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 27 Nov 2017 11:39:00 -0500
From: Darcy Parker <darcyparker@...il.com>
To: musl@...ts.openwall.com
Subject: AES_CTR_DRBG / random numbers

Hi,

Have musl developers considered  AES_CTR_DRBG like glibc project has?

I learned about it from
https://aws.amazon.com/blogs/opensource/better-random-number-generation-for-openssl-libc-and-linux-mainline/.
My understanding of it is limited, but enough to be concerned about claimed
risk of how fork() may copy memory used by an initialized random number
generator.  It looks like s2n and linux have or will adopt AES_CTR_DRBG.
My concern is other software that may depend on libc's rand() rather than
implement their own secure pseudo random number generator.

I appreciate musl for its reputation of correctness and performance.  And
although I saw glibc is moving to it, a quick set of searches with Google
didn't uncover discussion about AES_CTR_DRBG being implemented in musl.

Is musl's pseudo random number generator methods vulnerable in the same way
glibc is?  My hope is that it is not vulnerable, but if it is, I'd like to
know musl developers are already on top of this.

Thanks
Darcy

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.