Hal Murray via devel writes:
> Back in December, I fixed get_systime to use random() rather than
> ntp_random() which calls RAND_bytes().

I still consider that change to be wrongdoing. If NTP has a use case for both fast and cryptographically secure randomness, then you should have ntp_* functions with these characteristics. You would also need to audit which randomness is actually required and specifically that no statistical randomness leaks into places where cryptographically secure randomness is required.

Calling random() puts you at the mercy of the libc implementation, which historically has been bad more often than not (that the systems NTPsec currently supports should be OK is beside the point). Also note that both the libc random and most fast PRNGs are generally not thread safe (they are on recent enough Linux, but POSIX doesn't require it), so you either need to put their calls in critical sections (likely nixing the speed advantage) or create per-thread state for them (initializing that state can be tricky if the state space is small).

For a fast implementation I'd suggest using either xoshiro256++ or xoshiro256**. These can be initialized via RAND_bytes (if you're paranoid you can do a popcnt check on the seed), have provisions for creating non-overlapping sub-sequences, which are useful to create per-thread state, and are extremely fast on all the architectures we might care about. They are small enough to be inlined, although NTPsec will likely not need that.

Regards, Achim.

-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Samples for the Waldorf Blofeld: http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
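The design Achim sketches above (a fast statistical PRNG seeded from a CSPRNG, a popcount sanity check on the seed, and non-overlapping sub-sequences for per-thread state), as an added example that is not NTPsec code and not from the thread: xoshiro256++ with explicit per-generator state, the reference jump() routine to split the stream, and a seed check. The seed is assumed to come from RAND_bytes() or an equivalent CSPRNG; main() reads /dev/urandom as a stand-in, and the constructed seed in the test stands in likewise. All function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NTPsec code: xoshiro256++ (Blackman & Vigna) with
 * explicit state so each thread owns its own generator, a popcount sanity
 * check on the seed, and jump() to derive non-overlapping per-thread streams.
 * The 32 seed bytes are assumed to come from a CSPRNG such as RAND_bytes();
 * main() below reads /dev/urandom as a stand-in. */

typedef struct { uint64_t s[4]; } xoshiro256pp;

static inline uint64_t rotl64(uint64_t x, int k) {
    return (x << k) | (x >> (64 - k));
}

/* One step of xoshiro256++; returns 64 statistically (not cryptographically)
 * random bits. No locking: the caller owns the state. */
uint64_t xoshiro256pp_next(xoshiro256pp *g) {
    uint64_t *s = g->s;
    const uint64_t result = rotl64(s[0] + s[3], 23) + s[0];
    const uint64_t t = s[1] << 17;
    s[2] ^= s[0];
    s[3] ^= s[1];
    s[1] ^= s[2];
    s[0] ^= s[3];
    s[2] ^= t;
    s[3] = rotl64(s[3], 45);
    return result;
}

/* Advance the state by 2^128 steps: the streams before and after a jump do
 * not overlap, so repeated jumps hand out independent per-thread streams. */
void xoshiro256pp_jump(xoshiro256pp *g) {
    static const uint64_t JUMP[] = {
        0x180ec6d33cfd0abaULL, 0xd5a61266f0c9392cULL,
        0xa9582618e03fc9aaULL, 0x39abdc4529b1661cULL
    };
    uint64_t acc[4] = {0, 0, 0, 0};
    for (size_t i = 0; i < sizeof JUMP / sizeof *JUMP; i++) {
        for (int b = 0; b < 64; b++) {
            if (JUMP[i] & ((uint64_t)1 << b)) {
                for (int k = 0; k < 4; k++) acc[k] ^= g->s[k];
            }
            xoshiro256pp_next(g);
        }
    }
    memcpy(g->s, acc, sizeof acc);
}

/* Seed sanity check (the "popcnt check"): 256 fair bits have about 128 ones
 * with a standard deviation of 8, so a count outside 64..192 is astronomically
 * unlikely from a working CSPRNG and signals a broken source. It also rejects
 * the all-zero state, which xoshiro can never leave. */
bool xoshiro256pp_seed_ok(const uint8_t seed[32]) {
    int ones = 0;
    for (int i = 0; i < 32; i++)
        for (uint8_t v = seed[i]; v; v &= v - 1) ones++;
    return ones >= 64 && ones <= 192;
}

bool xoshiro256pp_init(xoshiro256pp *g, const uint8_t seed[32]) {
    if (!xoshiro256pp_seed_ok(seed)) return false;
    memcpy(g->s, seed, 32);
    return true;
}

/* Derive the generator for thread `index` from a seeded master: thread i
 * gets the master state after i jumps, so no two threads share a stream. */
void xoshiro256pp_thread_state(const xoshiro256pp *master, unsigned index,
                               xoshiro256pp *out) {
    *out = *master;
    for (unsigned i = 0; i < index; i++) xoshiro256pp_jump(out);
}

/* Stand-in for RAND_bytes(seed, 32); assumes a POSIX /dev/urandom. */
static bool read_urandom(uint8_t seed[32]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return false;
    size_t n = fread(seed, 1, 32, f);
    fclose(f);
    return n == 32;
}

int main(void) {
    uint8_t seed[32];
    xoshiro256pp master, worker[2];
    if (!read_urandom(seed) || !xoshiro256pp_init(&master, seed)) {
        fputs("seed source failed sanity check\n", stderr);
        return 1;
    }
    for (unsigned i = 0; i < 2; i++)
        xoshiro256pp_thread_state(&master, i + 1, &worker[i]);
    for (int i = 0; i < 3; i++)
        printf("worker0 %016llx  worker1 %016llx\n",
               (unsigned long long)xoshiro256pp_next(&worker[0]),
               (unsigned long long)xoshiro256pp_next(&worker[1]));
    return 0;
}
```

Each worker thread would hold its own `xoshiro256pp` (e.g. in thread-local storage) and call `xoshiro256pp_next` without any lock; only the one-time seeding touches the CSPRNG. A jump is a fixed 256 steps of the generator plus a few XORs, so deriving even thousands of thread states at startup is cheap, and because the seed check runs before any output is produced, a silently failing entropy source is caught at initialization rather than discovered in the packet stream.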