Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ] 

On Thu, Jul 28, 2022 at 02:46:38PM +0000, Elliott, Robert (Servers) wrote:
> Two places call UTI_GetRandomBytesUrandom rather than UTI_GetRandomBytes.
> 
> 1. nts_ke_server.c generate_key (from patch a420ed57q):
> +  UTI_GetRandomBytesUrandom(server_keys[index].key, key_length);
> +  if (!SIV_SetKey(server_keys[index].siv, server_keys[index].key, key_length))
> +    assert(0);
> +
> +  UTI_GetRandomBytes(&server_keys[index].id, sizeof (server_keys[index].id));
> 
> 2. client.c process_cmd_keygen (from patch 7fcf69ce):
> +  UTI_GetRandomBytesUrandom(key, length);
> 
> Is there any reason for them to call the Urandom version directly?

They generate long-term keys, i.e. need a higher-quality random
generator. The non-Urandom version can use arc4random() which is fast,
but not described as suitable for long term keys, at least as I
understand it. The upcoming glibc has arc4random(), so this will be
the case also on Linux.

-- 
Miroslav Lichvar


-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/