poor default seeding of RNG
Tom Holroyd
tomh at po.crl.go.jp
Wed Mar 14 17:02:53 EST 2001
Correct me if I'm wrong, but init_rng() in entropy.c doesn't call
seed_rng(), and in fact seed_rng() isn't called from _anywhere_ (in
openssh-2.5.1p2). So calls to BN_rand() only pick up the
tiny/non-existent amount of entropy added by BN_rand() itself from the
system clock (time in seconds). Shouldn't seed_rng() be called from
init_rng()? It should be called from _somewhere_, or deleted.
Thanks,
Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
-- Richard Feynman, _There's Plenty of Room at the Bottom_
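An added illustration of the concern raised in the message above (not code from the poster, OpenSSH or OpenSSL): if the only seed material is time in seconds, the seed can be found by trying every second in the window in which the process may have started. The toy generator and the names `toy_first_output`, `bits_for_candidates` and `find_time_seed` are hypothetical, and the timestamps are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Toy generator (splitmix64 finalizer): a stand-in for any PRNG whose only
 * seed material is time in seconds. Not OpenSSL's or OpenSSH's code. */
static uint64_t toy_first_output(uint64_t seed)
{
    uint64_t z = seed + 0x9E3779B97F4A7C15ULL;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Bits needed to index n candidates: the most entropy such a seed carries. */
static unsigned bits_for_candidates(unsigned long long n)
{
    unsigned bits = 0;
    while (bits < 63 && (1ULL << bits) < n)
        bits++;
    return bits;
}

/* Try each second in [lo, hi]; return 1 and set *seed when one reproduces
 * `observed`. *tried counts the candidates examined. */
static int find_time_seed(uint64_t observed, time_t lo, time_t hi,
                          time_t *seed, unsigned long *tried)
{
    *tried = 0;
    for (time_t t = lo; t <= hi; t++) {
        (*tried)++;
        if (toy_first_output((uint64_t)t) == observed) {
            *seed = t;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    const time_t day_start = 984528000;      /* constructed sample timestamp */
    const time_t secret = day_start + 12345; /* constructed "start time" */
    time_t found = 0;
    unsigned long tried = 0;
    int ok = find_time_seed(toy_first_output((uint64_t)secret), day_start,
                            day_start + 86400, &found, &tried);
    printf("found=%d seed=%ld tried=%lu max_bits=%u\n", ok, (long)found,
           tried, bits_for_candidates(86401));
    return ok ? 0 : 1;
}
```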