Date: Mon, 27 Nov 2017 11:39:00 -0500
From: Darcy Parker <darcyparker@...il.com>
To: musl@...ts.openwall.com
Subject: AES_CTR_DRBG / random numbers

Hi,

Have musl developers considered AES_CTR_DRBG like the glibc project has? I learned about it from https://aws.amazon.com/blogs/opensource/better-random-number-generation-for-openssl-libc-and-linux-mainline/.

My understanding of it is limited, but enough to be concerned about the claimed risk of how fork() may copy memory used by an initialized random number generator. It looks like s2n and linux have adopted or will adopt AES_CTR_DRBG. My concern is other software that may depend on libc's rand() rather than implement its own secure pseudo random number generator.

I appreciate musl for its reputation of correctness and performance. And although I saw glibc is moving to it, a quick set of searches with Google didn't uncover discussion about AES_CTR_DRBG being implemented in musl.

Are musl's pseudo random number generator methods vulnerable in the same way glibc is? My hope is that they are not vulnerable, but if they are, I'd like to know musl developers are already on top of this.

Thanks
Darcy
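The fork() concern raised in the message, as an added example that is not part of the original post and is not musl or glibc code: a userspace generator's state is copied into the child, so parent and child draw the same value unless the state is reseeded after the fork. The toy xorshift64 generator, the pid-based fork check, and all function names are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy xorshift64 generator, constructed for this example; not any libc's rand(). */
struct prng { uint64_t s; pid_t owner; };

static int os_seed(struct prng *g) {        /* seed from the kernel, record the owner */
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &g->s, sizeof g->s);
    close(fd);
    g->s |= 1;                              /* xorshift state must be non-zero */
    g->owner = getpid();
    return n == (ssize_t)sizeof g->s ? 0 : -1;
}

static uint64_t next_raw(struct prng *g) {  /* no fork handling */
    g->s ^= g->s << 13; g->s ^= g->s >> 7; g->s ^= g->s << 17;
    return g->s;
}

/* Fork-aware draw: reseed when the state was inherited from another process. */
static uint64_t next_safe(struct prng *g) {
    if (g->owner != getpid() && os_seed(g) != 0) _exit(1);
    return next_raw(g);
}

/* Fork, draw once in each process: 1 = same value, 0 = different, -1 = error. */
int same_after_fork(int fork_aware) {
    struct prng g = {0, 0}; int p[2]; uint64_t child = 0;
    if (os_seed(&g) != 0 || pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* child: holds a copy of g */
        uint64_t v = fork_aware ? next_safe(&g) : next_raw(&g);
        _exit(write(p[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(p[1]);
    uint64_t parent = fork_aware ? next_safe(&g) : next_raw(&g);
    ssize_t n = read(p[0], &child, sizeof child);
    close(p[0]); waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child ? parent == child : -1;
}

int main(void) {
    return printf("plain: same=%d, fork-aware: same=%d\n", same_after_fork(0), same_after_fork(1)) < 0;
}
```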