Subject: Re: replace kernel random number function
To: None <tech-security@netbsd.org>
From: Theo de Raadt <deraadt@cvs.openbsd.org>
List: tech-security
Date: 10/22/2000 02:52:18
Message-Id: <200010220852.e9M8qJK09053@cvs.openbsd.org>
In-reply-to: Your message of "Sat, 21 Oct 2000 08:02:02 +0900."
             <20001020230203.097CB7E46@starfruit.itojun.org> 
Date: Sun, 22 Oct 2000 02:52:18 -0600

> 	i plan to replace kernel random(9) with libc random(3) code,
> 	or arc4random.  any comments?
> 
> 	current random(9) is too weak, and allows security threats like we saw
> 	with TCP ISS guessing.  libc random(3) code looks strong enough for
> 	a polynomial random number generator.

be careful.

last i checked, the scheduler requires random() to be an LCG.

that is why we left random alone, and everything else calls something
else.