Re: getppid misused as entropy source
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: getppid misused as entropy source
- From: Fabio Olive Leite <fabio_(_dot_)_olive_(_at_)_gmail_(_dot_)_com>
- Date: Tue, 8 Mar 2005 16:50:57 -0300
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org
On Tue, Mar 08, 2005 at 03:27:55PM +0100, Bruno Rohee wrote:
> I'm afraid that this patch is wrong, the return value from getppid()
> was constrained in the 2-65535 range and the call to arc4random()
> isn't. And I think it's bad in that context. I'll look at it again tonight.

I admit I do not know the protocol, so I don't know all of the
implications of that change. It's just that the code looked so weird
"I need an auth_port (whatever it is), let's get the ttyslot(). Oh
wait, it was zero? Then get the parent pid.".

BTW, the range of getppid() is 1-32766.

I drowned in the universal pool of entropy
Eris has saved me, and she has set me free