You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I noticed that during pkispawn a lot of noise files generated to work with certutil contain just the string "not_so_random_data". I do not think that "It's not used anyway" comment from the code justifies this behavior. It may not be used now but if there's a use to it in the future, it'd be hard to notice and would instantly cause a CVE to pop out.
I think that reading bytes from /dev/random should be cheap enough operation and should be used instead.
The text was updated successfully, but these errors were encountered:
REASON PROVIDED BY RRELYEA: A modern nss running on a modern box. NSS's own entropy, which uses dev urandom, is very good and using a bad noise file will be of little consequence at this point.
PROPOSED SOLUTION: Either remove noise file, or populate it with random data (use NSS method).
This issue was migrated from Pagure Issue #2559. Originally filed by stlaz (@stlaz) on 2016-12-08 15:27:58:
I noticed that during pkispawn a lot of noise files generated to work with certutil contain just the string "not_so_random_data". I do not think that "It's not used anyway" comment from the code justifies this behavior. It may not be used now but if there's a use to it in the future, it'd be hard to notice and would instantly cause a CVE to pop out.
I think that reading bytes from /dev/random should be cheap enough operation and should be used instead.
The text was updated successfully, but these errors were encountered: