[Mono-devel-list] Patch for using egd/prngd for random numbers

Solomon, Bernard bernard.solomon at ugsplm.com
Wed Apr 28 20:50:38 EDT 2004


Thanks for the comments. I'm not a great security
expert (I basically just want corlib tests to work). 
I have actually put it in using the env var and in 
the style Miguel suggested. I don't know how secure
it is if you have access to the machine where
the daemon is running (for my own setup I know
not very!)

Bernie

-----Original Message-----
From: Sébastien Pouliot [mailto:spouliot at videotron.ca]
Sent: Tuesday, April 27, 2004 4:37 PM
To: Bernie Solomon
Cc: mono-devel-list at lists.ximian.com
Subject: RE: [Mono-devel-list] Patch for using egd/prngd for random
numbers


Hello Bernie,

In security, environment variables are generally considered an untrusted user
input. However I don't know much about EGD so I can't say if it could be
misused or not. But if this can lead to disclosure of the random data (even
partial) then all generated keys (symmetric or asymmetric) may be
compromised.

As an alternative, the file machine.config already contains many security
mappings required for the class libraries - but this is an XML file.

Sebastien Pouliot
http://pages.infinit.net/ctech/poupou.html

-----Original Message-----
From: mono-devel-list-admin at lists.ximian.com
[mailto:mono-devel-list-admin at lists.ximian.com]On Behalf Of Bernie
Solomon
Sent: 27 April 2004 14:27
To: Miguel de Icaza
Cc: mono-devel-list at lists.ximian.com
Subject: Re: [Mono-devel-list] Patch for using egd/prngd for random
numbers


OK (I had that at one stage while I was writing it).

Any thoughts on how to pick up the name of the socket? Is the env var
OK? Or should it go in some config file and if so which?

Bernie
----- Original Message -----
From: "Miguel de Icaza" <miguel at ximian.com>
To: "Bernie Solomon" <bernard at ugsolutions.com>
Cc: <mono-devel-list at lists.ximian.com>
Sent: Monday, April 26, 2004 6:08 PM
Subject: Re: [Mono-devel-list] Patch for using egd/prngd for random numbers


> Hello,
>
> > I've been meaning to send this round for a bit. Here is a patch
> > to enable use of egd or prngd for random numbers for machines
> > without /dev/random.
> >
> > It adds an option to configure --with-egd which can be
> > "yes" meaning use the env var MONO_EGD_SOCKET for
> > getting the socket to talk to the daemon, or can be the
> > name of the path to the socket if you want to compile this
> > in as an absolute reference.
> >
> > Any issues?
>
> I would build the code always, and only activate it if /dev/random is
> missing and we can talk to the server, as opposed to making it
> configurable.
>
> Miguel.
>