I'm somewhat confused by the implementation details: placing the fallback into the library
would mean we effectively duplicate the fallback logic: the library might or might
not fall back and then the application will have to decide if it's ok with the
fallback.
I'd prefer to use secure-only random in the library code and make the insecure fallback a
compile-time option in the application code. That way we can manage it on a per-application
or even case-by-case basis later on if we decide to drop it altogether.
Although I might be missing something, so looking forward to your feedback.
On 07.10.2017 08:34, Harald Welte wrote:
> I think it should be a compile time decision for now, and the default
> should be "no fallback". So basically the entire fallback code is
> #ifdef'd out unless somebody builds libosmocore with a possibly
> dangerous compile option and has a good reason to do so.
> If the user does that, there should be a related warning at the end of
> the ./configure step, and we should also print runtime WARNING level
> messages once we actually start to fall back to insecure rand().
--
Max Suraev <msuraev(a)sysmocom.de>
http://www.sysmocom.de/
=======================================================================
* sysmocom - systems for mobile communications GmbH
* Alt-Moabit 93
* 10559 Berlin, Germany
* Sitz / Registered office: Berlin, HRB 134158 B
* Geschaeftsfuehrer / Managing Director: Harald Welte
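
The design discussed in this thread (secure-only by default, the insecure rand() fallback compiled in only on request, a runtime warning when it is used), as an added example that is not part of the original messages and is not libosmocore's code. The macro EXAMPLE_INSECURE_RAND_FALLBACK and all example_* names are hypothetical, and getrandom(2) on Linux is assumed as the secure source.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>

/* Hypothetical build switch EXAMPLE_INSECURE_RAND_FALLBACK: undefined by default
 * ("no fallback"). A configure script would define it only on explicit request
 * and print a warning at the end of its run when it does. */
typedef int (*example_src_fn)(uint8_t *buf, size_t len);

/* Secure source: kernel CSPRNG via getrandom(2) (Linux, glibc >= 2.25). */
static int example_src_getrandom(uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, GRND_NONBLOCK);
        if (n >= 0)
            off += (size_t)n;
        else if (errno != EINTR)
            return -errno;
    }
    return 0;
}

/* Constructed stand-in for a secure source that fails (e.g. pool not ready). */
static int example_src_broken(uint8_t *buf, size_t len) { (void)buf; (void)len; return -EAGAIN; }

/* 0: secure bytes; 1: insecure fallback used; <0: error, buf must not be used. */
static int example_get_rand(uint8_t *buf, size_t len, example_src_fn src)
{
    int rc = src(buf, len);
    if (rc == 0)
        return 0;
#ifdef EXAMPLE_INSECURE_RAND_FALLBACK
    fprintf(stderr, "WARNING: secure RNG failed (%d), using insecure rand()\n", rc);
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(rand() & 0xff);
    return 1;
#else
    return rc; /* default build: the fallback code is not even compiled in */
#endif
}

int main(void)
{
    uint8_t id[16];
    printf("secure source: %d\n", example_get_rand(id, sizeof(id), example_src_getrandom));
    printf("broken source: %d\n", example_get_rand(id, sizeof(id), example_src_broken));
    return 0;
}
```

Building with -DEXAMPLE_INSECURE_RAND_FALLBACK makes the second call return 1 and log the warning instead of returning the error; the distinct return code lets the application decide case by case whether a fallback result is acceptable.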