Anybody taking care of refclock_trimble?

[Hal Murray]

>> Back in December, I fixed get_systime to use random() rather than
>> ntp_random()  which calls RAND_bytes().

> I still consider that change to be wrongdoing.  If NTP has a use case for
> both fast and cryptographically secure randomness, then you should have ntp_*
> functions with these characteristics.  You would also need to audit which
> randomness is actually required and specifically that no statistical
> randomness leaks into places where cryptographically secure randomness is
> required.

I don't think there is any need for crypto randomness when fuzzing the low 
bits of time.  If anybody has other opinions, please sing out.

I think we should dump ntp_random and use either random() or 
RAND_bytes/RAND_priv_bytes as appropriate.

In the old days, ntp_random had its own built-in pseudo random number scheme.  
So there was no cryptographically strong randomness in ntpd.  (or I missed 
something in the old code)  That was removed in 2015 when we started using 
libsodium.

NTS uses RAND_bytes.


-- 
These are my opinions.  I hate spam.