FreeRADIUS / freeradius-client

A BSD licenced RADIUS client library
http://freeradius.org/freeradius-client/

srandom() not called #82

Closed pem closed 6 years ago

pem commented 6 years ago

random() is used internally when generating IDs by rc_get_id(). When using rc_read_config(), srandom() gets called, but if you need to set up the configuration in some other way and use rc_config_init() instead, srandom() is not called, which results in the same random sequence each time. (And for a client program that's restarted for each call, the same ID every time.)

So rc_config_init(), and/or possibly some other function(s) should call srandom() as well.

It's easy enough to work around by letting the client program call srandom(), but the caller should preferably not need to know which random generator is used internally.

mcpat commented 6 years ago

That's an interesting issue. It also leads to the authenticators being the same every time. That most probably is a problem for password-based authentications with a password with at most 16 bytes: two such authentications for different users/passwords will give you the XOR'ed passwords.
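An added illustration of the two comments above (example code written for this page, not part of freeradius-client): a stand-in for an authenticator generator built on random(), a demonstration that process starts without srandom() repeat the same bytes, a seeding routine of the kind rc_config_init() is missing, and a collector-side check that flags repeated Request Authenticators. The function names and the sample authenticators are constructed for the example.

```c
/* Added example, not freeradius-client code. Needs glibc/POSIX (random, getpid). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical stand-in for a 16-byte Request Authenticator drawn from random(). */
static void gen_authenticator(uint8_t out[16]) {
    for (int i = 0; i < 16; i++)
        out[i] = (uint8_t)(random() & 0xff);
}

/* A process that never calls srandom() behaves as if srandom(1) had been called,
 * so two restarts of such a client emit identical authenticators. Returns 1 if so. */
int unseeded_is_predictable(void) {
    uint8_t a[16], b[16];
    srandom(1); gen_authenticator(a);   /* "process 1" */
    srandom(1); gen_authenticator(b);   /* "process 2", after a restart */
    return memcmp(a, b, 16) == 0;
}

/* Seed once at init, which is what the issue asks rc_config_init() to do.
 * Time and pid alone are guessable, so /dev/urandom bytes are mixed in too. */
void seed_prng(void) {
    struct timespec ts; clock_gettime(CLOCK_REALTIME, &ts);
    unsigned seed = (unsigned)ts.tv_sec ^ (unsigned)ts.tv_nsec ^ ((unsigned)getpid() << 16);
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) { unsigned r = 0; if (fread(&r, sizeof r, 1, f) == 1) seed ^= r; fclose(f); }
    srandom(seed);
}

/* With seeding, two starts no longer share an authenticator. Returns 1 if they differ. */
int seeded_starts_differ(void) {
    uint8_t a[16], b[16];
    seed_prng(); gen_authenticator(a);
    seed_prng(); gen_authenticator(b);
    return memcmp(a, b, 16) != 0;
}

/* Defender-side check over captured Request Authenticators: any repeat is worth an
 * alert, since PAP passwords hidden under the same authenticator share a keystream. */
size_t count_repeated_authenticators(const uint8_t (*auths)[16], size_t n) {
    size_t dup = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (memcmp(auths[i], auths[j], 16) == 0) dup++;
    return dup;
}

/* Constructed sample: three captured authenticators, the first and third identical. */
const uint8_t sample_auths[3][16] = {
    {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16},
    {16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1},
    {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16},
};
```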