lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

random() is an insecure random number generation function #43

Open wsp1991 opened 3 years ago

wsp1991 commented 3 years ago

random() is an insecure random number generation function. Is there a safer solution, such as /dev/random?

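```c
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

void
generate_pw_salt (char salt[], const unsigned int salt_size)
{
    struct timeval tv;
    char *rand_str;
    int remain = salt_size;

    salt[0] = '\0';

    /* The PRNG seed is derived only from the current time and the PID */
    (void) gettimeofday (&tv, NULL);
    srandom (tv.tv_sec ^ tv.tv_usec ^ getpid ());

    /* Append base-64 text from random() until salt_size characters are filled */
    do {
        rand_str = l64a (random());
        strncat (salt, rand_str, remain);
        remain = remain - strlen(rand_str);
    } while (remain > 0);

    salt[salt_size] = '\0';
}
```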

lcp commented 3 years ago

Thanks for the review. Indeed, the quality of random numbers generated by random() is not as good as /dev/random. I'll evaluate converting random() to getrandom(), which draws random bytes from /dev/random or /dev/urandom.

lcp commented 2 years ago

I'm working on the patch to replace generate_pw_salt() with crypt_gensalt() and this should fix https://github.com/lcp/mokutil/issues/44 all together.
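
The getrandom() approach discussed in this thread, as an added example; it is not mokutil's code and not the patch mentioned above. The names `fill_random` and `generate_pw_salt_csprng` are hypothetical, and the code assumes Linux with `getrandom()` available (glibc 2.25 or later) and a `salt` buffer of at least `salt_size + 1` bytes.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(): Linux, glibc >= 2.25 */

/* crypt(3) salt alphabet, the same 64 symbols that l64a() emits. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Hypothetical helper: fill buf with len bytes from the kernel CSPRNG,
 * retrying on EINTR and short reads. Returns 0 on success, -1 on error. */
static int fill_random(unsigned char *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = getrandom(buf + done, len - done, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;          /* e.g. ENOSYS on a very old kernel */
        }
        done += (size_t)n;
    }
    return 0;
}

/* Hypothetical replacement for generate_pw_salt(): no seeding step, so
 * nothing depends on the time of day or the PID. Returns 0 on success,
 * -1 (with an empty salt) if random bytes could not be obtained. */
int generate_pw_salt_csprng(char salt[], size_t salt_size)
{
    unsigned char raw[64];
    size_t i = 0;

    salt[0] = '\0';
    while (i < salt_size) {
        size_t chunk = salt_size - i < sizeof raw ? salt_size - i : sizeof raw;
        if (fill_random(raw, chunk) != 0) {
            salt[0] = '\0';     /* fail closed: never return a partial salt */
            return -1;
        }
        /* 256 is a multiple of 64, so masking to 6 bits is unbiased. */
        for (size_t j = 0; j < chunk; j++)
            salt[i++] = SALT_CHARS[raw[j] & 0x3f];
    }
    salt[salt_size] = '\0';
    return 0;
}
```

Callers should treat a -1 return as fatal rather than falling back to random().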