openziti / tlsuv

TLS and HTTP(s) client library for libuv
https://docs.openziti.io/tlsuv/
MIT License

Insecure randomization in WebSocket implementation #175

Closed snej closed 1 year ago

snej commented 1 year ago

From websocket.c, starting at line 73:

    srand(time(&t));
    char key[25];
    for (int i = 0; i < 22; i++) {
        int v = rand() & 0x3f;

There are additional calls to rand on lines 197 and 410.

Two issues:

  1. rand is not a cryptographic RNG and shouldn’t be used for anything related to security.
  2. Seeding a RNG with the current time in seconds is extremely insecure, because the value is trivial for an attacker to guess. (This is a famous old vulnerability, dating back to Netscape’s first broken implementation of SSL in 1994.)

It would be best to use the RNG exported by the TLS engine, i.e. mbedtls_ctr_drbg_random; I don’t remember the name of the OpenSSL equivalent.
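As an added illustration of the two points raised above (this is example code written for this page, not tlsuv's websocket.c, and it does not use the mbedtls or OpenSSL RNG APIs mentioned): the weak path reproduces the `srand(time)`/`rand()` pattern so that two keys generated from the same seed can be shown to be identical, while the replacement path draws the 16-byte Sec-WebSocket-Key nonce from the OS CSPRNG via `/dev/urandom` (assumed available; a real library would call its TLS engine's DRBG instead) and base64-encodes it to the 24-character form the handshake expects.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Base64 alphabet used to encode the 16 random bytes of Sec-WebSocket-Key. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode a 16-byte nonce into 24 base64 characters (five full 3-byte groups,
 * then one leftover byte which yields two characters plus "==" padding). */
static void ws_key_encode(const unsigned char nonce[16], char out[25]) {
    int o = 0;
    for (int i = 0; i < 15; i += 3) {
        unsigned v = ((unsigned)nonce[i] << 16) | ((unsigned)nonce[i + 1] << 8) | nonce[i + 2];
        out[o++] = B64[(v >> 18) & 0x3f];
        out[o++] = B64[(v >> 12) & 0x3f];
        out[o++] = B64[(v >> 6) & 0x3f];
        out[o++] = B64[v & 0x3f];
    }
    unsigned v = (unsigned)nonce[15] << 16;
    out[o++] = B64[(v >> 18) & 0x3f];
    out[o++] = B64[(v >> 12) & 0x3f];
    out[o++] = '=';
    out[o++] = '=';
    out[o] = '\0';
}

/* Weak pattern from the report: rand() seeded with a clock value in seconds.
 * The C standard guarantees the same seed gives the same sequence, so anyone
 * who knows (or can narrow down) the second the key was made can recompute it. */
static void weak_nonce(time_t seed, unsigned char nonce[16]) {
    srand((unsigned)seed);
    for (int i = 0; i < 16; i++)
        nonce[i] = (unsigned char)(rand() & 0xff);
}

/* Replacement: 16 bytes from the OS CSPRNG. Returns 0 on success, -1 on failure
 * (never fall back to rand() on failure; fail the handshake instead). */
static int csprng_nonce(unsigned char nonce[16]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(nonce, 1, 16, f);
    fclose(f);
    return n == 16 ? 0 : -1;
}

/* Build a Sec-WebSocket-Key the insecure way, from an explicit seed. */
int ws_key_weak(time_t seed, char out[25]) {
    unsigned char nonce[16];
    weak_nonce(seed, nonce);
    ws_key_encode(nonce, out);
    return 0;
}

/* Build a Sec-WebSocket-Key from the CSPRNG. Returns 0 on success, -1 on failure. */
int ws_key_secure(char out[25]) {
    unsigned char nonce[16];
    if (csprng_nonce(nonce) != 0) return -1;
    ws_key_encode(nonce, out);
    return 0;
}

/* Check the wire format: exactly 24 chars, 22 base64 chars followed by "==". */
int ws_key_valid(const char *key) {
    if (strlen(key) != 24) return 0;
    for (int i = 0; i < 22; i++)
        if (strchr(B64, key[i]) == NULL) return 0;
    return key[22] == '=' && key[23] == '=';
}

int main(void) {
    char a[25], b[25], c[25];
    time_t now = time(NULL);
    ws_key_weak(now, a);
    ws_key_weak(now, b); /* same second, same key */
    printf("weak   : %s\n         %s  (identical: %s)\n", a, b, strcmp(a, b) == 0 ? "yes" : "no");
    if (ws_key_secure(c) == 0)
        printf("csprng : %s\n", c);
    return 0;
}
```

The `ws_key_valid` check is the same one a server applies before computing Sec-WebSocket-Accept, so it doubles as a sanity test that the encoder produces the expected shape.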

ekoby commented 1 year ago

If I remember correctly a websocket key is not used for security. Realistically, a secure websocket should go over TLS connection to have proper security guarantees.