Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

random() is an insecure random number generation function #43

Open
wsp1991 opened this issue Aug 19, 2021 · 2 comments
Open

random() is an insecure random number generation function #43

wsp1991 opened this issue Aug 19, 2021 · 2 comments

Comments

@wsp1991
Copy link

wsp1991 commented Aug 19, 2021

random() is an insecure random number generation function,Is there a safer solution,such as /dev/random

generate_pw_salt (char salt[], const unsigned int salt_size)
{
struct timeval tv;
char *rand_str;
int remain = salt_size;

salt[0] = '\0';

(void) gettimeofday (&tv, NULL);
srandom (tv.tv_sec ^ tv.tv_usec ^ getpid ());

do {
	rand_str = l64a (random());
	strncat (salt, rand_str, remain);
	remain = remain - strlen(rand_str);
} while (remain > 0);

salt[salt_size] = '\0';

}
@lcp
Copy link
Owner

lcp commented Aug 23, 2021

Thanks for the reviewing. Indeed, the quality of random numbers generated by random() is not as good as /dev/random. I'll evaluate converting random() to getrandom() which draws random bytes from /dev/random or /dev/urandom.

@lcp
Copy link
Owner

lcp commented Dec 9, 2021

I'm working on the patch to replace generate_pw_salt() with crypt_gensalt() and this should fix #44 all together.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lcp @wsp1991