authorNarrat2017-04-04 22:34:41 +0200
committerNarrat2017-04-04 22:34:41 +0200
commit722facc6001a2e40aa8fbe847b41df232b6c2ae6 (patch)
treeca58034382beb7d1f3bda20c3fc6bbda5297d704
parentfb190e0120ef5bc63f4e1d4903620d1e241e9324 (diff)
downloadaur-722facc6001a2e40aa8fbe847b41df232b6c2ae6.tar.gz
Add patch which uses getrandom() for random numbers
Drops the srand/rand combo. Issues may still exist
-rw-r--r--.SRCINFO6
-rw-r--r--PKGBUILD8
-rw-r--r--change_prng.patch51
-rw-r--r--seed.patch39
4 files changed, 58 insertions, 46 deletions
diff --git a/.SRCINFO b/.SRCINFO
index ac51fc241fcf..d6a9981bdba8 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,16 +1,16 @@
pkgbase = correcthorse
pkgdesc = Passphrase generator based on https://xkcd.com/936/
pkgver = 1.0
- pkgrel = 4
+ pkgrel = 5
url = https://github.com/rmartinjak/correcthorse
arch = i686
arch = x86_64
license = WTFPL
depends = glibc>=2.25
source = correcthorse-1.0.tar.gz::https://github.com/rmartinjak/correcthorse/archive/v1.0.tar.gz
- source = seed.patch
+ source = change_prng.patch
md5sums = 3d691f786f5879f5b902585472d6d195
- md5sums = 34c953a35b1cb563d571005d62c3d199
+ md5sums = 652145bc56a7d199c95c241cb3744760
pkgname = correcthorse
diff --git a/PKGBUILD b/PKGBUILD
index c0b15f25a667..da9e176652ef 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,21 +3,21 @@
pkgname=correcthorse
pkgver=1.0
-pkgrel=4
+pkgrel=5
pkgdesc="Passphrase generator based on https://xkcd.com/936/"
arch=('i686' 'x86_64')
url="https://github.com/rmartinjak/correcthorse"
license=('WTFPL')
depends=('glibc>=2.25')
source=(${pkgname}-${pkgver}.tar.gz::https://github.com/rmartinjak/$pkgname/archive/v$pkgver.tar.gz
- seed.patch)
+ change_prng.patch)
md5sums=('3d691f786f5879f5b902585472d6d195'
- '34c953a35b1cb563d571005d62c3d199')
+ '652145bc56a7d199c95c241cb3744760')
prepare() {
cd "$srcdir/$pkgname-$pkgver"
- patch -Np1 -i "${srcdir}/seed.patch"
+ patch -Np1 -i "${srcdir}/change_prng.patch"
}
build() {
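Review bot: The `md5sums` array is the only integrity check on both the upstream tarball and `change_prng.patch`, and MD5 is not collision-resistant, so it is a weak pin for the sources of a passphrase generator. I would switch the array to `sha256sums=('<sha256 of the tarball>' '<sha256 of change_prng.patch>')`, with the values produced by `updpkgsums` or `makepkg -g`, and regenerate `.SRCINFO` to match. The `build()` body continues outside this hunk.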
diff --git a/change_prng.patch b/change_prng.patch
new file mode 100644
index 000000000000..472a39cd8ee6
--- /dev/null
+++ b/change_prng.patch
@@ -0,0 +1,51 @@
+commit ca7beb741b4708e7f2cb2e3c33aafc11b560cb59
+Author: Narrat <autumn-wind@web.de>
+Date: Tue Apr 4 22:19:53 2017 +0200
+
+ Replace srand()/rand() combo with getrandom()
+
+ This requires glibc-2.25.
+
+ Reason for the move: The time based initialization is a security issue.
+ Additionally is the rand() RNG not the best one out there.
+
+ The newly getentropy/getrandom() from glibc uses for random numbers /dev/(u)random, which are a better choice.
+
+diff --git a/src/correcthorse.c b/src/correcthorse.c
+index 506e8db..77c8a39 100644
+--- a/src/correcthorse.c
++++ b/src/correcthorse.c
+@@ -12,9 +12,9 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+-#include <time.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <sys/random.h>
+
+ #ifdef _GNU_SOURCE
+ #include <getopt.h>
+@@ -30,15 +30,16 @@ static void print_version(char *argv0);
+
+ static size_t rand_index(size_t n)
+ {
+- static int seed = 0;
++ unsigned long seed_feed[1];
++ int ret=0;
+
+- if (!seed)
+- {
+- srand(time(NULL));
+- seed = 1;
++ ret = getrandom(seed_feed, sizeof(long), 0);
++ if (ret <= 0) {
++ fprintf(stderr, "getrandom() returned %d: ", ret);
++ perror("");
+ }
+
+- return rand() % n;
++ return *seed_feed % n;
+ }
+
+ static void rand_perm(size_t *dest, size_t n)
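Review bot: In the patched `rand_index`, a failed `getrandom()` is only reported, and execution falls through to `return *seed_feed % n;`, so the word index is computed from an uninitialised stack value and a passphrase is still produced. The `ret <= 0` test also lets a short read through, and `ret` is an `int` although `getrandom()` returns `ssize_t`; compare the result against the full request size and terminate on any mismatch, as sketched below. `fprintf` may change `errno` before `perror("")` runs, so a single `perror("getrandom")` reports the cause more reliably. Separately, `% n` carries a small modulo bias and is undefined for `n == 0`; whether callers can pass 0 is not visible from this hunk.

```c
static size_t rand_index(size_t n)
{
    unsigned long r;
    ssize_t got = getrandom(&r, sizeof r, 0);

    /* A failed or short read leaves r (partly) uninitialised; never derive a word index from it. */
    if (got != (ssize_t)sizeof r) {
        perror("getrandom");
        exit(EXIT_FAILURE);
    }

    return r % n;
}
```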
diff --git a/seed.patch b/seed.patch
deleted file mode 100644
index 01fb6d1f7301..000000000000
--- a/seed.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-commit 406bc7d04fa085667b86276d65ddaa8ca47a28e0
-Author: Narrat <autumn-wind@web.de>
-Date: Tue Apr 4 02:08:02 2017 +0200
-
- Avoid using a time based seed for srand
-
- Knowing the time would made it possible to replicate the generated password(s).
- Still the pseudeo rng should be replaced
-
-diff --git a/src/correcthorse.c b/src/correcthorse.c
-index 506e8db..46b1995 100644
---- a/src/correcthorse.c
-+++ b/src/correcthorse.c
-@@ -15,6 +15,7 @@
- #include <time.h>
- #include <string.h>
- #include <ctype.h>
-+#include <sys/random.h>
-
- #ifdef _GNU_SOURCE
- #include <getopt.h>
-@@ -31,10 +32,16 @@ static void print_version(char *argv0);
- static size_t rand_index(size_t n)
- {
- static int seed = 0;
-+ long seed_feed[1];
-+ int ret=0;
-
- if (!seed)
- {
-- srand(time(NULL));
-+ ret = getrandom(seed_feed, sizeof(long), 0);
-+ if (ret <= 0) {
-+ printf("Error: Something went wrong. If passwords got generated avoid using them\n");
-+ }
-+ srand(*seed_feed);
- seed = 1;
- }
-