authorNarrat2017-04-04 02:34:59 +0200
committerNarrat2017-04-04 02:34:59 +0200
commitfb190e0120ef5bc63f4e1d4903620d1e241e9324 (patch)
tree8ad9271f152912bb90e9ff03e68061c219553cd2
parented9e7f67f6ebd3673b56f3d5ce5b5eb671871cd3 (diff)
downloadaur-fb190e0120ef5bc63f4e1d4903620d1e241e9324.tar.gz
Add patch which doesn't use the time as seed
This program uses srand/rand, which is a pseudo-random number generator. For non-cryptographic operations this may be enough and is still commonly used, especially seeding the srand() call with time(). But as dinghy pointed out, this is risky behaviour. The added patch replaces time() with an actual random value, but it is still the same PRNG! Still not good. Additionally, it requires glibc-2.25.
-rw-r--r--.SRCINFO5
-rw-r--r--PKGBUILD15
-rw-r--r--seed.patch39
3 files changed, 54 insertions, 5 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 39cb5cc24a33..ac51fc241fcf 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,13 +1,16 @@
pkgbase = correcthorse
pkgdesc = Passphrase generator based on https://xkcd.com/936/
pkgver = 1.0
- pkgrel = 3
+ pkgrel = 4
url = https://github.com/rmartinjak/correcthorse
arch = i686
arch = x86_64
license = WTFPL
+ depends = glibc>=2.25
source = correcthorse-1.0.tar.gz::https://github.com/rmartinjak/correcthorse/archive/v1.0.tar.gz
+ source = seed.patch
md5sums = 3d691f786f5879f5b902585472d6d195
+ md5sums = 34c953a35b1cb563d571005d62c3d199
pkgname = correcthorse
diff --git a/PKGBUILD b/PKGBUILD
index 3cf512778afe..c0b15f25a667 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,21 +3,28 @@
pkgname=correcthorse
pkgver=1.0
-pkgrel=3
+pkgrel=4
pkgdesc="Passphrase generator based on https://xkcd.com/936/"
arch=('i686' 'x86_64')
url="https://github.com/rmartinjak/correcthorse"
license=('WTFPL')
-source=(${pkgname}-${pkgver}.tar.gz::https://github.com/rmartinjak/$pkgname/archive/v$pkgver.tar.gz)
-md5sums=('3d691f786f5879f5b902585472d6d195')
+depends=('glibc>=2.25')
+source=(${pkgname}-${pkgver}.tar.gz::https://github.com/rmartinjak/$pkgname/archive/v$pkgver.tar.gz
+ seed.patch)
+md5sums=('3d691f786f5879f5b902585472d6d195'
+ '34c953a35b1cb563d571005d62c3d199')
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ patch -Np1 -i "${srcdir}/seed.patch"
+}
+
build() {
cd "$srcdir/$pkgname-$pkgver"
make PREFIX=/usr
}
-
package() {
cd "$srcdir/$pkgname-$pkgver"
make DESTDIR="$pkgdir/" PREFIX=/usr install
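Review bot: The `md5sums=(...)` array extended for the new local `seed.patch` still pins both the upstream tarball and the patch with MD5, which is no longer collision-resistant; a `sha256sums=('<sha256 of tarball>' '<sha256 of seed.patch>')` array (values from `updpkgsums`) gives a meaningful integrity check for the downloaded source. The matching `md5sums` entries in .SRCINFO would then need regenerating with `makepkg --printsrcinfo`. package() continues outside the hunk.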
diff --git a/seed.patch b/seed.patch
new file mode 100644
index 000000000000..01fb6d1f7301
--- /dev/null
+++ b/seed.patch
@@ -0,0 +1,39 @@
+commit 406bc7d04fa085667b86276d65ddaa8ca47a28e0
+Author: Narrat <autumn-wind@web.de>
+Date: Tue Apr 4 02:08:02 2017 +0200
+
+ Avoid using a time based seed for srand
+
+ Knowing the time would made it possible to replicate the generated password(s).
+ Still the pseudeo rng should be replaced
+
+diff --git a/src/correcthorse.c b/src/correcthorse.c
+index 506e8db..46b1995 100644
+--- a/src/correcthorse.c
++++ b/src/correcthorse.c
+@@ -15,6 +15,7 @@
+ #include <time.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <sys/random.h>
+
+ #ifdef _GNU_SOURCE
+ #include <getopt.h>
+@@ -31,10 +32,16 @@ static void print_version(char *argv0);
+ static size_t rand_index(size_t n)
+ {
+ static int seed = 0;
++ long seed_feed[1];
++ int ret=0;
+
+ if (!seed)
+ {
+- srand(time(NULL));
++ ret = getrandom(seed_feed, sizeof(long), 0);
++ if (ret <= 0) {
++ printf("Error: Something went wrong. If passwords got generated avoid using them\n");
++ }
++ srand(*seed_feed);
+ seed = 1;
+ }
+
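Review bot: When getrandom() fails (`ret <= 0`), the new code only prints a message and then still calls `srand(*seed_feed)` on the never-written `seed_feed`, which is undefined behaviour, and the program goes on to emit a passphrase seeded by garbage; the failure should abort instead, and the message should go to stderr so it cannot be confused with the generated output. `srand()` also takes an `unsigned int`, so the `long` that was read is truncated to 32 bits of seed, which bounds every generated passphrase to a 2^32 sequence space regardless of word count — drawing each index from getrandom() directly (or another CSPRNG) would remove that limit, as the commit message itself acknowledges. getrandom() with flags 0 can also return -1/EINTR while the kernel pool is still initialising, so a retry on EINTR is worth adding (needs `<errno.h>` if it is not already included). rand_index's return statement lies outside the embedded hunk.
```c
static size_t rand_index(size_t n)
{
    static int seed = 0;
    unsigned int seed_val = 0;

    if (!seed)
    {
        ssize_t ret;
        /* Retry if interrupted while the kernel pool is still initialising. */
        do {
            ret = getrandom(&seed_val, sizeof seed_val, 0);
        } while (ret < 0 && errno == EINTR);
        if (ret != (ssize_t)sizeof seed_val) {
            fprintf(stderr, "Error: could not obtain a random seed\n");
            exit(EXIT_FAILURE);
        }
        srand(seed_val);
        seed = 1;
    }
    /* … unchanged: index computation from rand() … */
```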