diff options
author | Narrat | 2017-04-04 02:18:23 +0200 |
---|---|---|
committer | Narrat | 2017-04-04 02:24:22 +0200 |
commit | d238a4a42a5d995c9661a758d8146491d097ab6a (patch) | |
tree | ee0065328734abaade340e3099ca960b43b01d06 | |
parent | 2a01106a76425d2ace9eddf7096efc14434e8ef4 (diff) | |
download | aur-d238a4a42a5d995c9661a758d8146491d097ab6a.tar.gz |
Add patch which doesn't use the time as seed
This program uses srand/rand which is a pseudo rng.
For non crypto operations this may be enough and is still used. Especially initializing the srand() call with time().
But as dinghy pointed out this is a risky behaviour.
The added patch replaces time() with an actual random value, but it is still the same PRNG! Still not good.
Additionally it requires glibc-2.25
-rw-r--r-- | .SRCINFO | 5 | ||||
-rw-r--r-- | PKGBUILD | 15 | ||||
-rw-r--r-- | seed.patch | 39 |
3 files changed, 55 insertions, 4 deletions
@@ -1,16 +1,19 @@ pkgbase = correcthorse-git pkgdesc = Passphrase generator based on https://xkcd.com/936/ pkgver = 1.0.r23.g2a214af - pkgrel = 1 + pkgrel = 2 url = https://github.com/rmartinjak/correcthorse arch = i686 arch = x86_64 license = WTFPL makedepends = git + depends = glibc>=2.25 provides = correcthorse conflicts = correcthorse source = git://github.com/rmartinjak/correcthorse.git + source = seed.patch md5sums = SKIP + md5sums = 34c953a35b1cb563d571005d62c3d199 pkgname = correcthorse-git @@ -4,16 +4,19 @@ _gitname=correcthorse pkgname=correcthorse-git pkgver=1.0.r23.g2a214af -pkgrel=1 +pkgrel=2 pkgdesc="Passphrase generator based on https://xkcd.com/936/" arch=('i686' 'x86_64') url="https://github.com/rmartinjak/correcthorse" license=('WTFPL') +depends=('glibc>=2.25') makedepends=('git') provides=('correcthorse') conflicts=('correcthorse') -source=(git://github.com/rmartinjak/correcthorse.git) -md5sums=('SKIP') +source=(git://github.com/rmartinjak/correcthorse.git + seed.patch) +md5sums=('SKIP' + '34c953a35b1cb563d571005d62c3d199') pkgver() { @@ -22,6 +25,12 @@ pkgver() { git describe --long | sed 's/\([^-]*-g\)/r\1/;s/-/./g;s/v//' } +prepare() { + cd "$_gitname" + + patch -Np1 -i "${srcdir}/seed.patch" +} + build() { cd "$_gitname" diff --git a/seed.patch b/seed.patch new file mode 100644 index 000000000000..01fb6d1f7301 --- /dev/null +++ b/seed.patch @@ -0,0 +1,39 @@ +commit 406bc7d04fa085667b86276d65ddaa8ca47a28e0 +Author: Narrat <autumn-wind@web.de> +Date: Tue Apr 4 02:08:02 2017 +0200 + + Avoid using a time based seed for srand + + Knowing the time would made it possible to replicate the generated password(s). + Still the pseudeo rng should be replaced + +diff --git a/src/correcthorse.c b/src/correcthorse.c +index 506e8db..46b1995 100644 +--- a/src/correcthorse.c ++++ b/src/correcthorse.c +@@ -15,6 +15,7 @@ + #include <time.h> + #include <string.h> + #include <ctype.h> ++#include <sys/random.h> + + #ifdef _GNU_SOURCE + #include <getopt.h> +@@ -31,10 +32,16 @@ static void print_version(char *argv0); + static size_t rand_index(size_t n) + { + static int seed = 0; ++ long seed_feed[1]; ++ int ret=0; + + if (!seed) + { +- srand(time(NULL)); ++ ret = getrandom(seed_feed, sizeof(long), 0); ++ if (ret <= 0) { ++ printf("Error: Something went wrong. If passwords got generated avoid using them\n"); ++ } ++ srand(*seed_feed); + seed = 1; + } + |