/WinObjC

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

arc4random not cryptographically secure #36

Closed
MikeWeller opened this Issue Aug 7, 2015 · 1 comment

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
No milestone
5 participants
@MikeWeller @lvh @brianker @winobjc-bot @keluo-ms
@MikeWeller

MikeWeller commented Aug 7, 2015
edited by rajsesh
Edited 1 time
  • @rajsesh rajsesh edited Jun 30, 2016 (most recent)

People rely on arc4random being a cryptographically secure source of random numbers.

The implementation in CFMisc.mm is just calling rand() a few times which is pretty terrible.

It should instead use a real cryptographic PRNG algorithm and be seeded from some kind of reliable source of random data. Either implement it properly or at least call an equivalent windows API for some secure random numbers.
@lvh

This comment has been minimized.

Show comment
Hide comment
@lvh

lvh Aug 7, 2015

This should emphatically be CryptGenRandom calls.

lvh commented Aug 7, 2015

This should emphatically be CryptGenRandom calls.

@brianker brianker self-assigned this Aug 18, 2015

brianker added a commit that referenced this issue Aug 20, 2015

@brianker
Fix for issue #36 -- use CryptographicBuffer::GenerateRandomNumber fo… 
…r arc4random.
d288c73

@winobjc-bot winobjc-bot added the Approved label Nov 3, 2015

@keluo-ms keluo-ms closed this Nov 5, 2015

@winobjc-bot winobjc-bot added the Approved label Nov 5, 2015

@rajsesh rajsesh unassigned brianker Jun 30, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment