arc4random not cryptographically secure #36

Closed
MikeWeller opened this issue Aug 7, 2015 · 1 comment

MikeWeller commented Aug 7, 2015

People rely on arc4random being a cryptographically secure source of random numbers.

The implementation in CFMisc.mm is just calling rand() a few times, which is pretty terrible.

It should instead use a real cryptographic PRNG algorithm and be seeded from some kind of reliable source of random data. Either implement it properly or at least call an equivalent Windows API for some secure random numbers.

lvh commented Aug 7, 2015

This should emphatically be CryptGenRandom calls.
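
The replacement both comments ask for, as an added example (not the project's code and not written by either commenter): arc4random-style helpers that draw every byte from the operating system's CSPRNG and fail closed instead of falling back to rand(). The function names are hypothetical, and the /dev/urandom branch is an assumption added only so the example also builds on non-Windows hosts.

```c
/* Added example: arc4random-style helpers backed by the OS CSPRNG.
   Function names are hypothetical, not the project's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with advapi32 */
#endif

/* Fill buf with n bytes from the OS; returns 0 on success, -1 on failure. */
int secure_random_buf(void *buf, size_t n) {
#ifdef _WIN32
    HCRYPTPROV prov;
    if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        return -1;
    BOOL ok = CryptGenRandom(prov, (DWORD)n, (BYTE *)buf);
    CryptReleaseContext(prov, 0);
    return ok ? 0 : -1;
#else
    FILE *f = fopen("/dev/urandom", "rb");   /* stand-in on non-Windows hosts */
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
#endif
}

/* Fail closed: never fall back to rand() if the OS source is unavailable. */
uint32_t secure_random_u32(void) {
    uint32_t v;
    if (secure_random_buf(&v, sizeof v) != 0) abort();
    return v;
}

/* Uniform value in [0, bound) using rejection sampling to avoid modulo bias. */
uint32_t secure_random_uniform(uint32_t bound) {
    if (bound < 2) return 0;
    uint32_t min = (uint32_t)(-bound) % bound;   /* 2^32 mod bound */
    uint32_t v;
    do { v = secure_random_u32(); } while (v < min);
    return v % bound;
}

int main(void) {
    printf("%08x %u\n", (unsigned)secure_random_u32(), (unsigned)secure_random_uniform(6));
    return 0;
}
```

A production version would acquire the provider handle once and reuse it rather than reopening it on every call.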
