You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
pw_random_number(max_num) simply performs a modulo of a random integer against the number of elements in the character array. Since there is no check whether the maximum integer value is divisible by the number of elements in the character array, modulo bias is introduced. This would need to be fixed before the command is used to generate passwords for a high security environment.
The text was updated successfully, but these errors were encountered:
The pw_random_number function can be re-written as follows to remove the modulo bias
/*
Generate a random number n, where 0 <= n < max_num, using
/dev/urandom if possible.
max_num is never greater than 127 for this application
*/
int pw_random_number(max_num)
int max_num;
{
unsigned char rand_num = 0xff;
unsigned char mask = 0x7f;
int i, fd = get_random_fd();
int lose_counter = 0x1f;
char *cp = (char *) &rand_num;
if (max_num <= 0x3f) mask = 0x3f;
if (max_num <= 0x1f) mask = 0x1f;
if (fd >= 0) {
while (rand_num >= (unsigned int)max_num) { // while loop removes modulo bias
i = read(fd, cp, 1);
rand_num &= mask;
if ((i < 0) &&
((errno == EINTR) || (errno == EAGAIN)))
continue;
if (i <= 0) {
if (!lose_counter--) break;
continue;
}
}
close(fd);
return (rand_num);
}
/* We weren't able to use /dev/random, fail hard */
fprintf(stderr, "No entropy available!\n");
exit(1);
}
pw_random_number(max_num) simply performs a modulo of a random integer against the number of elements in the character array. Since there is no check whether the maximum integer value is divisible by the number of elements in the character array, modulo bias is introduced. This would need to be fixed before the command is used to generate passwords for a high security environment.
The text was updated successfully, but these errors were encountered: