Changeset: 67dbeb724bda for MonetDB URL: http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=67dbeb724bda Modified Files: common/utils/muuid.c monetdb5/modules/atoms/uuid.c monetdb5/modules/mal/mal_mapi.c tools/merovingian/utils/utils.c Branch: Oct2014 Log Message:
Use OpenSSL's RAND_bytes() to generate randomness for security. diffs (144 lines): diff --git a/common/utils/muuid.c b/common/utils/muuid.c --- a/common/utils/muuid.c +++ b/common/utils/muuid.c @@ -26,6 +26,8 @@ #include <string.h> /* strdup */ #ifdef HAVE_UUID_UUID_H # include <uuid/uuid.h> +#else +# include <openssl/rand.h> #endif /** @@ -49,14 +51,27 @@ generateUUID(void) /* try to do some pseudo interesting stuff, and stash it in the * format of a UUID to at least return some uniform answer */ char out[37]; + union { + unsigned char randbuf[16]; + unsigned short s[8]; + } r; - /* generate something like this: - * cefa7a9c-1dd2-11b2-8350-880020adbeef ("%08x-%04x-%04x-%04x-%012x") */ - snprintf(out, sizeof(out), "%04x%04x-%04x-%04x-%04x-%04x%04x%04x", - rand() % 65536, rand() % 65536, - rand() % 65536, rand() % 65536, - rand() % 65536, rand() % 65536, - rand() % 65536, rand() % 65536); + if (RAND_bytes(r.randbuf, 16) >= 0) { + snprintf(out, sizeof(out), + "%04x%04x-%04x-%04x-%04x-%04x%04x%04x", + r.s[0], r.s[1], r.s[2], r.s[3], + r.s[4], r.s[5], r.s[6], r.s[7]); + } else { + /* generate something like this: + * cefa7a9c-1dd2-11b2-8350-880020adbeef + * ("%08x-%04x-%04x-%04x-%012x") */ + snprintf(out, sizeof(out), + "%04x%04x-%04x-%04x-%04x-%04x%04x%04x", + rand() % 65536, rand() % 65536, + rand() % 65536, rand() % 65536, + rand() % 65536, rand() % 65536, + rand() % 65536, rand() % 65536); + } #endif return strdup(out); } diff --git a/monetdb5/modules/atoms/uuid.c b/monetdb5/modules/atoms/uuid.c --- a/monetdb5/modules/atoms/uuid.c +++ b/monetdb5/modules/atoms/uuid.c @@ -31,6 +31,9 @@ #ifdef HAVE_UUID_UUID_H #include <uuid/uuid.h> #endif +#ifndef HAVE_UUID +#include <openssl/rand.h> /* for RAND_bytes */ +#endif #ifdef HAVE_UUID #define UUID_SIZE ((int) sizeof(uuid_t)) /* size of a UUID */ @@ -178,7 +181,8 @@ UUIDgenerateUuid(uuid **retval) #ifdef HAVE_UUID uuid_generate(u->u); #else - { + if (RAND_bytes(u->u, 16) < 0) { + /* if it failed, use rand */ int i, r; for (i = 0; i < UUID_SIZE;) { diff --git a/monetdb5/modules/mal/mal_mapi.c b/monetdb5/modules/mal/mal_mapi.c --- a/monetdb5/modules/mal/mal_mapi.c +++ b/monetdb5/modules/mal/mal_mapi.c @@ -44,6 +44,7 @@ #include <sys/types.h> #include <stream_socket.h> #include <mapi.h> +#include <openssl/rand.h> /* RAND_bytes() */ #ifdef _WIN32 /* Windows specific */ # include <winsock.h> @@ -86,12 +87,18 @@ static void generateChallenge(str buf, i /* don't seed the randomiser here, or you get the same challenge * during the same second */ - size = rand(); + if (RAND_bytes((unsigned char *) &size, (int) sizeof(size)) < 0) + size = rand(); size = (size % (max - min)) + min; - for (i = 0; i < size; i++) { - bte = rand(); - bte %= 62; - buf[i] = seedChars[bte]; + if (RAND_bytes((unsigned char *) buf, (int) size) >= 0) { + for (i = 0; i < size; i++) + buf[i] = seedChars[((unsigned char *) buf)[i] % 62]; + } else { + for (i = 0; i < size; i++) { + bte = rand(); + bte %= 62; + buf[i] = seedChars[bte]; + } } buf[i] = '\0'; } diff --git a/tools/merovingian/utils/utils.c b/tools/merovingian/utils/utils.c --- a/tools/merovingian/utils/utils.c +++ b/tools/merovingian/utils/utils.c @@ -45,6 +45,7 @@ # include <time.h> # endif #endif +#include <openssl/rand.h> /* RAND_bytes */ /** * Parses the given file stream matching the keys from list. If a match @@ -314,12 +315,22 @@ void generateSalt(char *buf, unsigned int len) { unsigned int c; - unsigned int size = (unsigned int)rand(); - unsigned int fill = len * 0.75; - unsigned int min = len * 0.42; + unsigned int size; + unsigned int fill; + unsigned int min; + + if (RAND_bytes((unsigned char *) &size, (int) sizeof(size)) < 0) + size = (unsigned int)rand(); + fill = len * 0.75; + min = len * 0.42; size = (size % (fill - min)) + min; - for (c = 0; c < size; c++) - buf[c] = seedChars[rand() % 62]; + if (RAND_bytes((unsigned char *) buf, (int) size) >= 0) { + for (c = 0; c < size; c++) + buf[c] = seedChars[((unsigned char *) buf)[c] % 62]; + } else { + for (c = 0; c < size; c++) + buf[c] = seedChars[rand() % 62]; + } for ( ; c < len; c++) buf[c] = '\0'; } _______________________________________________ checkin-list mailing list checkin-list@monetdb.org https://www.monetdb.org/mailman/listinfo/checkin-list