Details
- Bug
- Resolution: Invalid
- Not Evaluated
- None
- 5.13.1
- None
Description
qtbase/src/network/ssl/qsslsocket_qt.cpp contains the code:
    static QByteArray _q_PKCS12_salt()
    {
        QByteArray salt;
        salt.resize(8);
        for (int i = 0; i < salt.size(); ++i)
            salt[i] = (qrand() & 0xff);
        return salt;
    }
The problem is that qrand is a simple wrapper around rand and does not generate cryptographically secure random numbers. I believe this should be replaced with:
    static QByteArray _q_PKCS12_salt()
    {
        // Note that QRandomGenerator::system() is usually cryptographically safe.
        const quint64 salt = QRandomGenerator::system()->generate64();
        return QByteArray{reinterpret_cast<const char*>(&salt), sizeof(salt)};
    }
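The difference the report points at, as an added example (not Qt's code and not part of the report): a process that never seeds rand produces the same 8-byte salt on every run, while an OS-backed source does not. Assumptions: std::rand() stands in for qrand(), following the report's description of it as a wrapper around rand; /dev/urandom stands in for an OS generator on a Unix-like system; all function names are hypothetical.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <stdexcept>

using Salt = std::array<std::uint8_t, 8>;

// Same construction as the reported _q_PKCS12_salt(): low byte of each PRNG output.
// std::rand() is an assumed stand-in for qrand().
Salt salt_from_rand() {
    Salt s{};
    for (auto &b : s)
        b = static_cast<std::uint8_t>(std::rand() & 0xff);
    return s;
}

// Models a fresh process that never seeds the generator. The C standard
// defines the unseeded state as equivalent to srand(1).
Salt salt_in_fresh_unseeded_process() {
    std::srand(1);
    return salt_from_rand();
}

// 8 bytes from the kernel CSPRNG (assumes a Unix-like system with /dev/urandom).
Salt salt_from_os() {
    Salt s{};
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom.read(reinterpret_cast<char *>(s.data()), s.size()))
        throw std::runtime_error("cannot read /dev/urandom");
    return s;
}

static void print_salt(const char *label, const Salt &s) {
    std::printf("%-22s", label);
    for (auto b : s) std::printf("%02x", static_cast<unsigned>(b));
    std::printf("\n");
}

int main() {
    // Two simulated "runs" of an unseeded process give identical salts.
    print_salt("rand, run 1:", salt_in_fresh_unseeded_process());
    print_salt("rand, run 2:", salt_in_fresh_unseeded_process());
    // Two draws from the OS generator differ.
    print_salt("os, draw 1:", salt_from_os());
    print_salt("os, draw 2:", salt_from_os());
    return 0;
}
```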