Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Invalid
Priority: Not Evaluated
Fix Version/s: None
Affects Version/s: 5.13.1
Component/s: Network: Sockets
Labels:
None

Platform/s:

All

Description

qtbase/src/network/ssl/qsslsocket_qt.cpp contains the code:

static QByteArray _q_PKCS12_salt()
{
    QByteArray salt;
    salt.resize(8);
    for (int i = 0; i < salt.size(); ++i)
        salt[i] = (qrand() & 0xff);
    return salt;
}

The problem is that qrand is a simple wrapper around rand and does not generate cryptographically secure random numbers. I believe this should be replaced with:

static QByteArray _q_PKCS12_salt()
{
    // Note that QRandomGenerator::system() is usually cryptographically safe.
    const quint64 salt = QRandomGenerator::system()->generate64();
    return QByteArray{reinterpret_cast<const char*>(&salt), sizeof(salt)};
}

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Timur Pocheptsov

Reporter:: Martin Bonner

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18 Nov '19 09:45

Updated:: 18 Nov '19 14:54

Resolved:: 18 Nov '19 10:58

Gerrit Reviews

There are no open Gerrit changes