libradius: Rip out dubious use of srandomdev(3)+random(3)

These functions appear to intend to produce unpredictable results. Just use arc4random. While here, use an explicit_bzero instead of memset where the intent is clearly to zero out a secret (clear_passphrase).
2019-12-13 04:55:17 +00:00 · 2019-12-13 04:55:17 +00:00 · 827bab53d3
commit 827bab53d3
parent d335535e7a
1 changed files with 4 additions and 5 deletions
--- a/lib/libradius/radlib.c
+++ b/lib/libradius/radlib.c
@ -79,7 +79,7 @@ static void
 clear_password(struct rad_handle *h)
 {
 	if (h->pass_len != 0) {
-		memset(h->pass, 0, h->pass_len);
+		explicit_bzero(h->pass, h->pass_len);
 		h->pass_len = 0;
 	}
 	h->pass_pos = 0;
@ -852,8 +852,8 @@ rad_create_request(struct rad_handle *h, int code)
 	if (code == RAD_ACCESS_REQUEST) {
 		/* Create a random authenticator */
 		for (i = 0;  i < LEN_AUTH;  i += 2) {
-			long r;
-			r = random();
+			uint32_t r;
+			r = arc4random();
 			h->out[POS_AUTH+i] = (u_char)r;
 			h->out[POS_AUTH+i+1] = (u_char)(r >> 8);
 		}
@ -1051,10 +1051,9 @@ rad_auth_open(void)

 	h = (struct rad_handle *)malloc(sizeof(struct rad_handle));
 	if (h != NULL) {
-		srandomdev();
 		h->fd = -1;
 		h->num_servers = 0;
-		h->ident = random();
+		h->ident = arc4random();
 		h->errmsg[0] = '\0';
 		memset(h->pass, 0, sizeof h->pass);
 		h->pass_len = 0;