----Original Message----
>From: Simon Josefsson
>Message-Id: [EMAIL PROTECTED]

> Hi everyone! I was looking at the code for a TLS implementation, an
> open source implementation "SecureW2" by Alfa & Ariss, see:
>
> http://www.securew2.com/uk/index.htm
>
> I found that it uses weak random numbers when generating the
> pre-master-secret. The code is in "./Components/Common/release
> 3/version 0/source/CommonTLS.c" and quoted below.
>
> It appears to be using the weak srand/rand functions seeded by the
> milliseconds field from the system clock. That doesn't provide you
> with 48 bytes of strong randomness, you are lucky to get even a few
> bytes. I'm not impressed by the modulo 255 operation either!

> //
> // Random bytes
> //
> for( i=2; i < TLS_PMS_SIZE; i++ )
>     pbPMS[i] = ( BYTE ) ( rand() % 255 );

  Both that and the use of rand are indicators of serious lack of
programming skill/experience.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
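
Added example, not part of the original thread or of the SecureW2 source: the quoted srand/rand pattern beside a hardened form that fills the pre-master-secret from the OS CSPRNG, with two checks that show why the weak form fails. Assumptions: the milliseconds field ranges over 0..999, the two version bytes are 0x03 0x01, and the hardened form reads /dev/urandom on a POSIX system (Windows code would call the platform CSPRNG instead); all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TLS_PMS_SIZE 48            /* 2 version bytes + 46 random bytes */
typedef unsigned char BYTE;

/* Weak pattern from the quoted code. The seed is a parameter here so the
 * result is reproducible; assumed range of a milliseconds field: 0..999. */
static void weak_pms(unsigned seed_ms, BYTE *pbPMS) {
    int i;
    pbPMS[0] = 0x03; pbPMS[1] = 0x01;     /* assumed version bytes */
    srand(seed_ms);
    for (i = 2; i < TLS_PMS_SIZE; i++)
        pbPMS[i] = (BYTE)(rand() % 255);  /* remainder is 0..254, never 0xFF */
}

/* Hardened form: 46 bytes from the OS CSPRNG. Returns 0 on success,
 * -1 on failure; the caller must abort the handshake on failure. */
static int strong_pms(BYTE *pbPMS) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n;
    if (!f) return -1;
    pbPMS[0] = 0x03; pbPMS[1] = 0x01;
    n = fread(pbPMS + 2, 1, TLS_PMS_SIZE - 2, f);
    fclose(f);
    return n == (size_t)(TLS_PMS_SIZE - 2) ? 0 : -1;
}

/* 1 if the same seed yields the same secret, i.e. the secret carries no
 * more entropy than the seed (at most 1000 distinct values). */
static int weak_is_reproducible(unsigned seed_ms) {
    BYTE a[TLS_PMS_SIZE], b[TLS_PMS_SIZE];
    weak_pms(seed_ms, a);
    weak_pms(seed_ms, b);
    return memcmp(a, b, TLS_PMS_SIZE) == 0;
}

/* Number of 0xFF bytes produced across every possible millisecond seed. */
static int weak_ff_count(void) {
    BYTE p[TLS_PMS_SIZE];
    unsigned s; int i, n = 0;
    for (s = 0; s < 1000; s++) {
        weak_pms(s, p);
        for (i = 2; i < TLS_PMS_SIZE; i++) n += (p[i] == 0xFF);
    }
    return n;
}

int main(void) {
    BYTE p[TLS_PMS_SIZE];
    printf("reproducible=%d ff_bytes=%d\n", weak_is_reproducible(123), weak_ff_count());
    return strong_pms(p) == 0 ? 0 : 1;
}
```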
