Nmap Development: Re: [Bug]? -iR <num_hosts> on windows XP generates duplicate targets

From: Fyodor <fyodor_at_insecure.org>
Date: Wed, 23 Apr 2008 20:05:39 -0700

On Thu, Apr 24, 2008 at 01:54:45AM +0000, Brandon Enright wrote:
>
> The problem here is that the rng is being seeded with time every time it
> is called.

I don't think it is. Here is the code with more context:

      if (badrandomwarning == 0) {
        badrandomwarning++;
        /* error("WARNING: your system apparently does not offer /dev/urandom or /dev/random. Reverting to less secure version."); */
        
        /* Seed our random generator */
        gettimeofday(&tv, NULL);
        srand((tv.tv_sec ^ tv.tv_usec) ^ getpid());
      }

badrandomwarning is a static variable. So this block should only be
called once. And when I uncomment the error message, I indeed only
see it printed once.

HOWEVER, removing the srand() does seem to fix the issue on Windows.
But I'm not really inclined to do that unless we have to, because I'd
rather the library not require that of callers.

I just tried removing the /dev/random stuff on Linux, and Linux still
seems to generate good IPs using the same srand()/rand() code. So it
may be something specific to Windows or maybe their srand()/rand()
implementation.

I've only had a few minutes to look at this, but it isn't clear what
the problem is.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Apr 23 2008
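
The two hypotheses in this thread, seeding on every call versus seeding once behind a static guard, can be compared with a small harness. This is an added example, not code from the message or from Nmap; the function names and the fixed seed 12345 are hypothetical (the quoted snippet derives its seed from the time and PID), and it makes no claim about how the Windows C runtime behaves.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static int seed_calls = 0; /* number of times srand() actually ran */

/* Fill buf from rand(), one byte per call, so a small RAND_MAX is harmless.
 * reseed = 0: seed once behind a static guard, as in the quoted snippet.
 * reseed = 1: the "seeded on every call" hypothesis.
 * seed is a constructed fixed value (assumption) so runs are repeatable. */
static void fallback_random_bytes(void *buf, size_t n, unsigned seed, int reseed) {
  static int seeded = 0;
  unsigned char *p = buf;
  if (reseed || !seeded) {
    srand(seed);
    seeded = 1;
    seed_calls++;
  }
  for (size_t i = 0; i < n; i++)
    p[i] = (unsigned char)((rand() >> 4) & 0xff);
}

static int cmp_u32(const void *a, const void *b) {
  uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
  return (x > y) - (x < y);
}

/* Count values that repeat an earlier one; sorts v in place. */
static size_t count_duplicates(uint32_t *v, size_t n) {
  size_t dups = 0;
  qsort(v, n, sizeof *v, cmp_u32);
  for (size_t i = 1; i < n; i++)
    if (v[i] == v[i - 1]) dups++;
  return dups;
}

/* Draw n 32-bit values, as -iR does for IPv4 targets, and count repeats. */
static size_t duplicate_targets(size_t n, unsigned seed, int reseed) {
  uint32_t *v = malloc(n * sizeof *v);
  if (!v) return (size_t)-1;
  for (size_t i = 0; i < n; i++)
    fallback_random_bytes(&v[i], sizeof v[i], seed, reseed);
  size_t dups = count_duplicates(v, n);
  free(v);
  return dups;
}

int main(void) {
  printf("seed once: %zu duplicates\n", duplicate_targets(1000, 12345u, 0));
  printf("reseed each call: %zu duplicates\n", duplicate_targets(1000, 12345u, 1));
  return 0;
}
```

Reseeding with an unchanged seed makes every draw identical, so 999 of the 1000 values are duplicates; with the guard, srand() runs exactly once however many times the function is called.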
