nicolasgomollon/ZIPArchive

Insufficient Entropy (CWE ID 331)

Opened this issue · 0 comments

Hi,

When I use your lib (code) in my project and perform a VeraCode scan for
security testing, it finds many flaws. One of the common flaws is "Insufficient
Entropy (CWE ID 331)".

This flaw is in class crypt.h, on lines 113 and 118.

Code is below:

    if (++calls == 1)
    {
        /* flagged: the only seed material is the wall clock, a few bits of entropy at best */
        srand((unsigned)(time(NULL) ^ ZCR_SEED2));
    }
    init_keys(passwd, pkeys, pcrc_32_tab);
    for (n = 0; n < RAND_HEAD_LEN-2; n++)
    {
        /* flagged: rand() is not a CSPRNG, so the header bytes are predictable from the seed */
        c = (rand() >> 7) & 0xff;
        header[n] = (unsigned char)zencode(pkeys, pcrc_32_tab, c, t);
    }

Please update me if any resolution is available for these security flaws, or
advise me if any correction is required.

Thanks in advance.

Original issue reported on code.google.com by shivanig...@gmail.com on 7 Apr 2015 at 11:16
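The example below is added here to illustrate the finding; it is not code from ZIPArchive or minizip. It reproduces the flagged pattern (one `srand()` seeded from a clock value, then `rand()` for each byte of the encryption header) in a small function, shows that the header is fully determined by that clock value, and places next to it a hardened version that fills the header from the operating system's CSPRNG. `RAND_HEAD_LEN` is taken as 12 (minizip's value); the `ZCR_SEED2` constant is recalled from minizip and should be treated as an assumption; `seed_time` stands in for `time(NULL)` so the behaviour can be checked with a fixed, constructed value. The `zencode()` step from the original is left out because it only encrypts the bytes and adds no entropy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values assumed for this example: RAND_HEAD_LEN is 12 in minizip's crypt.h;
 * ZCR_SEED2 is the constant XORed into the seed there (value recalled from
 * minizip, treat it as an assumption). */
#define RAND_HEAD_LEN 12
#define ZCR_SEED2 3141592654UL

/* Mirrors the flagged pattern from the issue: seed the libc PRNG once from a
 * clock value and draw the header bytes with rand(). seed_time stands in for
 * time(NULL) so a fixed value can be fed in. */
void weak_header(unsigned seed_time, unsigned char *header)
{
    srand((unsigned)(seed_time ^ ZCR_SEED2));
    for (int n = 0; n < RAND_HEAD_LEN - 2; n++)
        header[n] = (unsigned char)((rand() >> 7) & 0xff);
}

/* Returns 1 if two headers generated from the same clock value are identical,
 * i.e. the header is a function of the timestamp alone (the CWE-331 finding). */
int weak_header_is_deterministic(unsigned seed_time)
{
    unsigned char a[RAND_HEAD_LEN - 2], b[RAND_HEAD_LEN - 2];
    weak_header(seed_time, a);
    weak_header(seed_time, b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Hardened replacement: fill the header from the OS CSPRNG. On Apple
 * platforms (ZIPArchive's target) arc4random_buf() is available from
 * <stdlib.h>; elsewhere read /dev/urandom. Returns 0 on success and -1 if no
 * secure source could be read, in which case the caller must abort the
 * operation rather than fall back to rand(). */
int strong_header(unsigned char *header, size_t len)
{
#ifdef __APPLE__
    arc4random_buf(header, len);
    return 0;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(header, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
#endif
}

/* Returns 1 if two CSPRNG headers were produced and differ (two equal 10-byte
 * random strings have probability 2^-80, so equality indicates a broken source). */
int strong_header_ok(void)
{
    unsigned char a[RAND_HEAD_LEN - 2], b[RAND_HEAD_LEN - 2];
    if (strong_header(a, sizeof a) != 0 || strong_header(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}

static void hexdump(const char *label, const unsigned char *p, size_t n)
{
    printf("%-8s", label);
    for (size_t i = 0; i < n; i++)
        printf("%02x", p[i]);
    printf("\n");
}

int main(void)
{
    unsigned char h[RAND_HEAD_LEN - 2];
    unsigned fake_time = 1428404160u;   /* constructed timestamp, not a real one */

    weak_header(fake_time, h);
    hexdump("weak:", h, sizeof h);
    weak_header(fake_time, h);
    hexdump("weak:", h, sizeof h);      /* same bytes as the previous line */

    if (strong_header(h, sizeof h) == 0)
        hexdump("strong:", h, sizeof h);
    return 0;
}
```

The two `weak:` lines print identical bytes because everything after `srand()` is a pure function of the seed; a second process started within the same second gets the same header, which is what the scanner is flagging. The hardened function never seeds anything and reports failure instead of degrading, so a caller that cannot obtain secure bytes refuses to encrypt rather than producing a weak archive.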