rand() is used for random number generation.
KeePass Command Line Interface
Brought to you by:
hightowe,
perlsaiyan
Menu
▾
▴
#30 rand() is used for random number generation.
kpcli uses rand() for random number generation, which is not cryptographically secure. See http://perldoc.perl.org/functions/rand.html
Why was this closed, and marked as invalid? Is there something I'm missing about rand() in the code?
The following patch will fix this bug. Requires Math::Random::ISAAC, available as "libmath-random-isaac-perl" on Debian/Ubuntu.
Thanks for the patch. I impemented it, but I made it optional instead of required and did so by inserting this line at about the 85th line of code:
runtime_load_module(\%OPTIONAL_PM,'Math::Random::ISAAC',[qw(rand)]);
This will be part of the next release.
Thanks for implementing the patch. What does it mean to be optional? If the module is installed, it will be used, otherwise it won't?
Yes
Hmm. That's better than nothing, but less than optimal. The goal here is to get a cryptographically secure RNG into the Perl script, seeing as though we're dealing with a cryptographic application.
Upon further investigation, I don't think your patch works as submitted because it appears that the main::rand() is not overridden by Math::Random::ISAAC (see the GVGV::GV lines)...
$ perl -MDevel::Peek -MList::Util=first -e ' print Dump(\&rand) . "\n";'
SV = IV(0x645ee8) at 0x645ef8
REFCNT = 1
FLAGS = (TEMP,ROK)
RV = 0x645cb8
SV = PVCV(0x662318) at 0x645cb8
REFCNT = 2
FLAGS = (DYNFILE)
COMP_STASH = 0x645b20 "main"
ROOT = 0x0
GVGV::GV = 0x664180 "main" :: "rand"
FILE = "-e"
DEPTH = 0
FLAGS = 0x1000
OUTSIDE_SEQ = 0
PADLIST = 0x0
OUTSIDE = 0x0 (null)
$ perl -MDevel::Peek -MList::Util=first -e 'use Math::Random::ISAAC qw(rand); print Dump(\&rand) . "\n";'
SV = IV(0x156aee8) at 0x156aef8
REFCNT = 1
FLAGS = (TEMP,ROK)
RV = 0x156acb8
SV = PVCV(0x1587338) at 0x156acb8
REFCNT = 2
FLAGS = (DYNFILE)
COMP_STASH = 0x156ab20 "main"
ROOT = 0x0
GVGV::GV = 0x1594260 "main" :: "rand"
FILE = "-e"
DEPTH = 0
FLAGS = 0x1000
OUTSIDE_SEQ = 0
PADLIST = 0x0
OUTSIDE = 0x0 (null)
and compare to:
$ perl -MDevel::Peek -MList::Util=first -e 'print Dump(\&localtime) . "\n";'
SV = IV(0x235eee8) at 0x235eef8
REFCNT = 1
FLAGS = (TEMP,ROK)
RV = 0x235ecb8
SV = PVCV(0x237b328) at 0x235ecb8
REFCNT = 2
FLAGS = (DYNFILE)
COMP_STASH = 0x235eb20 "main"
ROOT = 0x0
GVGV::GV = 0x237d190 "main" :: "localtime"
FILE = "-e"
DEPTH = 0
FLAGS = 0x1000
OUTSIDE_SEQ = 0
PADLIST = 0x0
OUTSIDE = 0x0 (null)
$ perl -MDevel::Peek -MList::Util=first -e 'use Time::Piece; print Dump(\&localtime) . "\n";'
SV = IV(0x1abbca8) at 0x1abbcb8
REFCNT = 1
FLAGS = (TEMP,ROK)
RV = 0x1c5abc8
SV = PVCV(0x1c6c958) at 0x1c5abc8
REFCNT = 2
FLAGS = (ANON,CLONED,CVGV_RC,DYNFILE)
COMP_STASH = 0x1b2b898 "Time::Piece"
START = 0x1c2be78 ===> 1
ROOT = 0x1c2ba50
GVGV::GV = 0x1c2a0b0 "Time::Piece" :: "ANON"
FILE = "/usr/lib/perl/5.18/Time/Piece.pm"
DEPTH = 0
FLAGS = 0x14c0
OUTSIDE_SEQ = 812
PADLIST = 0x1c60d30
PADNAME = 0x1c2a020(0x1c13890) PAD = 0x1c5ab80(0x1afeb90)
1. 0x1c29fa8<1> FAKE "$c" flags=0x1 index=1
OUTSIDE = 0x0 (null)
SV = 0
Might be worth reporting to http://www.perlmonks.org/bare/?node_id=465675
Your patch uses Math::Random::ISAAC not Crypt::Random::ISAAC and I can't find Crypt::Random::ISAAC in the wild now, and especially not packaged in Debian.
You're right. I had made the assumption Debian renamed it. But, that doesn't appear to be the case. Found:
Despite it not having the ability to directly overload the rand() function, I figured out how to apply Math::Random::ISAAC as an optional module for kpcli without too much additional code. That feature is in version 3.1, which I just uploaded to SourceForge.