#C,C++# Suggested revision to guideline 4.3 #65
1. Problem description
Even when rand() is seeded with srand(), logic flaws can still arise. For example:
If this random number is used to generate verification codes, the generated random numbers may turn out identical, so several verification codes end up the same, which creates a logic vulnerability.
Moreover, rand() itself is not very random, so the function can simply be banned outright.
2. Proposed solution
The libsodium library provides a set of functions for producing unpredictable data; its random number generation functions can be used to generate secure random numbers,
as in this example (copied from the web, not verified):
#include "sodium.h"

int foo() {
    char myString[32];
    int myInt;

    /* sodium_init() must succeed before any randombytes_* call; fail closed, never fall back to rand() */
    if (sodium_init() < 0) {
        return -1;
    }
    randombytes_buf(myString, 32);
    /* myString will be a string of 32 random bytes */
    myInt = randombytes_uniform(10);
    /* myInt will be a random number between 0 and 9 */
    return myInt;
}
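An added example, not code from the issue author or the guideline project, that shows both halves of the issue: two verification codes built from srand()/rand() within the same second collide, and a replacement that draws from the operating system's CSPRNG and applies the same rejection-sampling idea as randombytes_uniform() to avoid modulo bias. It reads /dev/urandom directly instead of linking libsodium (assumption: a POSIX system), and the fixed-word byte source is a constructed fixture used only to make the rejection step visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* --- The pattern the issue warns about ------------------------------------ */

/* Build a 6-digit verification code the weak way: reseed rand() from a clock
 * value, then take rand() % 1000000. */
void weak_code(unsigned seed, char out[7]) {
    srand(seed);
    snprintf(out, 7, "%06d", rand() % 1000000);
}

/* Two requests handled within the same second get the same seed and therefore
 * the same code. Returns 1 when the codes collide (they always do here). */
int weak_codes_collide(void) {
    unsigned seed = (unsigned)time(NULL);
    char a[7], b[7];
    weak_code(seed, a);
    weak_code(seed, b);
    return strcmp(a, b) == 0;
}

/* --- A CSPRNG-backed replacement ------------------------------------------ */

/* A byte source fills buf with len bytes and returns 0 on success, -1 on failure. */
typedef int (*byte_source)(void *buf, size_t len);

/* Operating-system CSPRNG via /dev/urandom (assumption: a POSIX system).
 * libsodium's randombytes_buf() wraps the platform equivalent of this. */
int os_random_bytes(void *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, len, f);
    fclose(f);
    return n == len ? 0 : -1;
}

/* Constructed deterministic source used only to show the rejection step below:
 * it hands out these 32-bit words in order, then fails. Not a real entropy source. */
static const uint32_t constructed_words[] = { 3u, 12345u, 999999u };
static size_t constructed_pos = 0;

int constructed_source(void *buf, size_t len) {
    if (len != sizeof(uint32_t) ||
        constructed_pos >= sizeof constructed_words / sizeof constructed_words[0]) return -1;
    memcpy(buf, &constructed_words[constructed_pos++], len);
    return 0;
}

void constructed_reset(void) { constructed_pos = 0; }

/* Uniform integer in [0, upper_bound) without modulo bias, following the same
 * rejection-sampling idea as randombytes_uniform(): discard 32-bit words below
 * 2^32 mod upper_bound so every residue class is equally likely.
 * Returns -1 if the byte source fails. */
int64_t uniform_from(byte_source src, uint32_t upper_bound) {
    if (upper_bound < 2) return 0;
    uint32_t min = (uint32_t)(0u - upper_bound) % upper_bound; /* == 2^32 mod upper_bound */
    uint32_t r;
    do {
        if (src(&r, sizeof r) != 0) return -1;
    } while (r < min);
    return (int64_t)(r % upper_bound);
}

/* Secure 6-digit verification code. Returns 0 on success, -1 if no randomness
 * was available (callers must fail closed rather than fall back to rand()). */
int secure_code(byte_source src, char out[7]) {
    int64_t v = uniform_from(src, 1000000u);
    if (v < 0) return -1;
    snprintf(out, 7, "%06lld", (long long)v);
    return 0;
}

int main(void) {
    char code[7];
    printf("weak codes collide within one second: %s\n",
           weak_codes_collide() ? "yes" : "no");
    if (secure_code(os_random_bytes, code) == 0)
        printf("secure code: %s\n", code);
    return 0;
}
```

With the constructed source and an upper bound of 10, the first word (3) is below 2^32 mod 10 = 6 and is rejected, the second (12345) is accepted and yields 5; this is exactly the step that a plain `rand() % 10` skips, which is why the lower residues would otherwise be slightly more likely.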