zmq::generate_random() is called from many places but zmq::seed_random() is never called, meaning zmq::generate_random() calls an unseeded rand() and probably generates the same pseudo-random sequence every time. This may have an impact for example on the ws:// protocol. Moreover, using now() + pid is a poor seed (if zmq::seed_random() is ever called) - should use rand_s() as seed in zmq::seed_random(), or empty zmq::seed_random() and only use rand_s() in zmq::generate_random().
rand_s() incidentally returns a uint32_t, which would avoid the current gymnastics consisting of calling rand() twice. Also, the mere existence of zmq::seed_random()/zmq::generate_random() could be construed as an attempt to get better numbers than rand() - otherwise why not just call rand()? - therefore the second option, a no-op zmq::seed_random() and using rand_s() in zmq::generate_random(), makes sense.
On platforms where rand_s isn't available, maybe use libsodium if configured, at least for the seed, and make sure zmq::seed_random() is called once.
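An added check, not code from libzmq or from the issue's author, that reproduces the failure mode described in the issue and contrasts it with an OS-entropy source: rand_based_random32() is a hypothetical stand-in for a rand()-based zmq::generate_random() (two rand() calls glued into one 32-bit value, never seeded), and std::random_device stands in for the rand_s()/libsodium path the issue proposes.

```cpp
#include <cstdlib>
#include <cstdint>
#include <cstddef>
#include <random>
#include <vector>

// Hypothetical stand-in for an unseeded, rand()-based zmq::generate_random():
// two rand() calls combined into one 32-bit value, with no srand() anywhere.
// C99 7.20.2.2 guarantees that rand() without a prior srand() behaves as if
// srand(1) had been called, so every process emits the identical stream.
static std::uint32_t rand_based_random32()
{
    std::uint32_t hi = static_cast<std::uint32_t>(std::rand()) & 0xffffu;
    std::uint32_t lo = static_cast<std::uint32_t>(std::rand()) & 0xffffu;
    return (hi << 16) | lo;
}

// Collect n values from the rand()-based generator in its current state.
std::vector<std::uint32_t> rand_based_sequence(std::size_t n)
{
    std::vector<std::uint32_t> out;
    for (std::size_t i = 0; i < n; ++i)
        out.push_back(rand_based_random32());
    return out;
}

// Same generator after an explicit srand(seed). Comparing seeded_sequence(1, n)
// with a sequence taken before any srand() call shows that the "unseeded"
// stream is exactly the srand(1) stream, i.e. fully predictable.
std::vector<std::uint32_t> seeded_sequence(unsigned seed, std::size_t n)
{
    std::srand(seed);
    return rand_based_sequence(n);
}

// Stand-in for the rand_s()/libsodium path: std::random_device is backed by
// the OS entropy source on glibc and MSVC (assumption: a non-deterministic
// implementation, which older MinGW builds do not provide).
std::vector<std::uint32_t> csprng_sequence(std::size_t n)
{
    std::random_device rd;
    std::vector<std::uint32_t> out;
    for (std::size_t i = 0; i < n; ++i)
        out.push_back(static_cast<std::uint32_t>(rd()));
    return out;
}
```

The first comparison only holds if nothing else in the process has called rand() before rand_based_sequence(), which is exactly the situation the issue describes for a library that never calls zmq::seed_random().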