misc: Do not call random()

Avoid calling random() and use ssh_get_random() instead.

CID #1412376

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>

src/misc.c

@@ -1749,6 +1749,8 @@ int ssh_tmpname(char *template)
 {
     char *tmp = NULL;
     size_t i = 0;
+    int rc = 0;
+    uint8_t random[6];
 
     if (template == NULL) {
         goto err;
@@ -1767,17 +1769,18 @@ int ssh_tmpname(char *template)
         }
     }
 
-    srand(time(NULL));
+    rc = ssh_get_random(random, 6, 0);
+    if (!rc) {
+        SSH_LOG(SSH_LOG_WARNING,
+                "Could not generate random data\n");
+        goto err;
+    }
 
-    for (i = 0; i < 6; ++i) {
+    for (i = 0; i < 6; i++) {
-#ifdef _WIN32
+        /* Limit the random[i] < 32 */
-        /* in win32 MAX_RAND is 32767, thus we can not shift that far,
+        random[i] &= 0x1f;
-         * otherwise the last three chars are 0 */
+        /* For values from 0 to 9 use numbers, otherwise use letters */
-        int hexdigit = (rand() >> (i * 2)) & 0x1f;
+        tmp[i] = random[i] > 9 ? random[i] + 'a' - 10 : random[i] + '0';
-#else
-        int hexdigit = (rand() >> (i * 5)) & 0x1f;
-#endif
-        tmp[i] = hexdigit > 9 ? hexdigit + 'a' - 10 : hexdigit + '0';
     }
 
     return 0;