authorConrad Meyer <cem@FreeBSD.org>2019-12-13 04:55:17 +0000
committerConrad Meyer <cem@FreeBSD.org>2019-12-13 04:55:17 +0000
commitd449578f86ece07f8f6071bb5a706db44966b585 (patch)
treeab31735e2293e5396b6cda56309fa2c9079c485b /lib/libradius
parentcd5650407e16fa484050560765078c5d755d4bef (diff)
libradius: Rip out dubious use of srandomdev(3)+random(3)
These functions appear to intend to produce unpredictable results. Just use arc4random. While here, use an explicit_bzero instead of memset where the intent is clearly to zero out a secret (clear_passphrase).
Notes
Notes: svn path=/head/; revision=355695
Diffstat (limited to 'lib/libradius')
-rw-r--r--lib/libradius/radlib.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/libradius/radlib.c b/lib/libradius/radlib.c
index 3b6460e26f0d0..e01c486a1ba63 100644
--- a/lib/libradius/radlib.c
+++ b/lib/libradius/radlib.c
@@ -79,7 +79,7 @@ static void
clear_password(struct rad_handle *h)
{
if (h->pass_len != 0) {
- memset(h->pass, 0, h->pass_len);
+ explicit_bzero(h->pass, h->pass_len);
h->pass_len = 0;
}
h->pass_pos = 0;
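Review bot: The new `explicit_bzero` call on the `h->pass` line carries no comment saying why the plain `memset` was not enough, so a later cleanup is likely to "simplify" it back; I would add `/* explicit_bzero: the buffer is dead after this, so a plain memset may be elided by the compiler */` above it. The commit message names the function `clear_passphrase`, while the hunk shows it is `clear_password`. The guard on `pass_len` means only the bytes that were written are cleared, which matches the `pass_len = 0` reset that follows. clear_password's closing brace is outside the hunk.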
@@ -852,8 +852,8 @@ rad_create_request(struct rad_handle *h, int code)
if (code == RAD_ACCESS_REQUEST) {
/* Create a random authenticator */
for (i = 0; i < LEN_AUTH; i += 2) {
- long r;
- r = random();
+ uint32_t r;
+ r = arc4random();
h->out[POS_AUTH+i] = (u_char)r;
h->out[POS_AUTH+i+1] = (u_char)(r >> 8);
}
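Review bot: The loop in rad_create_request still copies only the low 16 bits of each `arc4random()` result into two authenticator bytes, which is correct but keeps a byte-shuffling loop that the new API makes unnecessary; `arc4random_buf(&h->out[POS_AUTH], LEN_AUTH);` fills the authenticator in one call and drops the per-iteration casts and shifts. The cast `(u_char)r` and `(u_char)(r >> 8)` are fine for a `uint32_t`, and the `uint32_t` declaration matches arc4random's return type, so this is a point of style, not correctness. The loop variable `i` is declared outside the hunk, and rad_create_request's body continues past it.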
@@ -1051,10 +1051,9 @@ rad_auth_open(void)
h = (struct rad_handle *)malloc(sizeof(struct rad_handle));
if (h != NULL) {
- srandomdev();
h->fd = -1;
h->num_servers = 0;
- h->ident = random();
+ h->ident = arc4random();
h->errmsg[0] = '\0';
memset(h->pass, 0, sizeof h->pass);
h->pass_len = 0;