From 1b968f8b1b1a76d4f68407840075613fe357859f Mon Sep 17 00:00:00 2001
From: Timerix
Date: Sat, 25 Oct 2025 11:29:45 +0500
Subject: [PATCH] replaced seedFromTime with seedFromSystem

---
 .vscode/c_cpp_properties.json | 1 +
 dependencies/BearSSL | 2 +-
 src/client/ServerConnection.c | 3 +--
 src/cryptography/RSA.c | 4 ++--
 src/cryptography/cryptography.h | 10 ++++++++++
 src/cryptography/rng.c | 10 ++++++++++
 src/main.c | 5 +++++
 7 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/.vscode/c_cpp_properties.json b/.vscode/c_cpp_properties.json
index 99d6d0c..38bc2de 100755
--- a/.vscode/c_cpp_properties.json
+++ b/.vscode/c_cpp_properties.json
@@ -6,6 +6,7 @@
 "includePath": [
 "src",
 "dependencies/BearSSL/inc",
+ "dependencies/BearSSL/src",
 "dependencies/tlibc/include",
 "${default}"
 ],
diff --git a/dependencies/BearSSL b/dependencies/BearSSL
index 3c04036..3d9be2f 160000
--- a/dependencies/BearSSL
+++ b/dependencies/BearSSL
@@ -1 +1 @@
-Subproject commit 3c040368f6791553610e362401db1efff4b4c5b8
+Subproject commit 3d9be2f60b7764e46836514bcd6e453abdfa864a
diff --git a/src/client/ServerConnection.c b/src/client/ServerConnection.c
index c3daad0..0691aa2 100644
--- a/src/client/ServerConnection.c
+++ b/src/client/ServerConnection.c
@@ -56,9 +56,8 @@ Result(ServerConnection*) ServerConnection_open(ClientCredential* client_credent
 conn->session_key = Array_alloc_size(__AES_SESSION_KEY_SIZE);
 br_hmac_drbg_context key_rng = { .vtable = &br_hmac_drbg_vtable };
- rng_init_sha256_seedFromTime(&key_rng.vtable);
+ rng_init_sha256_seedFromSystem(&key_rng.vtable);
 br_hmac_drbg_generate(&key_rng, conn->session_key.data, conn->session_key.size);
- // TODO: add more entropy to the key to prevent easy key cracking when attacker knows the time when connection request was sent to a server
 printf("connecting to server %s\n", server_link_cstr);
 try(conn->system_socket, i, socket_open_TCP());
diff --git a/src/cryptography/RSA.c b/src/cryptography/RSA.c
index 739e437..a403cf4 100644
--- a/src/cryptography/RSA.c
+++ b/src/cryptography/RSA.c
@@ -36,7 +36,7 @@ Result(void) RSA_generateKeyPairFromTime(u32 key_size,
 {
 Deferral(8);
 br_hmac_drbg_context time_based_rng = { .vtable = &br_hmac_drbg_vtable };
- rng_init_sha256_seedFromTime(&time_based_rng.vtable);
+ rng_init_sha256_seedFromSystem(&time_based_rng.vtable);
 try_void(RSA_generateKeyPair(key_size, sk, pk, &time_based_rng.vtable));
 Return RESULT_VOID;
 }
@@ -176,7 +176,7 @@ Result(void) RSA_parsePrivateKey_base64(const str src, br_rsa_private_key* sk){
 void EncryptorRSA_construct(EncryptorRSA* ptr, const br_rsa_public_key* pk){
 ptr->pk = pk;
 ptr->rng.vtable = &br_hmac_drbg_vtable;
- rng_init_sha256_seedFromTime(&ptr->rng.vtable);
+ rng_init_sha256_seedFromSystem(&ptr->rng.vtable);
 }
 void EncryptorRSA_encrypt(EncryptorRSA* ptr, Array(u8) src, Array(u8) dst, u32* encrypted_size){
diff --git a/src/cryptography/cryptography.h b/src/cryptography/cryptography.h
index 1df31b9..d053995 100755
--- a/src/cryptography/cryptography.h
+++ b/src/cryptography/cryptography.h
@@ -24,6 +24,16 @@ void hash_password(Array(u8) password, u8* out_buffer, i32 iterations);
 // rng.c //
 //////////////////////////////////////////////////////////////////////////////
+/// @brief Initialize prng context with sha256 hashing algorithm
+/// and seed from system-provided cryptographic random bytes source.
+/// @param rng_vtable_ptr pointer to vtable field in prng context. The field must be initialized.
+/// EXAMPLE:
+/// ```
+/// br_hmac_drbg_context rng_ctx = { .vtable = &br_hmac_drbg_vtable };
+/// rng_init_sha256_seedFromTime(&rng_ctx.vtable);
+/// ```
+void rng_init_sha256_seedFromSystem(const br_prng_class** rng_vtable_ptr);
+
 /// @brief Initialize prng context with sha256 hashing algorithm and seed from CLOCK_REALTIME.
 /// @param rng_vtable_ptr pointer to vtable field in prng context. The field must be initialized.
 /// EXAMPLE:
diff --git a/src/cryptography/rng.c b/src/cryptography/rng.c
index 7fe2031..0865116 100644
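Review bot: After this hunk `RSA_generateKeyPairFromTime` no longer seeds from the clock, yet its name and the local `time_based_rng` still say it does, which will mislead the next reader about where the key-generation entropy comes from. Renaming the local is contained within the hunk (`br_hmac_drbg_context rng = { .vtable = &br_hmac_drbg_vtable };` and the two uses below it); the function name is declared in the header and has callers outside this patch, so if it cannot be renamed now, at least its declaration should state that it seeds from the system seeder. The function's signature is on the hunk-header line, above the hunk; the same naming point does not apply to the second hunk, where `EncryptorRSA_construct` carries no time-related name.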
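Review bot: The EXAMPLE in the new doc comment for `rng_init_sha256_seedFromSystem` calls the wrong function: `/// rng_init_sha256_seedFromTime(&rng_ctx.vtable);` should read `/// rng_init_sha256_seedFromSystem(&rng_ctx.vtable);`, otherwise anyone copying the example gets the clock-seeded variant this commit is moving away from. The declaration of `rng_init_sha256_seedFromTime` is kept although the patch removes its last in-tree callers; a line such as `/// @deprecated CLOCK_REALTIME is a guessable seed; use rng_init_sha256_seedFromSystem.` on that declaration would steer new code away from it without breaking anything.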
--- a/src/cryptography/rng.c
+++ b/src/cryptography/rng.c
@@ -1,8 +1,18 @@
 #include "cryptography.h"
 #include "tlibc/time.h"
+#include "assert.h"
 void rng_init_sha256_seedFromTime(const br_prng_class** rng_vtable_ptr){
 nsec_t time_now = getTimeNsec();
 const br_prng_class* rng_vtable = *rng_vtable_ptr;
 rng_vtable->init(rng_vtable_ptr, &br_sha256_vtable, &time_now, sizeof(time_now));
 }
+
+void rng_init_sha256_seedFromSystem(const br_prng_class** rng_vtable_ptr){
+ br_prng_seeder seeder = br_prng_seeder_system(NULL);
+ assert(seeder != NULL && "Can't get system random seeder. Bearssl is compiled incorrectly.");
+
+ const br_prng_class* rng_vtable = *rng_vtable_ptr;
+ rng_vtable->init(rng_vtable_ptr, &br_sha256_vtable, NULL, 0);
+ seeder(rng_vtable_ptr);
+}
diff --git a/src/main.c b/src/main.c
index db23bbf..626ec6f 100755
--- a/src/main.c
+++ b/src/main.c
@@ -13,6 +13,11 @@ typedef enum ProgramMode {
 int main(const int argc, cstr const* argv){
 Deferral(32);
+ if(br_prng_seeder_system(NULL) == NULL){
+ printfe("Can't get system random seeder. Bearssl is compiled incorrectly.");
+ return 1;
+ }
+
 ProgramMode mode = Client;
 cstr server_endpoint_cstr;
 u32 key_size = 0;
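Review bot: The result of `seeder(rng_vtable_ptr);` is discarded, but a BearSSL `br_prng_seeder` returns 0 when it cannot read the OS entropy source; the context was initialised one line earlier with `NULL, 0`, so on that path it stays an empty-seeded HMAC_DRBG and `ServerConnection_open` (session key) and both RSA.c callers would draw fully predictable output with no error reported. The NULL check on `seeder` is an `assert`, which is compiled out under NDEBUG and then leaves a call through a null pointer in release builds; the startup probe added in the main.c hunk only proves a seeder function is linked, not that a later read succeeds. The function's interface is void, so the smallest safe change is to make both failures fatal inside it rather than continue with an unseeded generator; this needs `<stdlib.h>` for `abort()` and assumes `printfe` is visible here as it is in main.c.
```c
void rng_init_sha256_seedFromSystem(const br_prng_class** rng_vtable_ptr){
    br_prng_seeder seeder = br_prng_seeder_system(NULL);
    // Checked unconditionally: assert() vanishes under NDEBUG and the DRBG
    // must never be handed out unseeded.
    if(seeder == NULL){
        printfe("Can't get system random seeder. Bearssl is compiled incorrectly.");
        abort();
    }

    const br_prng_class* rng_vtable = *rng_vtable_ptr;
    rng_vtable->init(rng_vtable_ptr, &br_sha256_vtable, NULL, 0);
    // The seeder returns 0 when the OS entropy source cannot be read; the
    // context would then be a deterministic, empty-seeded HMAC_DRBG.
    if(!seeder(rng_vtable_ptr)){
        printfe("Can't read random bytes from the system seeder.");
        abort();
    }
}
```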