5 files changed, 14 insertions, 15 deletions

diff --git a/src/websockets/qdefaultmaskgenerator_p.cpp b/src/websockets/qdefaultmaskgenerator_p.cpp
index 1035e8f..7763868 100644
--- a/src/websockets/qdefaultmaskgenerator_p.cpp
+++ b/src/websockets/qdefaultmaskgenerator_p.cpp
@@ -48,7 +48,7 @@
     malicious scripts to attack bad behaving proxies.
     For more information about the importance of good masking,
     see \l {"Talking to Yourself for Fun and Profit" by Lin-Shung Huang et al}.
-    The default mask generator uses the cryptographically insecure qrand() function.
+    The default mask generator uses the reasonably secure QRandomGenerator::global()->generate() function.
     The best measure against attacks mentioned in the document above,
     is to use QWebSocket over a secure connection (\e wss://).
     In general, always be careful to not have 3rd party script access to
@@ -58,8 +58,7 @@
 */
 
 #include "qdefaultmaskgenerator_p.h"
-#include <QDateTime>
-#include <limits>
+#include <QRandomGenerator>
 
 QT_BEGIN_NAMESPACE
 
@@ -83,25 +82,26 @@ QDefaultMaskGenerator::~QDefaultMaskGenerator()
 }
 
 /*!
-    Seeds the QDefaultMaskGenerator using qsrand().
-    When seed() is not called, no seed is used at all.
-
     \internal
 */
 bool QDefaultMaskGenerator::seed() Q_DECL_NOEXCEPT
 {
-    qsrand(static_cast<uint>(QDateTime::currentMSecsSinceEpoch()));
     return true;
 }
 
 /*!
-    Generates a new random mask using the insecure qrand() method.
+    Generates a new random mask using the insecure QRandomGenerator::global()->generate() method.
 
     \internal
 */
 quint32 QDefaultMaskGenerator::nextMask() Q_DECL_NOEXCEPT
 {
-    return quint32((double(qrand()) / RAND_MAX) * std::numeric_limits<quint32>::max());
+    quint32 value = QRandomGenerator::global()->generate();
+    while (Q_UNLIKELY(value == 0)) {
+        // a mask of zero has a special meaning
+        value = QRandomGenerator::global()->generate();
+    }
+    return value;
 }
 
 QT_END_NAMESPACE
diff --git a/src/websockets/qmaskgenerator.cpp b/src/websockets/qmaskgenerator.cpp
index 064ada2..40f8594 100644
--- a/src/websockets/qmaskgenerator.cpp
+++ b/src/websockets/qmaskgenerator.cpp
@@ -50,7 +50,7 @@
     malicious scripts from attacking badly behaving proxies.
     For more information about the importance of good masking,
     see \l {"Talking to Yourself for Fun and Profit" by Lin-Shung Huang et al}.
-    By default QWebSocket uses the cryptographically insecure qrand() function.
+    By default QWebSocket uses the reasonably secure QRandomGenerator::global()->generate() function.
     The best measure against attacks mentioned in the document above,
     is to use QWebSocket over a secure connection (\e wss://).
     In general, always be careful to not have 3rd party script access to
diff --git a/src/websockets/qwebsocket.cpp b/src/websockets/qwebsocket.cpp
index ba343e4..de5ac22 100644
--- a/src/websockets/qwebsocket.cpp
+++ b/src/websockets/qwebsocket.cpp
@@ -63,8 +63,8 @@
     In that case, non-secure WebSocket connections fail. The best way to mitigate against
     this problem is to use WebSocket over a secure connection.
 
-    \warning To generate masks, this implementation of WebSockets uses the cryptographically
-    insecure qrand() function.
+    \warning To generate masks, this implementation of WebSockets uses the reasonably
+    secure QRandomGenerator::global()->generate() function.
     For more information about the importance of good masking,
     see \l {"Talking to Yourself for Fun and Profit" by Lin-Shung Huang et al}.
     The best measure against attacks mentioned in the document above,
diff --git a/src/websockets/qwebsocket_p.cpp b/src/websockets/qwebsocket_p.cpp
index bee2afa..1d23c84 100644
--- a/src/websockets/qwebsocket_p.cpp
+++ b/src/websockets/qwebsocket_p.cpp
@@ -1014,7 +1014,7 @@ void QWebSocketPrivate::processHandshake(QTcpSocket *pSocket)
                 if (!ok)
                     errorDescription =
                       QWebSocket::tr("Accept-Key received from server %1 does not match the client key %2.")
-                            .arg(acceptKey).arg(accept);
+                            .arg(acceptKey, accept);
             } else {
                 errorDescription =
                     QWebSocket::tr("QWebSocketPrivate::processHandshake: Invalid statusline in response: %1.")
diff --git a/src/websockets/qwebsocketserver.h b/src/websockets/qwebsocketserver.h
index f846290..9dc286b 100644
--- a/src/websockets/qwebsocketserver.h
+++ b/src/websockets/qwebsocketserver.h
@@ -65,8 +65,6 @@ class Q_WEBSOCKETS_EXPORT QWebSocketServer : public QObject
     Q_DISABLE_COPY(QWebSocketServer)
     Q_DECLARE_PRIVATE(QWebSocketServer)
 
-    Q_ENUMS(SslMode)
-
 public:
     enum SslMode {
 #ifndef QT_NO_SSL
@@ -74,6 +72,7 @@ public:
 #endif
         NonSecureMode = 1
     };
+    Q_ENUM(SslMode)
 
     explicit QWebSocketServer(const QString &serverName, SslMode secureMode,
                               QObject *parent = Q_NULLPTR);