Bug:
srandomdev() can't be used in libraries because it touch internal RNG
state which may be used by user program which not want true randomness but
pseudo one.
Fix:
srandomdev() removed, random() replaced by arc4random() which initialize
itself from true randomness automatically.
--- pam_unix.c.old Sat Jan 19 21:29:49 2002
+++ pam_unix.c Sun Jan 20 21:42:47 2002
@@ -502,15 +502,14 @@
syslog(LOG_ERR, "cannot set password cipher");
login_close(lc);
/* Salt suitable for anything */
- srandomdev();
gettimeofday(&tv, 0);
- to64(&salt[0], random(), 3);
+ to64(&salt[0], arc4random(), 3);
to64(&salt[3], tv.tv_usec, 3);
to64(&salt[6], tv.tv_sec, 2);
- to64(&salt[8], random(), 5);
- to64(&salt[13], random(), 5);
- to64(&salt[17], random(), 5);
- to64(&salt[22], random(), 5);
+ to64(&salt[8], arc4random(), 5);
+ to64(&salt[13], arc4random(), 5);
+ to64(&salt[17], arc4random(), 5);
+ to64(&salt[22], arc4random(), 5);
salt[27] = '\0';
pwd->pw_passwd = crypt(pass, salt);
@@ -596,15 +595,14 @@
syslog(LOG_ERR, "cannot set password cipher");
login_close(lc);
/* Salt suitable for anything */
- srandomdev();
gettimeofday(&tv, 0);
- to64(&salt[0], random(), 3);
+ to64(&salt[0], arc4random(), 3);
to64(&salt[3], tv.tv_usec, 3);
to64(&salt[6], tv.tv_sec, 2);
- to64(&salt[8], random(), 5);
- to64(&salt[13], random(), 5);
- to64(&salt[17], random(), 5);
- to64(&salt[22], random(), 5);
+ to64(&salt[8], arc4random(), 5);
+ to64(&salt[13], arc4random(), 5);
+ to64(&salt[17], arc4random(), 5);
+ to64(&salt[22], arc4random(), 5);
salt[27] = '\0';
if (suser_override)
--
Andrey A. Chernov
http://ache.pp.ru/
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
