Date: Wed, 6 Feb 2002 01:04:21 +0300
From: "Andrey A. Chernov"
To: Alfred Perlstein
Cc: Mark Murray, des@freebsd.org, cvs-committers@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.c
Message-ID: <20020205220421.GC8579@nagual.pp.ru>
In-Reply-To: <20020205135820.U59017@elvis.mu.org>

On Tue, Feb 05, 2002 at 13:58:20 -0800, Alfred Perlstein wrote:
> >
> > My patch for this thing just literally replaces random() with
> > arc4random() and removes srandomdev().
>
> this makes sense, what is the problem with doing so?

Mark initially said that the pam_unix code does not need true cryptographic
randomness and that a simpler salt formula can be used. He promised to come
up with a fix. But in his fix he just removed srandomdev() and left random()
in place, causing the bug I demonstrate now.

I see absolutely no advantage in using random() (deprecated in libraries)
for the salt instead of the safe arc4random(), as in my patch.

-- 
Andrey A. Chernov
http://ache.pp.ru/
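The failure mode under discussion, as an added example (not code from this message or from pam_unix): random() with no srandomdev()/srandom() call starts from the default seed of 1 in every process, so the first salt it yields is always the same, while arc4random() needs no seeding call. The salt length, alphabet and function names are assumptions, and the getrandom() fallback only stands in for arc4random() on glibc older than 2.36.

```c
#define _DEFAULT_SOURCE            /* expose random()/arc4random() on glibc */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__GLIBC__) && !__GLIBC_PREREQ(2, 36)
#include <sys/random.h>
/* Stand-in for older glibc, which lacks arc4random(): kernel CSPRNG. */
static uint32_t arc4random(void) {
    uint32_t v;
    if (getrandom(&v, sizeof v, 0) != (ssize_t)sizeof v) abort();
    return v;
}
#endif

#define SALT_LEN 8                 /* assumed salt length */
static const char itoa64[] =       /* assumed crypt-style salt alphabet */
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Salt drawn from random(); nothing here seeds the generator. */
static void salt_random(char out[SALT_LEN + 1]) {
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = itoa64[random() & 0x3f];
    out[SALT_LEN] = '\0';
}

/* Salt drawn from arc4random(), which needs no seeding call. */
static void salt_arc4random(char out[SALT_LEN + 1]) {
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = itoa64[arc4random() & 0x3f];
    out[SALT_LEN] = '\0';
}

/* Emulate a new process: unseeded random() acts as if srandom(1) was called. */
static void first_salt_of_fresh_process(char out[SALT_LEN + 1]) {
    srandom(1);
    salt_random(out);
}

int main(void) {
    char a[SALT_LEN + 1], b[SALT_LEN + 1], c[SALT_LEN + 1], d[SALT_LEN + 1];
    first_salt_of_fresh_process(a);
    first_salt_of_fresh_process(b);
    salt_arc4random(c);
    salt_arc4random(d);
    printf("random():     %s %s (same: %d)\n", a, b, strcmp(a, b) == 0);
    printf("arc4random(): %s %s (same: %d)\n", c, d, strcmp(c, d) == 0);
    return 0;
}
```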