Date: Wed, 6 Feb 2002 01:04:21 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Alfred Perlstein <bright@mu.org>
Cc: Mark Murray <mark@grondar.za>, des@freebsd.org, cvs-committers@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.c
Message-ID: <20020205220421.GC8579@nagual.pp.ru>
In-Reply-To: <20020205135820.U59017@elvis.mu.org>
References: <20020205184059.GA6785@nagual.pp.ru> <200202051949.g15Jnhs12003@greenpeace.grondar.org> <20020205205907.GA8005@nagual.pp.ru> <20020205214703.GA8579@nagual.pp.ru> <20020205134833.T59017@elvis.mu.org> <20020205215540.GB8579@nagual.pp.ru> <20020205135820.U59017@elvis.mu.org>

On Tue, Feb 05, 2002 at 13:58:20 -0800, Alfred Perlstein wrote:
> >
> > My patch for this thing just literally replace random() with
> > arc4random() and remove srandomdev().
>
> this makes sense, what is the problem with doing so?

Mark initially said that pam_unix code does not need true cryptographical
randomness and simpler salt formulae can be used. He promised to come up
with a fix. But in his fix he just removed srandomdev() and left random()
in place, which causes the bug I demonstrate now. I see absolutely no
advantage in using random() (deprecated in libraries) for salt instead of
safe arc4random() like in my patch.

--
Andrey A. Chernov
http://ache.pp.ru/
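
Added example, not part of the message above and not code from the FreeBSD tree: random() with no seeding call starts every process from the same default state (POSIX: as if srandom(1) had been called), so a salt drawn from it repeats, while a CSPRNG source does not. The function names, the 8-character salt and the /dev/urandom fallback for systems whose libc lacks arc4random() are assumptions of this sketch; srandom(1) stands in for a fresh process start.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* random()/srandom() prototypes under strict -std= */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SALT_LEN 8          /* assumed salt length for this sketch */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* 32 unpredictable bits: arc4random() where libc has it, else the kernel CSPRNG. */
static uint32_t csprng32(void) {
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return arc4random();
#else
    uint32_t v;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&v, sizeof v, 1, f) != 1)
        abort();            /* never fall back to a guessable salt */
    fclose(f);
    return v;
#endif
}

/* random() with no srandomdev()/srandom() call before it. */
static uint32_t weak32(void) { return (uint32_t)random(); }

/* Build a salt in the crypt(3) alphabet, 6 bits per character. */
static void make_salt(char out[SALT_LEN + 1], uint32_t (*rng)(void)) {
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = itoa64[rng() & 0x3f];
    out[SALT_LEN] = '\0';
}

/* Returns 1 if two simulated fresh processes get the same salt from rng. */
int salts_repeat(uint32_t (*rng)(void)) {
    char a[SALT_LEN + 1], b[SALT_LEN + 1];
    srandom(1); make_salt(a, rng);   /* process 1: default random() state */
    srandom(1); make_salt(b, rng);   /* process 2: default random() state */
    return strcmp(a, b) == 0;
}

int main(void) {
    printf("unseeded random() salts repeat: %d\n", salts_repeat(weak32));
    printf("CSPRNG salts repeat:            %d\n", salts_repeat(csprng32));
    return 0;
}
```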