Date:      Tue, 5 Feb 2002 14:10:29 -0800
From:      Alfred Perlstein <bright@mu.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Mark Murray <mark@grondar.za>, des@freebsd.org, cvs-committers@freebsd.org, cvs-all@freebsd.org
Subject:   Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.c
Message-ID:  <20020205141029.V59017@elvis.mu.org>
In-Reply-To: <20020205220421.GC8579@nagual.pp.ru>; from ache@nagual.pp.ru on Wed, Feb 06, 2002 at 01:04:21AM +0300
References:  <20020205184059.GA6785@nagual.pp.ru> <200202051949.g15Jnhs12003@greenpeace.grondar.org> <20020205205907.GA8005@nagual.pp.ru> <20020205214703.GA8579@nagual.pp.ru> <20020205134833.T59017@elvis.mu.org> <20020205215540.GB8579@nagual.pp.ru> <20020205135820.U59017@elvis.mu.org> <20020205220421.GC8579@nagual.pp.ru>

* Andrey A. Chernov <ache@nagual.pp.ru> [020205 14:04] wrote:
> On Tue, Feb 05, 2002 at 13:58:20 -0800, Alfred Perlstein wrote:
> > > 
> > > My patch for this thing just literally replaces random() with 
> > > arc4random() and removes srandomdev().
> > 
> > this makes sense, what is the problem with doing so?
> 
> Mark initially said that the pam_unix code does not need true cryptographical
> randomness and simpler salt formulae can be used. He promised to come
> with a fix. But in his fix he just removed srandomdev() and left random() in
> place, which causes the bug I demonstrate now. I see absolutely no advantage in
> using random() (deprecated in libraries) for salt instead of the safe
> arc4random() as in my patch.

Mark, can you comment?  I've read that you said an application
shouldn't depend on state of random() when making pam calls, but
this doesn't sound very good, it should at least be documented,
better yet avoided...

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
 start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/
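
The two concerns raised in this thread, as an added example that is not part of the original message or of the FreeBSD source: a salt drawn from random() without srandomdev() repeats in every fresh process, and a library that calls random() shifts the calling application's random() sequence. The function names, the 8-character salt and the /dev/urandom read (a portable stand-in for the arc4random() call proposed in the thread) are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* expose random()/srandom() under strict -std= modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SALT_LEN 8        /* assumed salt length for this sketch */
static const char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Weak: salt from random() with no srandomdev(); draws from the caller's PRNG state. */
static void salt_weak(char *out) {
    for (int i = 0; i < SALT_LEN; i++) out[i] = itoa64[random() & 63];
    out[SALT_LEN] = '\0';
}

/* Hardened: kernel entropy (stand-in for arc4random()); never touches random(). */
static int salt_strong(char *out) {
    unsigned char buf[SALT_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf) return -1;
    for (int i = 0; i < SALT_LEN; i++) out[i] = itoa64[buf[i] & 63];
    out[SALT_LEN] = '\0';
    return 0;
}

/* POSIX: srandom(1) reproduces the never-seeded default state, i.e. a fresh process. */
static int weak_salt_repeats(void) {
    char a[SALT_LEN + 1], b[SALT_LEN + 1];
    srandom(1); salt_weak(a);
    srandom(1); salt_weak(b);
    return strcmp(a, b) == 0;   /* 1: every unseeded process gets the same salt */
}

/* Returns 1 if generating a salt changes the application's next random() value. */
static int disturbs_app_stream(int use_strong) {
    char s[SALT_LEN + 1];
    srandom(42); long expected = random();   /* app's next value if left alone */
    srandom(42);                             /* rewind, then let the "library" run */
    if (use_strong) { if (salt_strong(s) != 0) return -1; } else salt_weak(s);
    return random() != expected;
}

int main(void) {
    printf("weak repeats=%d weak disturbs=%d strong disturbs=%d\n",
           weak_salt_repeats(), disturbs_app_stream(0), disturbs_app_stream(1));
    return 0;
}
```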
