On Thu, Apr 09, 2009 at 10:22:40PM +0200, Marco d'Itri wrote:
> > Additionally, the code is buggy and not very random:
> >
> >   srand(time(NULL) + getpid());
> >
> > This needs to at least use /dev/urandom, or sec+usec as done in shadow.
> Initializing the rand(3) seed with the time and maybe the PID is a
> common technique.
> The result is only used to generate the salt, and I see no reason why
> it needs to be cryptographically strong random. Do you?
Yes, because it defeats the purpose of creating a random salt. The salt is
there to make it harder to generate precalculated "rainbow" tables. If the
salt is predictable (since the range of time() and getpid() is small compared
to other possible inputs), this makes the resulting hashes generated by
mkpasswd weaker.

To quote the srand manpage: "These sequences are repeatable by calling srand()
with the same seed value."

Since getpid will always be <32768, it hardly adds any real entropy to the
time() output (basically +/- 5 hours). While all the possible salts across a
given year are a lot (31536000 possible seeds in a year), it's still 2 orders
of magnitude lower entropy than the range allowed by srand for seeding the
PRNG (2^32 == 4294967296).

-- 
Kees Cook @debian.org
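The two approaches discussed in the thread, side by side, as an added example that is not code from the bug report or from mkpasswd itself: salt_from_seed() reproduces the srand(time()+getpid()) pattern so the repeatability Kees quotes from the manpage can be observed directly, and strong_salt() is the /dev/urandom replacement Marco's critic asked for. The 64-character crypt(3) salt alphabet is real; the function names, the 8/16-character lengths and the salt_is_valid() checker are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* The 64-character alphabet that crypt(3) salts are drawn from. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Weak pattern from the thread: every salt is a pure function of the seed.
 * Given the same seed, rand() replays the same sequence, which is exactly
 * what the srand(3) manpage says and why a seed drawn from a small range
 * (time() plus a pid below 32768) gives a predictable salt. */
void salt_from_seed(unsigned int seed, char *out, size_t len)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        out[i] = SALT_CHARS[rand() % 64];
    out[len] = '\0';
}

/* The exact seeding the bug report objects to, kept for comparison. */
void weak_salt(char *out, size_t len)
{
    salt_from_seed((unsigned int)(time(NULL) + getpid()), out, len);
}

/* Hardened variant: salt bytes come from the kernel CSPRNG via /dev/urandom.
 * Returns 0 on success, -1 if the device cannot be read or len is too large.
 * 256 is a multiple of 64, so raw[i] % 64 introduces no modulo bias. */
int strong_salt(char *out, size_t len)
{
    unsigned char raw[64];
    if (len > sizeof raw)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(raw, 1, len, f);
    fclose(f);
    if (got != len)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = SALT_CHARS[raw[i] % 64];
    out[len] = '\0';
    return 0;
}

/* Checker for either generator: right length, only salt-alphabet characters. */
int salt_is_valid(const char *salt, size_t expected_len)
{
    if (strlen(salt) != expected_len)
        return 0;
    for (size_t i = 0; i < expected_len; i++)
        if (strchr(SALT_CHARS, salt[i]) == NULL)
            return 0;
    return 1;
}

int main(void)
{
    char a[9], b[9], s[17];

    /* Same seed, same salt: the repeatability the manpage warns about. */
    salt_from_seed(1239308560u, a, 8);   /* constructed seed value */
    salt_from_seed(1239308560u, b, 8);
    printf("weak, seed replayed twice: %s %s (%s)\n", a, b,
           strcmp(a, b) == 0 ? "identical" : "different");

    weak_salt(a, 8);
    printf("weak, time()+getpid():     %s\n", a);

    if (strong_salt(s, 16) == 0)
        printf("strong, /dev/urandom:      %s\n", s);
    else
        fprintf(stderr, "could not read /dev/urandom\n");
    return 0;
}
```

Running it twice in the same second with the same pid would print the same weak salt, whereas the /dev/urandom salt changes on every call; that difference is the whole argument of the reply above.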