[Pkg-shadow-devel] Bug#677275: passwd: RAND_MAX is for rand() only, and on some systems random() can exceed RAND_MAX
Nicolas François
nicolas.francois at centraliens.net
Mon Aug 5 12:26:56 UTC 2013
Hello,
On Wed, Jun 13, 2012 at 02:16:56PM +0300, Alexander Gattin wrote:
>
> Probably, we should use RAND_MAX on GNU (both
> Linux and Hurd), and 0x7fffffff on all other
> systems?
Lets just assume we cannot assume anything.
random() is used to compute the size of salt and number of rounds for SHA
encrypted passwords.
I introduced a RANDOM_MAX set to 0x7FFFFFFF (this seems to be valid for
all the mentioned systems anyway)
If random() returns an higher value, I will use the biggest salt or max
number of rounds.
If random() has a lower max value, I will favor higher numbers by counting
down from the max value instead of adding to the min value.
This will be a flawed random, but will favor the biggest salt with the
highest number of rounds (i.e. when the rainbow tables will be the most
difficult to compute).
I applied the attached patch.
Does it sounds OK to both of you?
Best Regards,
--
Nekral
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shadow_debian_677275.patch
Type: text/x-diff
Size: 3215 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20130805/2c59445c/attachment.patch>
More information about the Pkg-shadow-devel
mailing list