+2008-02-03 Nicolas François <nicolas.francois@centraliens.net>
+
+ * NEWS, libmisc/salt.c: Do not seed the random number generator
+ each time, and use the time in microseconds to avoid having the
+ same salt for different passwords generated in the same second.
+ This permits to avoid using the same salt for different passwords
+ in newusers.
+
2008-02-03 Nicolas François <nicolas.francois@centraliens.net>
* lib/pwio.c, lib/pwio.h: New function to find an user by
shadow-4.1.0 -> shadow-4.1.1 UNRELEASED
*** general:
+- security
+ * Do not seed the random number generator each time, and use the time in
+ microseconds to avoid having the same salt for different passwords
+ generated in the same second.
- packaging
* Do not install the shadow library per default.
- chage
* The new users are no more added to the list of members of their groups
because the membership is already set by their primary group.
* Added support for gshadow.
+ * Avoid using the same salt for different passwords.
- passwd
* Make sure that no more than one username argument was provided.
- pwck
#ifndef HAVE_L64A
char *l64a(long value);
#endif
+static void seedRNG (void);
static char *gensalt (unsigned int salt_size);
#ifdef USE_SHA_CRYPT
static unsigned int SHA_salt_size (void);
}
#endif /* !HAVE_L64A */
+static void seedRNG (void)
+{
+ struct timeval tv;
+ static int seeded = 0;
+
+ if (0 == seeded) {
+ gettimeofday(&tv, NULL);
+ srandom (tv.tv_sec + tv.tv_usec);
+ seeded = 1;
+ }
+}
+
/*
* Add the salt prefix.
*/
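Review bot: In seedRNG the seed `tv.tv_sec + tv.tv_usec` still comes only from the clock, and because the two fields are added, distinct instants collide (one second later and one microsecond earlier give the same sum), so two processes started close together can draw the same salt sequence. Mixing in the process id, `srandom (tv.tv_sec ^ tv.tv_usec ^ getpid ());`, makes that much less likely; the headers this needs are not visible in the hunk, so check they are included. random() remains a non-cryptographic generator whose output is fully determined by this seed, so where a kernel source such as /dev/urandom is available it is the better basis for salts. The return value of gettimeofday() is ignored, which leaves `tv` uninitialised if the call fails; `if (gettimeofday (&tv, NULL) != 0) { tv.tv_sec = time (NULL); tv.tv_usec = 0; }` would keep the seed defined. A short header comment such as `/* Seed random() once per process so successive salts differ. */` would record why `seeded` is static.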
assert (salt_size >= MIN_SALT_SIZE &&
salt_size <= MAX_SALT_SIZE);
- srandom ((unsigned int)time(NULL));
+ seedRNG ();
strcat (salt, l64a (random()));
do {
strcat (salt, l64a (random()));