Do not seed the random number generator each time, and use the time in

microseconds to avoid having the same salt for different passwords generated in the same second. This permits to avoid using the same salt for different passwords in newusers.
2008-02-03 17:23:58 +00:00 · 2008-02-03 17:23:58 +00:00 · 65ed10d75c
commit 65ed10d75c
parent aed929ae90
3 changed files with 27 additions and 1 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2008-02-03  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, libmisc/salt.c: Do not seed the random number generator
+	each time, and use the time in microseconds to avoid having the
+	same salt for different passwords generated in the same second.
+	This permits to avoid using the same salt for different passwords
+	in newusers.
+
 2008-02-03  Nicolas François  <nicolas.francois@centraliens.net>

 	* lib/pwio.c, lib/pwio.h: New function to find an user by
--- a/5
+++ b/5
@ -3,6 +3,10 @@ $Id$
 shadow-4.1.0 -> shadow-4.1.1						UNRELEASED

 *** general:
+- security
+  * Do not seed the random number generator each time, and use the time in
+    microseconds to avoid having the same salt for different passwords
+    generated in the same second.
 - packaging
  * Do not install the shadow library per default.
 - chage
@ -29,6 +33,7 @@ shadow-4.1.0 -> shadow-4.1.1						UNRELEASED
  * The new users are no more added to the list of members of their groups
    because the membership is already set by their primary group.
  * Added support for gshadow.
+  * Avoid using the same salt for different passwords.
 - passwd
  * Make sure that no more than one username argument was provided.
 - pwck
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@ -23,6 +23,7 @@
 #ifndef HAVE_L64A
 char *l64a(long value);
 #endif
+static void seedRNG (void);
 static char *gensalt (unsigned int salt_size);
 #ifdef USE_SHA_CRYPT
 static unsigned int SHA_salt_size (void);
@ -64,6 +65,18 @@ static char *l64a(long value)
 }
 #endif /* !HAVE_L64A */

+static void seedRNG (void)
+{
+	struct timeval tv;
+	static int seeded = 0;
+
+	if (0 == seeded) {
+		gettimeofday(&tv, NULL);
+		srandom (tv.tv_sec + tv.tv_usec);
+		seeded = 1;
+	}
+}
+
 /*
 * Add the salt prefix.
 */
@ -160,7 +173,7 @@ static char *gensalt (unsigned int salt_size)

 	assert (salt_size >= MIN_SALT_SIZE &&
 	        salt_size <= MAX_SALT_SIZE);
-	srandom ((unsigned int)time(NULL));
+	seedRNG ();
 	strcat (salt, l64a (random()));
 	do {
 		strcat (salt, l64a (random()));