SYSKEY2 code, and new random data source
Jeremy Allison
jeremy at valinux.com
Wed Feb 16 21:52:45 GMT 2000
Pete Chown wrote:
> There is also a replacement for Samba's random number generator, which
> produces a random stream based on the SYSKEY2 value. The reason is
> that I discovered a security hole in the old one, assuming that I
> understood the code right.
>
> To begin with, assume that we are running on a Unix with a traditional
> rand() function (not Linux, for example). On the first call to
> generate_random_buffer(), md4_buf is all zeroes. The rand() function
> is then seeded with a value which we will assume for the moment is
> random.
This is incorrect. md4_buf is not zeros - it is filled with
data from various sources in the function do_reseed().
Can you look at the source more carefully and report if you
still think there's a problem please ?
Cheers,
Jeremy Allison,
Samba Team.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
More information about the samba-technical
mailing list