SYSKEY2 code, and new random data source

Jeremy Allison jeremy at
Wed Feb 16 21:52:45 GMT 2000

Pete Chown wrote:
> There is also a replacement for Samba's random number generator, which
> produces a random stream based on the SYSKEY2 value.  The reason is
> that I discovered a security hole in the old one, assuming that I
> understood the code right.
> To begin with, assume that we are running on a Unix with a traditional
> rand() function (not Linux, for example).  On the first call to
> generate_random_buffer(), md4_buf is all zeroes.  The rand() function
> is then seeded with a value which we will assume for the moment is
> random.

This is incorrect. md4_buf is not zeros - it is filled with
data from various sources in the function do_reseed().

Can you look at the source more carefully and report if you
still think there's a problem please ?


	Jeremy Allison,
	Samba Team.

Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list