authorTheo de Raadt <deraadt@cvs.openbsd.org>2003-09-26 02:12:24 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2003-09-26 02:12:24 +0000
commit8e25cc065c2088eaaef3ba3891dff6bc3cc5ef9b (patch)
tree1a49d75c04d6bc90ca26efbd7769e7a0cb7bfb85
parent94fbd117be7ffd9729a9307a67240e659cdb2260 (diff)
use a much more random salt; prompted by ast@domdv.de
-rw-r--r--usr.sbin/httpd/src/support/htpasswd.c6
-rw-r--r--usr.sbin/httpd/support/htpasswd.c3
2 files changed, 3 insertions, 6 deletions
diff --git a/usr.sbin/httpd/src/support/htpasswd.c b/usr.sbin/httpd/src/support/htpasswd.c
index 84bcd0fbf9b..d4567b2db51 100644
--- a/usr.sbin/httpd/src/support/htpasswd.c
+++ b/usr.sbin/httpd/src/support/htpasswd.c
@@ -214,8 +214,7 @@ static int mkrecord(char *user, char *record, size_t rlen, char *passwd,
break;
case ALG_APMD5:
- (void) srand((int) time((time_t *) NULL));
- ap_to64(&salt[0], rand(), 8);
+ ap_to64(&salt[0], arc4random(), 8);
salt[8] = '\0';
ap_MD5Encode((const unsigned char *)pw, (const unsigned char *)salt,
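Review bot: The eight-character salt in the ALG_APMD5 case is filled from a single 32-bit `arc4random()` value, so it likely carries only 32 bits of randomness rather than the 48 its length suggests. If ap_to64 emits six bits per output character (its definition is not in this hunk), the value is used up partway through the sixth character: that character varies over only four values and the last two are constant. Drawing twice would fill every position: `ap_to64(&salt[0], arc4random(), 4); ap_to64(&salt[4], arc4random(), 4);`. The same call appears in the ALG_CRYPT case of the next hunk, and mkrecord's body starts and ends outside both hunks.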
@@ -229,8 +228,7 @@ static int mkrecord(char *user, char *record, size_t rlen, char *passwd,
case ALG_CRYPT:
default:
- (void) srand((int) time((time_t *) NULL));
- ap_to64(&salt[0], rand(), 8);
+ ap_to64(&salt[0], arc4random(), 8);
salt[8] = '\0';
ap_cpystrn(cpw, (char *)crypt(pw, salt), sizeof(cpw) - 1);
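Review bot: The result of `crypt(pw, salt)` in the ALG_CRYPT case goes straight into `ap_cpystrn` with no NULL check, and crypt() can return NULL on failure. Whether ap_cpystrn tolerates a NULL source is not visible here, so the call is better split: `char *h = crypt(pw, salt);` followed by `if (h == NULL)` taking the same failure path mkrecord's other errors use. The add_password hunk in usr.sbin/httpd/support/htpasswd.c has the same gap, where `cpw = crypt(pw,salt);` is printed with `%s` by the `fprintf` two lines later. mkrecord continues outside this hunk.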
diff --git a/usr.sbin/httpd/support/htpasswd.c b/usr.sbin/httpd/support/htpasswd.c
index 17efe5b004a..a7c12e003b5 100644
--- a/usr.sbin/httpd/support/htpasswd.c
+++ b/usr.sbin/httpd/support/htpasswd.c
@@ -109,8 +109,7 @@ void add_password(char *user, FILE *f) {
unlink(tn);
exit(1);
}
- (void)srand((int)time((time_t *)NULL));
- to64(&salt[0],rand(),2);
+ to64(&salt[0],arc4random(),2);
cpw = crypt(pw,salt);
free(pw);
fprintf(f,"%s:%s\n",user,cpw);
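Review bot: `free(pw)` releases the buffer that was just handed to crypt() as the password without clearing it, so the plaintext stays in freed heap memory until something overwrites it. Wiping it first, for example `explicit_bzero(pw, strlen(pw));` where that function is available, keeps the password out of core dumps and reused allocations. A plain `memset` immediately before `free` may be optimised away. How pw is allocated, and the rest of add_password, are outside the hunk.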