From: Timo Teräs
Newsgroups: gmane.linux.lib.musl.general
Subject: [PATCH] crypt_blowfish: allow short salt strings
Date: Fri, 25 Mar 2016 14:12:35 +0200
Message-ID: <1458907955-8698-1-git-send-email-timo.teras@iki.fi>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Cc: Timo Teräs
assume the remainder of the salt to be zero bits.
---
 src/crypt/crypt_blowfish.c | 2 ++
 1 file changed, 2 insertions(+)

Any comments if this makes sense? There seem to be some test suites that even verify that short salt strings should succeed. See: http://bugs.alpinelinux.org/issues/5141

diff --git a/src/crypt/crypt_blowfish.c b/src/crypt/crypt_blowfish.c index d3f7985..d1f5588 100644 --- a/src/crypt/crypt_blowfish.c +++ b/src/crypt/crypt_blowfish.c @@ -365,6 +365,7 @@ static const unsigned char BF_atoi64[0x60] = { #define BF_safe_atoi64(dst, src) \ { \ tmp = (unsigned char)(src); \ + if (tmp == 0 || tmp == '$') break; \ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \ tmp = BF_atoi64[tmp]; \ if (tmp > 63) return -1; \ @@ -624,6 +625,7 @@ static char *BF_crypt(const char *key, const char *setting, return NULL; } + memset(data.binary.salt, 0, sizeof data.binary.salt); count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0')); if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) { return NULL;
-- 
2.7.4
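
Review bot: The new `if (tmp == 0 || tmp == '$') break;` at the top of `BF_safe_atoi64` (hunk at -365) stops decoding on the first NUL or `$` at any character position, so an empty salt, or one that ends part-way through a group of encoded characters, is now accepted where it used to return -1, and nothing in the macro enforces a minimum length. Combined with the zero-fill added in `BF_crypt`, an empty salt field gives an all-zero salt, which removes the per-hash uniqueness that salting is there to provide. I would either require a minimum number of decoded characters before the early exit is allowed, or state next to the macro that short salts are accepted only for compatibility with hashes produced elsewhere. The `break` also only behaves as intended if every expansion of the macro sits directly inside the decoding loop, in the same way the existing `return -1` ties it to the enclosing function; a one-line comment saying so would help. The commit message should also say why `$` is treated as a terminator.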
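
Review bot: The `memset(data.binary.salt, 0, sizeof data.binary.salt);` added in `BF_crypt` (hunk at -624) has no comment explaining that it is needed because `BF_decode(data.binary.salt, &setting[7], 16)` may now stop before it has written all 16 bytes; without that, the line looks redundant and is easy to drop in a later cleanup, which would leave the tail of the salt holding whatever the buffer contained. Please add a short comment above it. The visible lines also do not show which salt string appears in the returned hash when the input salt was short, so a test that passes a short-salt setting and checks the full expected output would be worth including with the patch.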