* Szabolcs Nagy <nsz@port70.net> [2012-08-28 22:09:42 +0200]:
> * Rich Felker <dalias@aerifal.cx> [2012-08-19 22:12:23 -0400]:
> > On Mon, Aug 20, 2012 at 03:58:54AM +0200, Szabolcs Nagy wrote:
> > > sha and md5 crypt does not decode the salt
> > > it is directly passed to a hash function
> > 
> > Ah, that makes it uglier then, because presumably some of these
> > malformed things you mentioned are "valid" salt.
> > 
> 
> i modified my sha crypt implementation so it is very strict
> about the rounds= part of the salt and checks for key length
> 

removed the unrolling, modified key limit and added salt check:

@@ -60,20 +61,17 @@
 	f = s->h[5];
 	g = s->h[6];
 	h = s->h[7];
-#define ROUND(a,b,c,d,e,f,g,h,i) \
-		t1 = h + S1(e) + Ch(e,f,g) + K[i] + W[i]; \
-		t2 = S0(a) + Maj(a,b,c); \
-		d += t1; \
-		h = t1 + t2;
-	for (i = 0; i < 64; ) {
-		ROUND(a,b,c,d,e,f,g,h,i); i++;
-		ROUND(h,a,b,c,d,e,f,g,i); i++;
-		ROUND(g,h,a,b,c,d,e,f,i); i++;
-		ROUND(f,g,h,a,b,c,d,e,i); i++;
-		ROUND(e,f,g,h,a,b,c,d,i); i++;
-		ROUND(d,e,f,g,h,a,b,c,i); i++;
-		ROUND(c,d,e,f,g,h,a,b,i); i++;
-		ROUND(b,c,d,e,f,g,h,a,i); i++;
+	for (i = 0; i < 64; i++) {
+		t1 = h + S1(e) + Ch(e,f,g) + K[i] + W[i];
+		t2 = S0(a) + Maj(a,b,c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + t1;
+		d = c;
+		c = b;
+		b = a;
+		a = t1 + t2;
 	}
 	s->h[0] += a;
 	s->h[1] += b;
@@ -168,7 +166,7 @@
 }
 
 /* key limit is not part of the original design, added for DoS protection */
-#define KEY_MAX 65535
+#define KEY_MAX 256
 #define SALT_MAX 16
 #define ROUNDS_DEFAULT 5000
 #define ROUNDS_MIN 1000
@@ -241,8 +239,10 @@
 		sprintf(rounds, "rounds=%u$", r);
 	}
 
-// TODO: reject bad characters in the salt that may cause /etc/shadow parsing problems
-	for (i = 0; i < SALT_MAX && salt[i] && salt[i] != '$'; i++);
+	for (i = 0; i < SALT_MAX && salt[i] && salt[i] != '$'; i++)
+		/* reject characters that interfere with /etc/shadow parsing */
+		if (salt[i] == '\n' || salt[i] == ':')
+			return 0;
 	slen = i;
 
 	/* B = sha(key salt key) */