On Wed, Aug 29, 2012 at 01:35:06AM +0200, Szabolcs Nagy wrote:
> * Szabolcs Nagy <nsz@port70.net> [2012-08-28 22:09:42 +0200]:
> > * Rich Felker <dalias@aerifal.cx> [2012-08-19 22:12:23 -0400]:
> > > On Mon, Aug 20, 2012 at 03:58:54AM +0200, Szabolcs Nagy wrote:
> > > > sha and md5 crypt does not decode the salt
> > > > it is directly passed to a hash function
> > > 
> > > Ah, that makes it uglier then, because presumably some of these
> > > malformed things you mentioned are "valid" salt.
> > > 
> > 
> > i modified my sha crypt implementation so it is very strict
> > about the rounds= part of the salt and checks for key length
> > 
> 
> removed the unrolling, modified key limit and added salt check:

see the attached for my proposed changes.

rich