Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 25 Mar 2016 14:12:35 +0200
From: Timo Teräs <timo.teras@....fi>
To: musl@...ts.openwall.com
Cc: Timo Teräs <timo.teras@....fi>
Subject: [PATCH] crypt_blowfish: allow short salt strings

assume the remainder of the salt to be zero bits.
---
 src/crypt/crypt_blowfish.c | 2 ++
 1 file changed, 2 insertions(+)

Any comments if this makes sense?

There seems to be some test suites that even verify that short
salt strings should succeed.

See: http://bugs.alpinelinux.org/issues/5141

diff --git a/src/crypt/crypt_blowfish.c b/src/crypt/crypt_blowfish.c
index d3f7985..d1f5588 100644
--- a/src/crypt/crypt_blowfish.c
+++ b/src/crypt/crypt_blowfish.c
@@ -365,6 +365,7 @@ static const unsigned char BF_atoi64[0x60] = {
 #define BF_safe_atoi64(dst, src) \
 { \
 	tmp = (unsigned char)(src); \
+	if (tmp == 0 || tmp == '$') break; \
 	if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
 	tmp = BF_atoi64[tmp]; \
 	if (tmp > 63) return -1; \
@@ -624,6 +625,7 @@ static char *BF_crypt(const char *key, const char *setting,
 		return NULL;
 	}
 
+	memset(data.binary.salt, 0, sizeof data.binary.salt);
 	count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
 	if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
 		return NULL;
-- 
2.7.4

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.