diff options
| author | tedu <> | 2014-02-17 08:58:50 +0000 |
|---|---|---|
| committer | tedu <> | 2014-02-17 08:58:50 +0000 |
| commit | 7de623d702efe388f877216d35d1f14a131cf460 (patch) | |
| tree | de24f6fad469f4e6dc649e82ab1f17bd74d9f6ed /src/lib | |
| parent | 0391a1ece83006777421dc662660d027d9ba626a (diff) | |
| download | openbsd-7de623d702efe388f877216d35d1f14a131cf460.tar.gz openbsd-7de623d702efe388f877216d35d1f14a131cf460.tar.bz2 openbsd-7de623d702efe388f877216d35d1f14a131cf460.zip | |
sticking strlen into a char leads to wraparound at 256. fix this and
introduce a new 'b' hash minor. still generate 'a' minors for now.
reported by solar designer. diff by some combination of solar and jca.
ok deraadt
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libc/crypt/bcrypt.c | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/src/lib/libc/crypt/bcrypt.c b/src/lib/libc/crypt/bcrypt.c index f27e77eb5f..1d7352e3f8 100644 --- a/src/lib/libc/crypt/bcrypt.c +++ b/src/lib/libc/crypt/bcrypt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: bcrypt.c,v 1.26 2013/12/19 14:31:07 deraadt Exp $ */ | 1 | /* $OpenBSD: bcrypt.c,v 1.27 2014/02/17 08:58:50 tedu Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> | 4 | * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> |
| @@ -168,7 +168,8 @@ bcrypt(const char *key, const char *salt) | |||
| 168 | blf_ctx state; | 168 | blf_ctx state; |
| 169 | u_int32_t rounds, i, k; | 169 | u_int32_t rounds, i, k; |
| 170 | u_int16_t j; | 170 | u_int16_t j; |
| 171 | u_int8_t key_len, salt_len, logr, minor; | 171 | size_t key_len; |
| 172 | u_int8_t salt_len, logr, minor; | ||
| 172 | u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt"; | 173 | u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt"; |
| 173 | u_int8_t csalt[BCRYPT_MAXSALT]; | 174 | u_int8_t csalt[BCRYPT_MAXSALT]; |
| 174 | u_int32_t cdata[BCRYPT_BLOCKS]; | 175 | u_int32_t cdata[BCRYPT_BLOCKS]; |
| @@ -185,8 +186,8 @@ bcrypt(const char *key, const char *salt) | |||
| 185 | /* Check for minor versions */ | 186 | /* Check for minor versions */ |
| 186 | if (salt[1] != '$') { | 187 | if (salt[1] != '$') { |
| 187 | switch (salt[1]) { | 188 | switch (salt[1]) { |
| 188 | case 'a': | 189 | case 'a': /* 'ab' should not yield the same as 'abab' */ |
| 189 | /* 'ab' should not yield the same as 'abab' */ | 190 | case 'b': /* cap input length at 72 bytes */ |
| 190 | minor = salt[1]; | 191 | minor = salt[1]; |
| 191 | salt++; | 192 | salt++; |
| 192 | break; | 193 | break; |
| @@ -220,7 +221,19 @@ bcrypt(const char *key, const char *salt) | |||
| 220 | /* We dont want the base64 salt but the raw data */ | 221 | /* We dont want the base64 salt but the raw data */ |
| 221 | decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt); | 222 | decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt); |
| 222 | salt_len = BCRYPT_MAXSALT; | 223 | salt_len = BCRYPT_MAXSALT; |
| 223 | key_len = strlen(key) + (minor >= 'a' ? 1 : 0); | 224 | if (minor <= 'a') |
| 225 | key_len = (u_int8_t)(strlen(key) + (minor >= 'a' ? 1 : 0)); | ||
| 226 | else { | ||
| 227 | /* strlen() returns a size_t, but the function calls | ||
| 228 | * below result in implicit casts to a narrower integer | ||
| 229 | * type, so cap key_len at the actual maximum supported | ||
| 230 | * length here to avoid integer wraparound */ | ||
| 231 | key_len = strlen(key); | ||
| 232 | if (key_len > 72) | ||
| 233 | key_len = 72; | ||
| 234 | if (minor >= 'a') | ||
| 235 | key_len++; /* include the NUL */ | ||
| 236 | } | ||
| 224 | 237 | ||
| 225 | /* Setting up S-Boxes and Subkeys */ | 238 | /* Setting up S-Boxes and Subkeys */ |
| 226 | Blowfish_initstate(&state); | 239 | Blowfish_initstate(&state); |