[DragonFlyBSD - Bug #2278] (Closed) "Password hashing weakness in DF" (Matthias Schmidt)

Samuel J. Greear via Redmine bugtracker-admin at leaf.dragonflybsd.org
Fri Jan 20 10:39:12 PST 2012


Issue #2278 has been updated by Samuel J. Greear.

Status changed from New to Closed

I have deprecated that code, but the bugs will have to stick around until we tear it out to ensure peoples passwords keep working.
----------------------------------------
Bug #2278: "Password hashing weakness in DF" (Matthias Schmidt)
http://bugs.dragonflybsd.org/issues/2278

Author: Robin Carey
Status: Closed
Priority: Normal
Assignee: 
Category: 
Target version: 


Further to the email posted by Matthias Schmidt to DragonFly users list
(17/01/2012):


I had a look at (GitWeb) the source code:

lib/libcrypt/crypt-sha256.c

and

lib/libcrypt/crypt-sha512.c


Both of those C files have bugs in them: "crypt-sha256.c:":

....
/* Then the magic string */
SHA256_Update(&ctx, magic, sizeof(magic));
....

Should be strlen(magic) instead of sizeof(magic).
-----

And practically the same bug in: "crypt-sha512.c":

....
/* Then the magic string */
SHA512_Update(&ctx, magic, sizeof(magic));
.....

Should be strlen(magic) instead of sizeof(magic).
------

There might be other bugs - I didn't really check for any .....

-- 
Sincerely,

Robin Carey BSc


-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account





More information about the Bugs mailing list