From: Nick Johnson
Reply-To: Nick Johnson
To: FreeBSD-gnats-submit@FreeBSD.org
Date: Sat, 8 Jun 2002 12:32:08 -0700 (PDT)
Message-Id: <20020608193208.BD119A94B@turing.morons.org>
Subject: bin/39037: crypt-md5 may prematurely drop a source of entropy
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         39037
>Category:       bin
>Synopsis:       crypt-md5 may prematurely drop a source of entropy
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 08 12:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 4.5-RELEASE-p2 i386
>Organization:
Morons.org
>Environment:
System: FreeBSD turing.morons.org 4.5-RELEASE-p2 FreeBSD 4.5-RELEASE-p2 #4: Wed Apr 10 10:27:18 PDT 2002 root@turing.morons.org:/usr/src/sys/compile/TURING i386
>Description:
In crypt-md5.c, there is the following bit of code:

	/* Don't leave anything around in vm they could use. */
	memset(final,0,sizeof final);

	/* Then something really weird... */
	for (i = strlen(pw); i ; i >>= 1)
		if(i&1)
		    MD5Update(&ctx, final, 1);
		else
		    MD5Update(&ctx, pw, 1);

Note that "final" is referenced after it has been memset to all 0's. The result is that rather than getting more noise from the md5 data from previous steps, the same number (0) is always applied.

If this is intentional, please disregard this PR :)
>How-To-Repeat:
Watch "final" with any of a variety of inputs; observe that it's always 0.
>Fix:
This PR is informational only, and shouldn't be taken to mean that this should be fixed in the current implementation. Indeed, if it WERE changed, it would completely break any existing password files, as the outcome of the function will definitely change.

Also note that this isn't terribly likely to reduce the security of the algorithm, since MD5 is pretty irreversible to begin with.

I note this not to be a smartass, but should there be another revision of the md5-style passwords (which would no doubt have a different magic) this piece of code may be worth revisiting.
>Release-Note:
>Audit-Trail:
>Unformatted:
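The following Python is an added illustration of the point made in the >Description and >Fix sections; it is not part of the PR and not FreeBSD's code. It reimplements the $1$ md5crypt algorithm from crypt-md5.c step by step (the function names `md5crypt`, `weird_loop_bytes` and the `as_implemented` flag are this example's own). `weird_loop_bytes` exposes exactly what the "something really weird" loop feeds into the outer context: with `final` zeroed first, every step where the current bit of strlen(pw) is 1 contributes a 0x00 byte instead of a digest byte. The `as_implemented=False` path is a hypothetical variant that skips the memset, included only to show that the two choices yield different hashes, which is why the PR says changing the shipped code would invalidate existing password files.

```python
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def weird_loop_bytes(pw: bytes, final0: int) -> bytes:
    """Bytes the 'something really weird' loop feeds into the outer MD5 context.

    Scanning strlen(pw) from its low bit upwards, the loop feeds final[0] when
    the current bit is 1 and pw[0] when it is 0.  In the shipped crypt-md5.c
    final has just been memset to 0, so final0 is 0 there.
    """
    out = bytearray()
    i = len(pw)
    while i:
        out.append(final0 if i & 1 else pw[0])
        i >>= 1
    return bytes(out)


def _to64(v: int, n: int) -> str:
    # crypt(3) style base64: n characters, low 6 bits first.
    s = ""
    for _ in range(n):
        s += chr(ITOA64[v & 0x3F])
        v >>= 6
    return s


def md5crypt(pw: bytes, salt: bytes, as_implemented: bool = True) -> str:
    """md5crypt ($1$) following FreeBSD's crypt-md5.c, reimplemented here.

    as_implemented=True zeroes `final` before the weird loop, exactly as the
    quoted code does.  as_implemented=False is a hypothetical variant (not any
    shipped behaviour) that keeps the inner digest alive for that loop.
    """
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]  # at most 8 bytes, stop at '$'

    ctx = hashlib.md5(pw + MAGIC + salt)
    final = hashlib.md5(pw + salt + pw).digest()  # inner digest

    # Feed the inner digest once per 16 password bytes (last chunk truncated).
    pl = len(pw)
    while pl > 0:
        ctx.update(final[:min(16, pl)])
        pl -= 16

    if as_implemented:
        final = bytes(16)  # memset(final, 0, sizeof final)

    ctx.update(weird_loop_bytes(pw, final[0]))
    final = ctx.digest()

    # 1000 stretching rounds mixing password, salt and the running digest.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    out = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return (MAGIC + salt + b"$").decode() + out


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in (b"password", b"hello"):
        print(pw, "loop bytes:", weird_loop_bytes(pw, 0))
        print("  shipped     :", md5crypt(pw, b"saltsalt"))
        print("  hypothetical:", md5crypt(pw, b"saltsalt", as_implemented=False))
```

Running it shows that for an 8-byte password the loop contributes `b"ppp\x00"` (three copies of pw[0], then a zero for the final odd bit), and that the hash from the shipped variant differs from the hypothetical one for the same password and salt. Because a real system must keep producing the same hash for stored entries, the shipped behaviour is effectively part of the $1$ format, which is the compatibility argument the PR makes.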