Date:      Sat,  8 Jun 2002 12:32:08 -0700 (PDT)
From:      Nick Johnson <freebsd@spatula.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/39037: crypt-md5 may prematurely drop a source of entropy
Message-ID:  <20020608193208.BD119A94B@turing.morons.org>


>Number:         39037
>Category:       bin
>Synopsis:       crypt-md5 may prematurely drop a source of entropy
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 08 12:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 4.5-RELEASE-p2 i386
>Organization:
Morons.org
>Environment:
System: FreeBSD turing.morons.org 4.5-RELEASE-p2 FreeBSD 4.5-RELEASE-p2 #4: Wed Apr 10 10:27:18 PDT 2002 root@turing.morons.org:/usr/src/sys/compile/TURING i386
>Description:
In crypt-md5.c, there is the following bit of code:

        /* Don't leave anything around in vm they could use. */
        memset(final,0,sizeof final);

        /* Then something really weird... */
        for (i = strlen(pw); i ; i >>= 1)
                if(i&1)
                    MD5Update(&ctx, final, 1);
                else
                    MD5Update(&ctx, pw, 1);

Note that "final" is referenced after it has been memset to all 0's.
The result is that rather than getting more noise from the md5 data
from previous steps, the same number (0) is always applied.  If this
is intentional, please disregard this PR :)

>How-To-Repeat:
Watch "final" with any of a variety of inputs; observe that it's always 0.
>Fix:

This PR is informational only, and shouldn't be taken to mean that this 
should be fixed in the current implementation.  Indeed, if it WERE 
changed, it would completely break any existing password files, as the
outcome of the function will definitely change.

Also note that this isn't terribly likely to reduce the security of the
algorithm, since MD5 is pretty irreversible to begin with.

I note this not to be a smartass, but should there be another revision of 
the md5-style passwords (which would no doubt have a different magic)
this piece of code may be worth revisiting.

>Release-Note:
>Audit-Trail:
>Unformatted:
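The following is an added worked example, not code from FreeBSD's crypt-md5.c and not part of the PR above. It re-implements the $1$ MD5-crypt algorithm in Python, with the quoted loop isolated in its own function so the observation in the Description can be checked directly: because `final` has just been zeroed, every 1-bit of `strlen(pw)` feeds a NUL byte and every 0-bit feeds the first byte of the password. The function and variable names (`weird_loop_bytes`, `md5_crypt`, `verify`) and the sample password/salt are this example's own constructions; the default `final=bytes(16)` models the zeroed buffer, and passing the earlier digest instead shows why changing the step would alter every existing hash, as the Fix section notes.

```python
import hashlib
import hmac

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def weird_loop_bytes(pw: bytes, final: bytes = bytes(16)) -> bytes:
    """Bytes fed to the running hash by the loop the PR quotes.

    For each bit of len(pw), least significant first, the C code feeds
    final[0] when the bit is 1 and pw[0] when it is 0.  Since crypt-md5.c
    has just memset "final" to zeros, the 1-bit case is always a NUL byte;
    the default argument models exactly that state (assumption: a 16-byte
    zero buffer stands in for the zeroed MD5 output array).
    """
    out = bytearray()
    i = len(pw)
    while i:
        out.append(final[0] if i & 1 else pw[0])
        i >>= 1
    return bytes(out)


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(pw: bytes, salt: bytes) -> str:
    """$1$ MD5-crypt, written here from the algorithm in crypt-md5.c."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]          # up to 8 bytes, stop at '$'

    ctx = hashlib.md5(pw + MAGIC + salt)
    # alt = MD5(pw + salt + pw).  In C this digest sits in "final" until the
    # memset wipes it, so alt[0] is the byte the loop would otherwise have used.
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    # The "something really weird" step, with "final" already all zeros.
    ctx.update(weird_loop_bytes(pw, final=bytes(16)))
    final = ctx.digest()

    # 1000 rounds of stretching, alternating inputs exactly as the C source does.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    out = bytearray(MAGIC + salt + b"$")
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return out.decode("ascii")


def verify(pw: bytes, stored: str) -> bool:
    """Compare a candidate password against a stored $1$ hash in constant time."""
    if not stored.startswith("$1$"):
        return False
    salt = stored.split("$")[2].encode("ascii")
    return hmac.compare_digest(md5_crypt(pw, salt), stored)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the PR.
    print(weird_loop_bytes(b"password"))                 # b'ppp\x00'
    h = md5_crypt(b"password", b"saltsalt")
    print(h, verify(b"password", h), verify(b"Password", h))
```

For an eight-character password the loop contributes three copies of the first password byte and one NUL, so the step adds no entropy from the earlier digest; the stretching rounds that follow still mix `alt`-derived state into every output bit, which is why the PR rates the issue non-critical while warning that any change to the step would invalidate existing password files.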