From owner-freebsd-bugs@FreeBSD.ORG Wed Feb 27 18:10:02 2008 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DF5401065670 for ; Wed, 27 Feb 2008 18:10:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id D379C8FC17 for ; Wed, 27 Feb 2008 18:10:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m1RIA2tm038683 for ; Wed, 27 Feb 2008 18:10:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m1RIA2vn038682; Wed, 27 Feb 2008 18:10:02 GMT (envelope-from gnats) Date: Wed, 27 Feb 2008 18:10:02 GMT Message-Id: <200802271810.m1RIA2vn038682@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Jaakko Heinonen Cc: Subject: Re: bin/121146: Adduser produces defective blowfish cipher password hashes on FreeBSD 7.0-RC3 amd64 and i386 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jaakko Heinonen List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Feb 2008 18:10:03 -0000 The following reply was made to PR bin/121146; it has been noted by GNATS. From: Jaakko Heinonen To: bug-followup@FreeBSD.org, erwinpeterarcor.de@FreeBSD.org Cc: Subject: Re: bin/121146: Adduser produces defective blowfish cipher password hashes on FreeBSD 7.0-RC3 amd64 and i386 Date: Wed, 27 Feb 2008 20:01:56 +0200 --2fHTh5uZTiUOsy+g Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Increasing the salt size for pw(8) might fix the problem. See the attached patch. -- Jaakko --2fHTh5uZTiUOsy+g Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="pw-salt-size.diff" Index: pw_user.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw_user.c,v retrieving revision 1.61 diff -p -u -r1.61 pw_user.c --- pw_user.c 30 Mar 2007 12:57:25 -0000 1.61 +++ pw_user.c 27 Feb 2008 17:51:56 -0000 @@ -1029,22 +1029,24 @@ pw_shellpolicy(struct userconf * cnf, st return shell_path(cnf->shelldir, cnf->shells, sh ? sh : cnf->shell_default); } +#define SALTSIZE 32 + static char const chars[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."; char * pw_pwcrypt(char *password) { int i; - char salt[12]; + char salt[SALTSIZE + 1]; static char buf[256]; /* * Calculate a salt value */ - for (i = 0; i < 8; i++) + for (i = 0; i < SALTSIZE; i++) salt[i] = chars[arc4random() % 63]; - salt[i] = '\0'; + salt[SALTSIZE] = '\0'; return strcpy(buf, crypt(password, salt)); } --2fHTh5uZTiUOsy+g--