From owner-freebsd-security@FreeBSD.ORG Sat Jan 8 04:19:39 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6877C16A4CE for ; Sat, 8 Jan 2005 04:19:39 +0000 (GMT) Received: from internet1.mccd.edu (internet1.mccd.edu [198.189.251.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F93C43D49 for ; Sat, 8 Jan 2005 04:19:39 +0000 (GMT) (envelope-from alexander.s@mccd.edu) X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: base64 Date: Fri, 7 Jan 2005 20:20:15 -0800 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Missing functionality in Blowfish for crypt(3) Thread-Index: AcT1OVpPK3e1ZMmjREKsvL0yApjMBA== From: "Steven Alexander" To: Subject: Missing functionality in Blowfish for crypt(3) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Jan 2005 04:19:39 -0000 VGhlIGJsb3dmaXNoIGNyeXB0KDMpIG1lY2hhbmlzbSBzdXBwb3J0cyB0aGUgdXNlIG9mIGEgImNv c3QgdmFsdWUiIGZvciBwYXNzd29yZCBlbmNyeXB0aW9uLiAgVGhlIGNvc3QgdmFsdWUgaXMgZW5j b2RlZCBpbnRvIHRoZSBlbmNyeXB0ZWQgcGFzc3dvcmQgdGhhdCBpcyBzdG9yZWQgaW4gbWFzdGVy LnBhc3N3ZC4gIE9uIE9wZW5CU0QsIHRoaXMgY29zdCB2YWx1ZSBjYW4gYmUgc2V0IGluIGxvZ2lu LmNvbmYuICBGcmVlQlNEIGRvZXMgbm90IGN1cnJlbnRseSBzdXBwb3J0IHRoZSBjb3N0IHZhbHVl LiAgVGhlIGNvc3QgdmFsdWUgaXMgdGhlIGJhc2UtMiBsb2dhcml0aG0gb2YgdGhlIG51bWJlciBv ZiByb3VuZHMgb2YgZW5jcnlwdGlvbiB0byB1c2Ugc28gcm91bmRzPTE8PGNvc3Q7ICBUaGlzIGZ1 bmN0aW9uYWxpdHkgY2FuIGJlIHN1cHBvcnRlZCB0aHJvdWdoIG1vZGlmaWNhdGlvbnMgdG8gL3Vz ci9iaW4vcGFzc3dkICh3aGljaCBhY3R1YWxseSBtZWFucyBhIGNoYW5nZSB0byBQQU0pIG9yIHRo cm91Z2ggbW9kaWZpY2F0aW9ucyB0byBsaWJjcnlwdC4NCg0KSW4gb3JkZXIgdG8gcGF0Y2ggL3Vz ci9iaW4vcGFzc3dkLCBpdCBtdXN0IGJlIG1vZGlmaWVkIHRvIHByb3ZpZGUgYSBzcGVjaWFsbHkg Zm9ybWF0dGVkIHNhbHQgdmFsdWUgZm9yIHRoZSBlbmNyeXB0aW9uIG9mIG5ldyBwYXNzd29yZHMu ICBTcGVjaWZpY2FsbHksICQyYSRDT1NUJCBtdXN0IGJlIHByZXBlbmRlZCB0byB0aGUgZ2VuZXJh dGVkIHNhbHQgdmFsdWUuICAiMmEiIGlzIHRoZSBtYWpvciBhbmQgbWlub3IgdmVyc2lvbiBmb3Ig Ymxvd2Zpc2gvYmNyeXB0LiAgQWdhaW4sIHRoaXMgbWVhbnMgY2hhbmdpbmcgUEFNLg0KIA0KU2lu Y2UgcGFzc3dkIHNob3VsZCBub3QgaGF2ZSB0byBrZWVwIHVwIHdpdGggYW55IGZvcm1hdHRpbmcg cmVxdWlyZW1lbnRzIGZvciBhbnkgbGliY3J5cHQgbWVjaGFuaXNtLCBJIG1vZGlmaWVkIGxpYmNy eXB0IGluc3RlYWQuDQoNClRoZSBkaWZmIGlzIHBhc3RlZCBiZWxvdyBzdHJpY3RseSBmb3Igdmll d2luZywgdGhlIHV1ZW5jb2RlZCB2ZXJzaW9uIGlzIGJlbG93IHRoYXQuICBJbiBsaWJjcnlwdCwg SSB1c2UgZ2V0cHd1aWRfcihnZXR1aWQoKSwgLi4uKSB0byBnZXQgYSBwd2Qgc3RydWN0dXJlIGZv ciB0aGUgY3VycmVudCB1c2VyLiAgVGhlbiwgSSB1c2UgbG9naW5fZ2V0cHdjbGFzcygpIHRvIHJl dHVybiBhIGxvZ2luX2NhcF90IHN0cnVjdHVyZSBhbmQgdXNlIGxvZ2luX2dldGNhcG51bSguLi4s ImxuX3JvdW5kcyIsLi4uKSB0byBncmFiIHRoZSB2YWx1ZSBmb3IgbG5fcm91bmRzIGluIGxvZ2lu LmNvbmYuICANCiANClRoZSBvbmx5IGRyYXdiYWNrIHRvIHRoaXMgYXBwcm9hY2ggaXMgdGhhdCBp dCBncmFicyB0aGUgZW50cnkgZm9yIHRoZSBjdXJyZW50IHVzZXIgcmF0aGVyIHRoYW4gdGhlIHVz ZXIgd2hvc2UgcGFzc3dvcmQgaXMgYmVpbmcgY2hhbmdlZC4gIE5vcm1hbGx5LCByb290IHdpbGwg aGF2ZSBhIGhpZ2hlciBjb3N0IHZhbHVlIHRoYW4gbm9ybWFsIHVzZXJzLiAgSWYgcm9vdCBjaGFu Z2VzIGEgdXNlcidzIHBhc3N3b3JkLCB0aGUgcGFzc3dvcmQgd2lsbCBiZSBlbmNyeXB0ZWQgd2l0 aCBhIGhpZ2hlciBjb3N0IHRoYW4gaWYgdGhlIHVzZXIgY2hhbmdlZCBpdCB0aGVtc2VsdmVzLiAg VGhpcyBkb2Vzbid0IHNlZW0gdG8gYmUgYWxsIHRoYXQgYmFkLg0KIA0KVG8gc3VwcG9ydCB0aGlz IHBhdGNoLCAvZXRjL2xvZ2luLmNvbmYgbXVzdCBpbmNsdWRlIGFuIGVudHJ5IG9mIHRoZSBmb3Jt ICI6bG5fcm91bmRzPTEwOiIgYW5kIGNhcF9ta2RiIG11c3QgYmUgcnVuIG9uIC9ldGMvbG9naW4u Y29uZiB0byBhcHBseSB0aGUgY2hhbmdlLiAgVGhpcyBpcyBzbGlnaHRseSBkaWZmZXJlbnQgdGhh biB0aGUgd2F5IHRoaXMgZmVhdHVyZSBpcyB0dXJuZWQgb24gaW4gT3BlbkJTRC4NCiANClRoZSBw YXRjaCBjYW4gYmUgYXBwbGllZCBieToNCiANCmNkIC91c3Ivc3JjDQpwYXRjaCA8IC9wYXRoL3Rv L2xpYmNyeXB0LnBhdGNoDQogDQpJIGhhdmUgc3VibWl0dGVkIGEgY2hhbmdlIHJlcXVlc3QvUFIg Zm9yIHRoaXMgc28gdGhhdCBpdCBjYW4gYmUgY29uc2lkZXJlZCBmb3IgY29tbWl0bWVudC4gIA0K IA0KQXQgdGhlIG1vbWVudCwgdGhlIHBhdGNoIGlzIGFsc28gb24gbXkgd2Vic2l0ZSBhdDoNCiAN Cmh0dHA6Ly93d3cubWNjZC5lZHUvc3RhZmYvYWxleGFuZGVycy9saWJjcnlwdC5wYXRjaA0KaHR0 cDovL3d3dy5tY2NkLmVkdS9zdGFmZi9hbGV4YW5kZXJzL2xpYmNyeXB0LnV1DQogDQpNeSB0aGFu a3MgdG8gRGF2aWQgTWFnZGEgZm9yIHBvaW50aW5nIG91dCB0byBtZSB0aGUgZGlmZmVyZW5jZSBi ZXR3ZWVuIHRoZSBPcGVuQlNEIGFuZCBGcmVlQlNEIGltcGxlbWVudGF0aW9ucy4NCiANCkVuam95 Lg0KIA0KU3RldmVuDQogDQogDQogDQpbRGV0YWlscyBmb2xsb3ddDQogDQpNeSBzeXN0ZW0gaXM6 DQogDQpGcmVlQlNEIGtlcm5lbC53YXlzaWRlLmNvbSA1LjMtUkVMRUFTRSBGcmVlQlNEIDUuMy1S RUxFQVNFICM2OiBGcmkgRGVjIDMxIDE5OjQ4OjI0IFBTVCAyMDA0ICAgICByb290QGtlcm5lbC53 YXlzaWRlLmNvbTovdXNyL3NyYy9zeXMvaTM4Ni9jb21waWxlL0dFTkVSSUMgIGkzODYNCiANCiAN CmRpZmYgLWMgLi9zZWN1cmUvbGliL2xpYmNyeXB0L2NyeXB0LWJsb3dmaXNoLmMgLi9zZWN1cmUv bGliL2xpYmNyeXB0LW5ldy9jcnlwdC1ibG93ZmlzaC5jDQoqKiogLi9zZWN1cmUvbGliL2xpYmNy eXB0L2NyeXB0LWJsb3dmaXNoLmMgTW9uIEp1biAgMiAxMjoxNzoyNCAyMDAzDQotLS0gLi9zZWN1 cmUvbGliL2xpYmNyeXB0LW5ldy9jcnlwdC1ibG93ZmlzaC5jIEZyaSBKYW4gIDcgMTk6NDM6MzEg MjAwNQ0KKioqKioqKioqKioqKioqDQoqKiogNTUsNjAgKioqKg0KLS0tIDU1LDYzIC0tLS0NCiAg I2luY2x1ZGUgPHN5cy90eXBlcy5oPg0KICAjaW5jbHVkZSA8c3RyaW5nLmg+DQogICNpbmNsdWRl IDxwd2QuaD4NCisgI2luY2x1ZGUgPGxpYnV0aWwuaD4NCisgI2luY2x1ZGUgPGxvZ2luX2NhcC5o Pg0KKyANCiAgI2luY2x1ZGUgImJsb3dmaXNoLmgiDQogICNpbmNsdWRlICJjcnlwdC5oIg0KICAN CioqKioqKioqKioqKioqKg0KKioqIDE0NCwxNDkgKioqKg0KLS0tIDE0NywxNTcgLS0tLQ0KICAg dV9pbnQ4X3QgY3NhbHRbQkNSWVBUX01BWFNBTFRdOw0KICAgdV9pbnQzMl90IGNkYXRhW0JDUllQ VF9CTE9DS1NdOw0KICAgc3RhdGljIGNvbnN0IGNoYXIgICAgICptYWdpYyA9ICIkMmEkMDQkIjsN CisgDQorICBzdHJ1Y3QgcGFzc3dkIHB3LCAqcHdkOw0KKyAgY2hhciBwd2J1ZlsxMDI0XTsNCisg DQorICBsb2dpbl9jYXBfdCAqbGM7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgDQogICAgLyogRGVmYXVsdHMgKi8NCiAgIG1pbnIgPSAnYSc7DQoqKioqKioqKioqKioqKioN CioqKiAxOTMsMTk4ICoqKioNCi0tLSAyMDEsMjM4IC0tLS0NCiAgDQogICAgLyogRGlzY2FyZCBu dW0gcm91bmRzICsgIiQiIGlkZW50aWZpZXIgKi8NCiAgICBzYWx0ICs9IDM7DQorICB9DQorICBl bHNlDQorICB7DQorICAgLyogV2UncmUgY3J5cHRpbmcgYSBuZXcgcGFzc3dvcmQuICBXZSB3YW50 IHRvIGdldCB0aGUNCisgICAgICBsbl9yb3VuZHMgdmFsdWUgdGhhdCBpcyBzdG9yZWQgaW4gbG9n aW4uY29uZg0KKyAgICAgIGFuZCB1c2UgaXQgdG8gaW5pdGlhbGl6ZSB0aGUgcm91bmRzIHZhbHVl LiAgDQorICAgICAgICAgICAgICAgICAgICBsbl9yb3VuZHMgaXMgdGhlIGJhc2UgMiBsb2dhcml0 aG0gb2YgdGhlIA0KKyAgICAgIGRlc2lyZWQgcm91bmRzIHZhbHVlLiAgKi8NCisgICANCisgICAg ICBpZihnZXRwd3VpZF9yKGdldHVpZCgpLCAmcHcsIHB3YnVmLCBzaXplb2YocHdidWYpLCAmcHdk KSA9PSAwKQ0KKyAgICAgIHsNCisgICBpZiggKGxjID0gbG9naW5fZ2V0cHdjbGFzcyhwd2QpKSAh PSBOVUxMKQ0KKyAgICAgew0KKyAgICAgICAgICAgICAgbG9nciA9IChpbnQpbG9naW5fZ2V0Y2Fw bnVtKGxjLCAibG5fcm91bmRzIiwgbG9nciwgbG9ncik7DQorICAgICAgIHJvdW5kcyA9IDEgPDwg bG9ncjsNCisgICAgICAgaWYocm91bmRzIDwgQkNSWVBUX01JTlJPVU5EUykNCisgICAgICAgew0K KyAgICBwcmludGYoImxuX3JvdW5kcyBpbiBsb2dpbi5jb25mIGlzIHRvbyBzbWFsbFxuIik7DQor ICAgIHJldHVybiBlcnJvcjsNCisgICAgICAgfQ0KKyAgICAgICAgICAgICAgICAgfQ0KKyAgIGVs c2UNCisgICB7DQorICAgICAgIHByaW50ZigiY291bGQgbm90IGxvb2sgdXAgY2FwYWJpbGl0eVxu Iik7DQorICAgICAgIHJldHVybiBlcnJvcjsNCisgICB9DQorICAgICAgICAgICAgIH0NCisgICAg ICBlbHNlDQorICAgICAgew0KKyAgIHByaW50ZigiQ291bGQgbm90IGxvb2sgdXAgY3VycmVudCB1 c2VyICVkXG4iLCBnZXR1aWQoKSk7DQorICAgcmV0dXJuIGVycm9yOw0KKyAgICAgICAgICAgICB9 DQogICB9DQogIA0KIA0KIA0KYmVnaW4gNjQ0IGxpYmNyeXB0LnBhdGNoDQpNOSZFRjlCYE04UmBO K1ctRThXNVI5Ml1MOjYoTzsmRUI4VylZPCcwTzhXKVk8JzBNOEZRTz1WOUk8VkBODQpNOFJgTitX LUU4VzVSOTJdTDo2KE87JkVCOFcpWTwnME07RjVXK1YtUj43IVQrNilMO1c9Rjo3LUgrRiwqDQpN KkJISigiWE88VjVDPTcpRStWUUk4Ql1MOjYpQzxHRVA9Il1DPEdFUD0iVUI7Jl1XOUZFUzoiWUMi NFVPDQpNO0IhKj02WEAoIyhALDMoWiwzPFosQzBALENgUCxQSE0rMlRAK0JdUzk2LVU8RjRPOyZF QitWUUk4Ri1SDQpNPjchVCs2WUU9Ul1DPEdFUD0iVUI7Jl1XOUZFUzoiWUMiNDlSOjIhKjg2WEAo IzxALDNEWi0jLFosUyRADQpNLENgUC0wSEoqQkhKKkJISipCSEoqQkhKKkJIKipCSEooIzRVKyM4 UCgiSEoqQkgqKzJUTSgjNFUrIzhTDQpNKCJUTSsyVCooImBDOjZZQzsnNUQ5MmBcPFdFUytXMVk8 JjVTK0ZAXiJCYEAoVkVOOFZRVTkmNEAvJy1UDQpNPEZFTjlSWUgvQEhAKCItSTtGLUw9NjFFKCNR UD1WME46I1gqKlJgQzo2WUM7JzVEOTJgXDsmRUI9NzFJDQpNOyJZSC9ASEsoIi1JO0YtTD02MUUo I1FMO1Y9STtFXUM4N2BOOiNYKipSYCooImBDOjZZQzsnNUQ5MmBCDQpNOEZRTz1WOUk8VkBOOiIo KigiYEM6NllDOyc1RDkyYEI4VylZPCcwTjoiKCooImAqKkJISipCSEoqQkhKDQpNKkJISipCSEoi QkhKKkJgUS0jMEwsMzBZKCJISipCSCorMlRNKCMkVC1SUFEtMzxAKzJUTSswSEAoYEVVDQpNN1ZF Tj0jQT89IiFDPFYlTD0lTSIwVSk5NCUxPzM0JTg0VCUsNSVUWyJCYEAiNzU/OjZZVCxTKT89IiFD DQpNOSYlVDg1TSIwVSk5NCUxPzBEUS8wVE0zNzNMKigiYCk8VzFBPSZFQygmLU87Ry1UKCYtSDg3 KEAoImBADQpNKCJJTTg2PUk4UmBdKCIoRCxGJEQsIzBEKENMKipSYCoqUmApPFcxUj02LVQoJyFB PFctVzkiIVA9UlBADQpNKkchVzkjTCoqUmApOFZBQTxCIVA9VilVOUVMUSwjKFQ3M0wqKlJgKipS YCk7Jl1HOjZZPzhWJVA3VzBADQpNKkZRQy5QSEAoImBAKCJgQCgiYEAoImBAKCJgQCgiYEAoImBA KCJgQCgiYEAoImBAKCJgQCgiYEAiQmBADQpNIjBETypCISQ5NjlBPTZRVDxSYEorUEhAKGBFTTo2 WVIoI1RAKVYkRy5QSEoqQkhKKkJISipCSEoqQkhKDQpNKkJIKipCSEooIyRZLFJQUS4zQEAqQkhK KkBITSsyVEAsQ2BRKyMoUy4iYE0rMlRNIkJgQCJCYEAiMERPDQpNKkIhJDo3LUM4NylEKCZZVTsy IVI7VzVOOScsQCpSYEIpIihAOjYxRTtHMUk5RkVFPEJgSitQSEAoYEQpDQpNPFYlTD0iYEsvMmBT LlBISyhgRV0iQkxAIjY1TDxWNCoqUmApPlBISyhgRCkrUkhANVY0RzxGNEA4VylZDQpNPCcxSTtG PEA4MiFOOTc8QDwmJVM8Vz1PPEYwTigiITc5MiFXODZZVCgnMU8oJj1FPSIhVDomNCoqUmApDQpN IjJgQCgmUU43VylPPTZZRDxSIVY4NlFVOTIhVDomJVQoJkVTKCctVDtXKUU5IiFJO0IhTDtWPUk7 QllDDQpNO1ZZRiJCTEAiMERAKCIhQTtGMEA9Ny1FKCZFVCgnMU8oJkVOOjcxSTg2UUk+RjRAPSZB RSgnKU89NllEDQpNPFIhVjg2UVU5MlhAKGBISygiYEAoImBAKCJgQCgiYEAoImBAKCJgQCgiIUw7 RV1SO1c1TjknLEA6NyxADQpNPSZBRSgmKUE8VjRALEIhTDtWPUE8RkVUOiZUQDtWOEA9JkFFKGBI SyhgRCkoImBAOSY1Uzo3KUU5IiFSDQpNO1c1TjknLEA9RiVMPTY0TigiYEorUEhLKGBEKSJCTEAi MmBAKCIhSTlCQUc5NzFQPVc1STklXVIqJj1FDQpNPSc1STkiQEkrImBGPCc8TCgnIVc4RzVGKyIh Uzo3SUU7VjhIPCc9Qj02OEkrImBGPCc9RCoyYF0vMmBQDQpNKjBISyhgREAoImBAPlBISyhgRCk6 NjhIKCJBTDhSYF0oJlFPOVZFTjdWPUU9JyFXOFZRQTxXLEg8Jz1EDQpNKjJEQCgzVEAzRTUsMyJE KipSYCkoImApPlBISyhgREAoImBAKCJgQCgiYEAoIiFMO1Y9UigjVEAqJkVODQpNPSJFTDtWPUk7 RV1HOTcxQzg3IU49NlRIOyYsTCgiKUw7RV1SO1c1TjknLEIrIiFMO1Y9UisiIUw7Vj1SDQpNKjNM KipSYCkiMmBAKCIhUjtXNU45JyxALzJgUSgjUFwoJlFPOVcoWyJCTEAiMERAKCJgQDo2OEg8Rl1V DQpNO0YxUygjUEAwRC0yNjUhNDdUVSkzRSkvNTRZJDRSRCoqUmApIjJgQCgiIVsiQkxAIjBEKTwn KUk7RzFGDQpNKiIpTDtFXVI7VzVOOScsQDo2WEA7Jl1HOjZYTjhWXU45QiFJPFIhVDtWXEA8VlVB OyZRPDtCKEkuUEhLDQpNKGBEKSI3KUU9JzVSO0IhRTxHKU88Q0wqKlJgKSIyYEAoIiFdIkJMQCgi YEAoImBAKCJgQCgiYEAoImBADQpNKCdUKipSYCkiNjVMPFY0KipSYCkiN0wqKlJgKSIyYEAoIiFQ PEZFTj0mOEgoRi1PPTZRRCgmWU89IiFMDQpNO1ZdSygnNVAoJi1BPCYlQjo2UUk9J0U8O0IoSS5Q SEsoYEQpKCJgQCgnKUU9JzVSO0IhRTxHKU88Q0wqDQpNKlJgKSI3VCoqUmBAKCJgQCgiYEAoImBA KCIhXSJCTEAiMmBAKCIhRTsnLUUiQkxAIjJgQCgiIVsiQkxADQpNIjBFUDxGRU49JjhIKEQtTz02 UUQoJllPPSIhTDtWXUsoJzVQKCYtVTxHKUU7RzBAPTctRTxCYEU5JVFODQpNKEJQQDlWNVQ9NkVE KiJESS5QSEsoYEQpPEY1VD03KU4oJjVSPEZdUi5QSEsoImBAKCJgQCgiYEAoImBADQouKCdUKigi YCk/MEhAKGBIQChgSGANCmANCmVuZA0KDQogIA0KDQo=