From owner-freebsd-bugs@FreeBSD.ORG Sun Jun 8 23:40:08 2003 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EBA6E37B401 for ; Sun, 8 Jun 2003 23:40:08 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 67C0343FB1 for ; Sun, 8 Jun 2003 23:40:08 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h596e7Up088018 for ; Sun, 8 Jun 2003 23:40:07 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h596e7it088017; Sun, 8 Jun 2003 23:40:07 -0700 (PDT) Date: Sun, 8 Jun 2003 23:40:07 -0700 (PDT) Message-Id: <200306090640.h596e7it088017@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Alan Amesbury Subject: Re: bin/44808: opiepasswd makes bad seed for existing user X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Alan Amesbury List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Jun 2003 06:40:09 -0000 The following reply was made to PR bin/44808; it has been noted by GNATS. From: Alan Amesbury To: freebsd-gnats-submit@FreeBSD.org Cc: sakamoto@hlla.is.tsukuba.ac.jp Subject: Re: bin/44808: opiepasswd makes bad seed for existing user Date: Mon, 9 Jun 2003 01:32:38 -0500 This behaviour is also present in 4.8-RELEASE. Hideki Sakamoto's patch seems to correct the behaviour, though. (It wouldn't apply cleanly, possibly due to minor formatting differences in the source files or something. Easily corrected, though.) This is a severe bug for those of us who use OPIE. I'm curious why newseed.c seems to build its value based on the previous seed. It would seem to make more sense to use random(3) (not rand(3)!) and verify that 1) the new value doesn't equal the old, and 2) the seed size conforms with OPIE's seed size requirements. I'd write such functionality, but I'm a bit out of my depth when it comes to serious crypto. In case it's needed, the exact patch applied against the newseed.c in 4.8-RELEASE is: ---------- Patch for newseed.c ---------- *** newseed.c.orig Mon Jul 15 09:48:47 2002 --- newseed.c Mon Jun 9 01:13:25 2003 *************** *** 54,65 **** max *= 10; if ((i = strtoul(++c, (char **)0, 10)) < max) { ! if (++i >= max) ! i = 1; ! ! snprintf(c, end - c, "%d", i); ! seed[OPIE_SEED_MAX] = 0; ! return 0; } } --- 54,64 ---- max *= 10; if ((i = strtoul(++c, (char **)0, 10)) < max) { ! if (++i < max) { ! snprintf(c, end - c + 2, "%d", i); ! seed[OPIE_SEED_MAX] = 0; ! return 0; ! } } } -------- End patch for newseed.c -------- Again, I take no credit for it... and thanks to Hideki for coming up with it in the first place! -- Alan Amesbury - - - "Deep Thoughts," by Jack Handey - - - You know something that would really make me applaud? A guy gets stuck in quicksand, then sinks, then suddenly comes shooting out, riding on water skis! How do they do that?!