Date:      Sun, 28 Jun 1998 00:00:18 +0200
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
To:        Just Another Perl Hacker <japh@gol.com>
Cc:        FreeBSD-bugs@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject:   Re: bin/7090: crypt(3) partially returns raw password when salt isn't null-terminated 
Message-ID:  <990.898984818@critter.freebsd.dk>
In-Reply-To: Your message of "28 Jun 1998 02:42:08 +0900." <oiulmvj0v.fsf@mew.gol.ad.jp>


>It is therefore FreeBSD's fault in not expecting non-terminated salts,
>while providing a compatible API with an incompatible behaviour which
>results in the blatantly wrong output.  You missed my point.

No I didn't, I carefully surveyed the issue back in 1994 when I
wrote the MD5 based crypt(3), and found that only very few programs
were brain-damaged enough to peek into the internals of the crypt
implementation this way.

Most sane users simply pass the encrypted password they have found
in the passwd file as salt arg to crypt, which means that the
crypt(3) can chew it up any way it wants to, and you will work both
with the "old DES", which you refer to, the "new DES" which takes
a 9 character salt or the MD5 based "$1$" one which takes a 12 char
salt or the OpenBSD "$2a$" SHS based which has a salt longer than
the number of atoms in the universe...

Remember: "Be conservative in what you send and liberal in what you
expect".

QED: xlock has no business knowing that salts are X characters for any
value of X.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal
