From owner-freebsd-bugs Sat Jun 27 15:08:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA09309 for freebsd-bugs-outgoing; Sat, 27 Jun 1998 15:08:20 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [195.8.133.1] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA09298; Sat, 27 Jun 1998 15:08:15 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.5) with ESMTP id AAA00992; Sun, 28 Jun 1998 00:00:24 +0200 (CEST)
To: Just Another Perl Hacker
cc: FreeBSD-bugs@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/7090: crypt(3) partially returns raw password when salt isn't null-terminated
In-reply-to: Your message of "28 Jun 1998 02:42:08 +0900."
Date: Sun, 28 Jun 1998 00:00:18 +0200
Message-ID: <990.898984818@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>It is therefore FreeBSD's fault in not expecting non-terminated salts,
>while providing a compatible API with an incompatible behaviour which
>results in the blatantly wrong output. You missed my point.

No I didn't, I carefully surveyed the issue back in 1994 when I wrote the MD5 based crypt(3), and found that only very few programs were brain-damaged enough to peek into the internals of the crypt implementation this way.

Most sane users simply pass the encrypted password they have found in the passwd file as salt arg to crypt, which means that the crypt(3) can chew it up any way it wants to, and you will work both with the "old DES", which you refer to, the "new DES" which takes a 9 character salt or the MD5 based "$1$" one which takes a 12 char salt or the OpenBSD "$2a$" SHS based which has a salt longer than the number of atoms in the universe...

Remember: "Be conservative in what you send and liberal in what you expect".

QED: xlock has no business knowing that salts are X characters for any value of X.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal
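The point of the reply is that the caller hands the whole NUL-terminated string from the passwd file to crypt(3) and lets the library decide how much of it is salt, instead of copying "the first two characters" into an unterminated buffer as in the bin/7090 report. The following is an added illustration, not code from the mail, from xlock, or from FreeBSD's libcrypt: it mirrors the format dispatch the mail describes (2-char DES, 9-char "_" extended DES, up to 12-char "$1$" MD5, 29-char "$2a$" bcrypt settings) and adds the bounds check a caller should perform before passing a buffer as the salt. Function names, the enum and the sample strings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Salt/setting formats named in the mail. Example code only: it does not
 * hash anything, it just shows that the salt length depends on the prefix,
 * which is why a caller must not assume "salt == 2 characters". */
enum salt_format { SALT_UNKNOWN = 0, SALT_DES, SALT_EXT_DES, SALT_MD5, SALT_BCRYPT };

/* Number of leading bytes of a NUL-terminated `setting` that form the salt
 * (prefix, salt characters and closing delimiter where the format has one),
 * or 0 when the setting is malformed. `fmt` may be NULL. */
size_t salt_prefix_len(const char *setting, enum salt_format *fmt)
{
    size_t n = strlen(setting);
    enum salt_format f = SALT_UNKNOWN;
    size_t len = 0;

    if (strncmp(setting, "$1$", 3) == 0) {
        /* "$1$" + up to 8 salt chars + "$": at most the 12 chars the mail cites.
         * Look for the closing '$' within the 8 salt positions and the one after. */
        size_t avail = (n - 3 < 9) ? n - 3 : 9;
        const char *end = memchr(setting + 3, '$', avail);
        if (end != NULL) {
            f = SALT_MD5;
            len = (size_t)(end - setting) + 1;   /* include the closing '$' */
        }
    } else if (strncmp(setting, "$2a$", 4) == 0) {
        /* "$2a$" + two-digit cost + "$" + 22 salt chars = 29 bytes */
        if (n >= 29 && setting[6] == '$') {
            f = SALT_BCRYPT;
            len = 29;
        }
    } else if (setting[0] == '_') {
        /* BSDi extended DES: '_' + 4 iteration-count chars + 4 salt chars = 9 */
        if (n >= 9) {
            f = SALT_EXT_DES;
            len = 9;
        }
    } else if (setting[0] != '$' && n >= 2) {
        /* traditional DES: the first two characters are the salt */
        f = SALT_DES;
        len = 2;
    }

    if (fmt != NULL)
        *fmt = f;
    return len;
}

/* Convenience wrapper returning only the detected format. */
enum salt_format salt_format_of(const char *setting)
{
    enum salt_format f;
    salt_prefix_len(setting, &f);
    return f;
}

/* The defect in the report: a 2-byte buffer copied from the stored hash with
 * no terminating NUL is passed as the salt, so the library reads past it.
 * Before handing any buffer to crypt(3), confirm a NUL exists within its
 * capacity; a salt longer than the buffer is a caller bug, not a library one. */
int setting_is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Constructed sample: exactly what xlock did, two bytes and no terminator. */
const char unterminated_salt[2] = { 'a', 'b' };

int main(void)
{
    const char *samples[] = { "abXYZ", "_J9..ABCDhash", "$1$abcdefgh$hash", "$2a$05$0123456789012345678901rest" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s salt bytes: %zu\n", samples[i], salt_prefix_len(samples[i], NULL));
    printf("2-byte buffer terminated? %d\n", setting_is_terminated(unterminated_salt, sizeof unterminated_salt));
    return 0;
}
```

The verification pattern that follows from the mail is simply `strcmp(crypt(password, stored_hash), stored_hash) == 0` with the full stored string: the library, not the caller, applies the dispatch above, so a program written that way keeps working when the hash format changes.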