From 49de41577e22f26f71caed8f4791bdb8b6839db0 Mon Sep 17 00:00:00 2001
From: Geoff Rehmet
Date: Mon, 19 Sep 1994 19:26:39 +0000
Subject: [PATCH] More elegant fix for short settings. (Our existing fixes already plugged the security holes involved.)
Submitted by: Geoff Rehmet after consultation with David Burren
---
 secure/lib/libcrypt/crypt-des.c | 30 +++++++++++++++++++-----------
 secure/lib/libcrypt/crypt.c | 30 +++++++++++++++++++-----------
 2 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/secure/lib/libcrypt/crypt-des.c b/secure/lib/libcrypt/crypt-des.c
index 6d2250661065..18a45669599a 100644
--- a/secure/lib/libcrypt/crypt-des.c
+++ b/secure/lib/libcrypt/crypt-des.c
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: crypt.c,v 1.3 1994/09/07 07:16:44 pst Exp $
+ * $Id: crypt.c,v 1.4 1994/09/07 07:47:08 pst Exp $
 *
 * This is an original implementation of the DES and the crypt(3) interfaces
 * by David Burren .
@@ -592,14 +592,6 @@ crypt(char *key, char *setting)
 if (!des_initialised)
 des_init();
- /*
- * Need to check if setting is "*" - otherwise
- * crypt(k, "*") gives back "*"
- */
- for(i = 0 ; i < 2; i++)
- if(setting[i] == '\0')
- { setting[i] = 'A'; break ; }
-
 /*
 * Copy the key, shifting each character up by one bit
@@ -642,7 +634,16 @@ crypt(char *key, char *setting)
 return(NULL);
 }
 strncpy(output, setting, 9);
- p = output + 9;
+
+ /*
+ * Double check that we weren't given a short setting.
+ * If we were, the above code will probably have created
+ * wierd values for count and salt, but we don't really care.
+ * Just make sure the output string doesn't have an extra
+ * NUL in it.
+ */
+ output[9] = '\0';
+ p = output + strlen(output);
 } else {
 /*
 * "old"-style:
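Review bot: In the new-style branch of crypt-des.c (`@@ -642,7 +634,16 @@`), the added `output[9] = '\0'; p = output + strlen(output);` only tidies the returned string; a short setting is still parsed, and the new comment itself concedes that count and salt then hold arbitrary values. The parsing code lies above the hunk, but if it indexes the setting up to `setting[8]` unconditionally it reads past the terminator of a short string, so rejecting the input before parsing would be safer than hashing with an unintended salt and count, e.g. `if (strlen(setting) < 9) return(NULL);` next to the existing `return(NULL)` path. The comment is also slightly misleading: `output[9] = '\0'` is what covers a setting of nine or more characters (strncpy does not terminate in that case), while `strlen(output)` is what handles the short one, and `wierd` should read `weird`. The identical hunk in secure/lib/libcrypt/crypt.c has the same issue.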
@@ -655,7 +656,14 @@ crypt(char *key, char *setting)
 | ascii_to_bin(setting[0]);
 output[0] = setting[0];
- output[1] = setting[1];
+ /*
+ * If the encrypted password that the salt was extracted from
+ * is only 1 character long, the salt will be corrupted. We
+ * need to ensure that the output string doesn't have an extra
+ * NUL in it!
+ */
+ output[1] = setting[1] ? setting[1] : output[0];
+
 p = output + 2;
 }
 setup_salt(salt);
diff --git a/secure/lib/libcrypt/crypt.c b/secure/lib/libcrypt/crypt.c
index 6d2250661065..18a45669599a 100644
--- a/secure/lib/libcrypt/crypt.c
+++ b/secure/lib/libcrypt/crypt.c
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: crypt.c,v 1.3 1994/09/07 07:16:44 pst Exp $
+ * $Id: crypt.c,v 1.4 1994/09/07 07:47:08 pst Exp $
 *
 * This is an original implementation of the DES and the crypt(3) interfaces
 * by David Burren .
@@ -592,14 +592,6 @@ crypt(char *key, char *setting)
 if (!des_initialised)
 des_init();
- /*
- * Need to check if setting is "*" - otherwise
- * crypt(k, "*") gives back "*"
- */
- for(i = 0 ; i < 2; i++)
- if(setting[i] == '\0')
- { setting[i] = 'A'; break ; }
-
 /*
 * Copy the key, shifting each character up by one bit
@@ -642,7 +634,16 @@ crypt(char *key, char *setting)
 return(NULL);
 }
 strncpy(output, setting, 9);
- p = output + 9;
+
+ /*
+ * Double check that we weren't given a short setting.
+ * If we were, the above code will probably have created
+ * wierd values for count and salt, but we don't really care.
+ * Just make sure the output string doesn't have an extra
+ * NUL in it.
+ */
+ output[9] = '\0';
+ p = output + strlen(output);
 } else {
 /*
 * "old"-style:
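Review bot: In the old-style branch of crypt-des.c (`@@ -655,7 +656,14 @@`), the fallback `output[1] = setting[1] ? setting[1] : output[0];` covers a one-character setting but not an empty one: with `setting[0] == '\0'`, `setting[1]` is read past the terminator and `output[0]` stays NUL, so the returned string is empty now that the `'A'` substitution loop is removed in the `-592,14` hunk. Unless a check outside this hunk already rejects that input, the result would compare equal to an empty stored field, and `if (setting[0] == '\0') return(NULL);` ahead of the salt computation would rule that out. Separately, per the added comment the salt is still derived from the NUL in `setting[1]` while the output repeats `setting[0]`, so the emitted two-character prefix does not describe the salt actually used; deriving the salt from the two characters written to `output`, or saying so in the comment, would make that explicit. The salt computation starts above the hunk, and the same hunk in secure/lib/libcrypt/crypt.c needs the same treatment.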
@@ -655,7 +656,14 @@ crypt(char *key, char *setting)
 | ascii_to_bin(setting[0]);
 output[0] = setting[0];
- output[1] = setting[1];
+ /*
+ * If the encrypted password that the salt was extracted from
+ * is only 1 character long, the salt will be corrupted. We
+ * need to ensure that the output string doesn't have an extra
+ * NUL in it!
+ */
+ output[1] = setting[1] ? setting[1] : output[0];
+
 p = output + 2;
 }
 setup_salt(salt);