From ipfw@ya3.so-net.ne.jp  Wed May 30 10:25:32 2001
Return-Path: <ipfw@ya3.so-net.ne.jp>
Received: from mgate09.so-net.ne.jp (mgate09.so-net.ne.jp [210.139.254.156])
	by hub.freebsd.org (Postfix) with ESMTP id E97AB37B424
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 May 2001 10:25:31 -0700 (PDT)
	(envelope-from ipfw@ya3.so-net.ne.jp)
Received: from mail.ya3.so-net.ne.jp (mspool11.so-net.ne.jp [210.139.248.11])
	by mgate09.so-net.ne.jp (8.8.8+3.0Wbeta9/3.6W01050922) with ESMTP id CAA06805
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 31 May 2001 02:25:30 +0900 (JST)
Received: from localhost (pdf49cf.kngwnt01.ap.so-net.ne.jp [202.223.73.207])
	by mail.ya3.so-net.ne.jp  with ESMTP id f4UHPT126620
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 31 May 2001 02:25:29 +0900 (JST)
Message-Id: <20010531022504E.koya@pluto.math.yokohama-cu.ac.jp>
Date: Thu, 31 May 2001 02:25:04 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Sender: Yoshihiro Koya <koya@math.yokohama-cu.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Too short salt of Blowfish of 4.3-STABLE
X-Send-Pr-Version: 3.113

>Number:         27775
>Category:       bin
>Synopsis:       Too short salt of Blowfish of 4.3-STABLE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    markm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 30 10:30:01 PDT 2001
>Closed-Date:    Thu May 31 01:08:44 PDT 2001
>Last-Modified:  Thu May 31 01:09:13 PDT 2001
>Originator:     Yoshihiro Koya
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
Dept. of Math. Sci, Yokohama City Univ.
>Environment:
System: FreeBSD presario.my.domain 4.3-STABLE FreeBSD 4.3-STABLE #0: Thu May 31 01:27:03 JST 2001 root@presario.my.domain:/usr/obj/usr/src/sys/presario i386
local_passwd.c:
     $FreeBSD: src/usr.bin/passwd/local_passwd.c,v 1.24.2.1 2000/09/20 11:19:55 green Exp $
>Description:
	Salt for blowfish generated by passwd(1) is too short.
>How-To-Repeat:
	Use passwd with blowfish hashing scheme.
  Then you would obtain something like
foo:$2a$04$wJnEuWLj..............OFE3dSydtf7u8rFWbuNGJ7rH0YNUYsW:1010:20::0:0:User &:/tmp:/bin/csh
  (The above user foo and his password is an experimental one. :-)
>Fix:
local_passwd.c of rev. 1.27 seems to work well.
Please MFC.	

Index: local_passwd.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/passwd/local_passwd.c,v
retrieving revision 1.27
retrieving revision 1.24.2.1
diff -u -r1.27 -r1.24.2.1
--- local_passwd.c	2001/03/11 16:37:30	1.27
+++ local_passwd.c	2000/09/20 11:19:55	1.24.2.1
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/usr.bin/passwd/local_passwd.c,v 1.27 2001/03/11 16:37:30 markm Exp $
+ * $FreeBSD: src/usr.bin/passwd/local_passwd.c,v 1.24.2.1 2000/09/20 11:19:55 green Exp $
  */
 
 #ifndef lint
@@ -100,7 +100,7 @@
 #ifdef LOGIN_CAP
 	login_cap_t * lc;
 #endif
-	char buf[_PASSWORD_LEN+1], salt[32];
+	char buf[_PASSWORD_LEN+1], salt[10];
 	struct timeval tv;
 
 	if (!nis)
@@ -182,11 +182,7 @@
 	to64(&salt[0], random(), 3);
 	to64(&salt[3], tv.tv_usec, 3);
 	to64(&salt[6], tv.tv_sec, 2);
-	to64(&salt[8], random(), 5);
-	to64(&salt[13], random(), 5);
-	to64(&salt[17], random(), 5);
-	to64(&salt[22], random(), 5);
-	salt[27] = '\0';
+	salt[8] = '\0';
 #endif
 	return (crypt(buf, salt));
 }
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Thu May 31 00:43:24 PDT 2001 
Responsible-Changed-Why:  

He did the deed 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27775 
State-Changed-From-To: open->closed 
State-Changed-By: markm 
State-Changed-When: Thu May 31 01:08:44 PDT 2001 
State-Changed-Why:  
Committed, thanks! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27775 
>Unformatted:
