Re: SSHA salts <4 characters don't appear to work (ITS#3169)



Fixed in HEAD.  Thanks, Kurt

At 11:13 AM 6/2/2004, zarkon@law.harvard.edu wrote:
>Full_Name: John Klein
>Version: 2.2.11
>OS: Solaris 2.8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (140.247.204.24)
>
>
>After upgrading from 2.1.22, discovered that SSHA passwords salted with fewer
>than four characters no longer appeared to be recognized by the server. We were
>able to eliminate this restriction by modifying passwd.c with the attached
>patch. I would actually prefer not to do this, since it looks dangerous (the
>check is related to a crash bug), so a more elegant solution would be a good
>plan (reading the salt_size dynamically somehow instead of making it a
>constant?).
>
>--- libraries/liblutil/passwd.c 2004-05-27 17:07:34.000004000 -0400
>+++ libraries/liblutil/passwd.c 2004-05-27 17:08:49.787157000 -0400
>@@ -460,10 +460,12 @@
>        unsigned char *orig_pass = NULL;
> 
>        /* safety check */
>+        /* Bogus safety check 1 disabled.
>        if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
>                sizeof(SHA1digest)+SALT_SIZE) {
>                return LUTIL_PASSWD_ERR;
>        }
>+        */
> 
>        /* decode base64 password */
>        orig_pass = (unsigned char *) ber_memalloc( (size_t) (
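Review bot: the first hunk disables the length check outright instead of relaxing it; the reporter says the check is tied to a crash bug, so the right change is to drop only the fixed `SALT_SIZE` term and keep a minimum of one digest, i.e. `if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHA1digest)) return LUTIL_PASSWD_ERR;`. Fencing the block in `/* ... */` with a "Bogus safety check 1 disabled." note also leaves dead code in the tree; a patch for review should change or delete the lines rather than comment them out.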
>@@ -473,10 +475,12 @@
> 
>        rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
> 
>+        /* Bogus safety check 2 disabled
>        if (rc < (int)(sizeof(SHA1digest)+SALT_SIZE)) {
>                ber_memfree(orig_pass);
>                return LUTIL_PASSWD_ERR;
>        }
>+        */
>  
>        /* hash credentials with salt */
>        lutil_SHA1Init(&SHA1context);
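Review bot: the second hunk removes the only test on `rc` after `lutil_b64_pton`, so a value that decodes to fewer bytes than a SHA-1 digest, or fails to decode at all, now goes straight into the "hash credentials with salt" code with `orig_pass` still allocated. Keep the branch and lower its bound instead of deleting it: `if (rc < (int)sizeof(SHA1digest)) { ber_memfree(orig_pass); return LUTIL_PASSWD_ERR; }`; the salt length is then simply `rc - sizeof(SHA1digest)`, which is the dynamically read salt size the reporter asks for, and the matching change applies to the `SALT_SIZE` term in the first hunk.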
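The variable-salt check the reporter asks for, as an added example that is not OpenLDAP's passwd.c and not code from either message above. It is written in Python (hashlib and base64 standing in for liblutil) rather than C, and the function names ssha_hash and ssha_check, the choice to accept a salt of any length including zero, and the constructed passwords in the test are all my own assumptions; the page does not say which minimum the fix in HEAD chose.

```python
"""Verify {SSHA} values whose salt may be any length.

Added example (not OpenLDAP's passwd.c).  The stored form is
base64(SHA1(password || salt) || salt), so the salt length is
whatever remains after the 20-byte digest instead of a fixed
SALT_SIZE.  The only length check needed to keep the digest/salt
split in bounds is "decoded length >= digest length".
"""
import base64
import binascii
import hashlib
import hmac

PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Produce a {SSHA} string.  The salt may be shorter than four
    bytes; nothing here depends on a fixed salt size."""
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_check(stored: str, password: bytes) -> bool:
    """Return True iff password matches the stored {SSHA} value.

    Returns False (never raises) for a value without the {SSHA}
    prefix, one that is not valid base64, or one whose decoded form
    is shorter than a SHA-1 digest.  That last test replaces the
    fixed sizeof(SHA1digest)+SALT_SIZE check: everything after the
    digest, however long, is the salt.  Assumption: a zero-length
    salt is accepted and simply degenerates to an unsalted SHA-1.
    """
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed base64, the case a negative rc would signal
    if len(raw) < DIGEST_LEN:
        return False  # too short to contain even the digest
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(expected, digest)
```

A two-byte salt such as b"ab" now verifies, while a value that decodes to ten bytes or that is not base64 at all is rejected before any digest/salt split is attempted.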