Re: SSHA salts <4 characters don't appear to work (ITS#3169)
Fixed in HEAD. Thanks, Kurt
At 11:13 AM 6/2/2004, zarkon@law.harvard.edu wrote:
>Full_Name: John Klein
>Version: 2.2.11
>OS: Solaris 2.8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (140.247.204.24)
>
>
>After upgrading from 2.1.22, discovered that SSHA passwords salted with fewer
>than four characters no longer appeared to be recognized by the server. We were
>able to eliminate this restriction by modifying passwd.c with the attached
>patch. I would actually prefer not to do this, since it looks dangerous (the
>check is related to a crash bug), so a more elegant solution would be a good
>plan (reading the salt_size dynamically somehow instead of making it a
>constant?).
>
>--- libraries/liblutil/passwd.c 2004-05-27 17:07:34.000004000 -0400
>+++ libraries/liblutil/passwd.c 2004-05-27 17:08:49.787157000 -0400
>@@ -460,10 +460,12 @@
> unsigned char *orig_pass = NULL;
>
> /* safety check */
>+ /* Bogus safety check 1 disabled.
> if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
> sizeof(SHA1digest)+SALT_SIZE) {
> return LUTIL_PASSWD_ERR;
> }
>+ */
>
> /* decode base64 password */
> orig_pass = (unsigned char *) ber_memalloc( (size_t) (
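Review bot: commenting out the whole pre-decode length check removes the only guard before the fixed-size digest compare, rather than relaxing it. The problem is the `+SALT_SIZE` term, which assumes a constant salt length; keep the test and lower the minimum to the digest alone, e.g. `if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHA1digest)) return LUTIL_PASSWD_ERR;`, so a blob too short to contain a SHA1 digest is still refused while any salt length (including fewer than four bytes) passes.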
>@@ -473,10 +475,12 @@
>
> rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
>
>+ /* Bogus safety check 2 disabled
> if (rc < (int)(sizeof(SHA1digest)+SALT_SIZE)) {
> ber_memfree(orig_pass);
> return LUTIL_PASSWD_ERR;
> }
>+ */
>
> /* hash credentials with salt */
> lutil_SHA1Init(&SHA1context);
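Review bot: this post-decode check is the one that matters, since `rc` is the real decoded length rather than the estimate used before decoding, and if `lutil_b64_pton` reports a failure with a negative return, this comparison was also the only thing catching it; disabling it therefore drops both the short-blob guard and the decode-error path. Suggested change: keep the check but compare against the digest size only, `if (rc < (int)sizeof(SHA1digest)) { ber_memfree(orig_pass); return LUTIL_PASSWD_ERR; }`, and feed `rc - sizeof(SHA1digest)` bytes as the salt into the following `lutil_SHA1Update` instead of `SALT_SIZE`, which is the dynamic salt length the reporter asks for.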
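The fix the reporter asks for, a salt length derived from the decoded value rather than a constant, while keeping the minimum-length guard that protects the digest compare, as an added example in Python that is not OpenLDAP's code. It models the 2.2.11 behaviour with `old_check_rejects` (assuming the report's `SALT_SIZE` is 4, matching the "fewer than four characters" in the subject) beside a `verify_ssha` that accepts any salt length but still refuses a blob too short to hold a SHA1 digest or one that is not valid base64; the `{SSHA}` layout is the usual base64(SHA1(password || salt) || salt).

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes
# Assumption: the constant the 2.2.11 check compared against, per the report.
OLD_SALT_SIZE = 4


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _decode_ssha(stored: str) -> Optional[bytes]:
    """Strip the scheme prefix and base64-decode; None on any malformed input."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        return base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def old_check_rejects(stored: str) -> bool:
    """Model of the fixed-minimum check: digest + SALT_SIZE is the floor, so a
    2-byte salt fails even though the value is well formed."""
    blob = _decode_ssha(stored)
    return blob is None or len(blob) < SHA1_LEN + OLD_SALT_SIZE


def verify_ssha(password: bytes, stored: str) -> bool:
    """Salt length is whatever follows the digest; only the digest length is a
    hard minimum, which is what keeps the compare inside the decoded buffer."""
    blob = _decode_ssha(stored)
    if blob is None or len(blob) < SHA1_LEN:
        return False  # refuse instead of comparing past the end of the blob
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]  # salt may be any length
    expected = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(digest, expected)


def run_demo() -> Dict[str, bool]:
    """Constructed samples: a short salt, a four-byte salt, a truncated blob
    and a non-base64 value, run through both checks."""
    short_salt = make_ssha(b"secret", b"ab")
    four_salt = make_ssha(b"secret", b"abcd")
    truncated = "{SSHA}" + base64.b64encode(b"0123456789").decode("ascii")
    return {
        "short_salt_old_check_rejects": old_check_rejects(short_salt),
        "short_salt_verifies": verify_ssha(b"secret", short_salt),
        "short_salt_wrong_password": verify_ssha(b"wrong", short_salt),
        "four_salt_old_check_rejects": old_check_rejects(four_salt),
        "four_salt_verifies": verify_ssha(b"secret", four_salt),
        "truncated_rejected": not verify_ssha(b"secret", truncated),
        "bad_base64_rejected": not verify_ssha(b"secret", "{SSHA}not-base64!"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The only difference between the two checks is the floor: the digest length alone is what the buffer compare actually needs, so that is the only thing worth enforcing, and the salt length falls out of the decoded size.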