Date: Sun, 8 Jun 2003 23:40:07 -0700 (PDT)
From: Alan Amesbury <aka-CHKE7RJUQGNmU-freebsd.com@mailswitch.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/44808: opiepasswd makes bad seed for existing user
Message-ID: <200306090640.h596e7it088017@freefall.freebsd.org>
The following reply was made to PR bin/44808; it has been noted by GNATS.

From: Alan Amesbury <aka-CHKE7RJUQGNmU-freebsd.com@mailswitch.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc: sakamoto@hlla.is.tsukuba.ac.jp
Subject: Re: bin/44808: opiepasswd makes bad seed for existing user
Date: Mon, 9 Jun 2003 01:32:38 -0500

This behaviour is also present in 4.8-RELEASE. Hideki Sakamoto's patch seems to correct the behaviour, though. (It wouldn't apply cleanly, possibly due to minor formatting differences in the source files or something. Easily corrected, though.)

This is a severe bug for those of us who use OPIE. I'm curious why newseed.c seems to build its value based on the previous seed. It would seem to make more sense to use random(3) (not rand(3)!) and verify that 1) the new value doesn't equal the old, and 2) the seed size conforms with OPIE's seed size requirements. I'd write such functionality, but I'm a bit out of my depth when it comes to serious crypto.

In case it's needed, the exact patch applied against the newseed.c in 4.8-RELEASE is:

---------- Patch for newseed.c ----------
*** newseed.c.orig	Mon Jul 15 09:48:47 2002
--- newseed.c	Mon Jun  9 01:13:25 2003
***************
*** 54,65 ****
  max *= 10;
  if ((i = strtoul(++c, (char **)0, 10)) < max) {
!   if (++i >= max)
!     i = 1;
! 
!   snprintf(c, end - c, "%d", i);
!   seed[OPIE_SEED_MAX] = 0;
!   return 0;
  }
  }
--- 54,64 ----
  max *= 10;
  if ((i = strtoul(++c, (char **)0, 10)) < max) {
!   if (++i < max) {
!     snprintf(c, end - c + 2, "%d", i);
!     seed[OPIE_SEED_MAX] = 0;
!     return 0;
!   }
  }
  }
-------- End patch for newseed.c --------

Again, I take no credit for it... and thanks to Hideki for coming up with it in the first place!

-- 
Alan Amesbury

- - - "Deep Thoughts," by Jack Handey - - -
You know something that would really make me applaud? A guy gets stuck in quicksand, then sinks, then suddenly comes shooting out, riding on water skis! How do they do that?!
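Review bot: the replacement hunk's `snprintf(c, end - c + 2, "%d", i)` carries an unexplained `+ 2`, and whether that size stays inside the seed buffer depends on how `end` is computed, which is outside the visible lines; since the very next statement writes `seed[OPIE_SEED_MAX] = 0`, the buffer must hold at least OPIE_SEED_MAX + 1 bytes, so the bound would be clearer and easier to audit as `seed + OPIE_SEED_MAX + 1 - c` (or at least a comment deriving the `+ 2`). The hunk also removes the old `if (++i >= max) i = 1;` wrap-around: when the incremented counter reaches `max`, the new code falls out of the inner `if` instead of restarting at 1, and neither the patch nor the message says what the code after the loop does in that case, so that behaviour change should be stated explicitly in the commit message.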
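The reply above proposes generating a fresh seed from random(3) and then checking that it differs from the previous seed and fits OPIE's seed-size rules. The C program below is an added illustration of that check and is not code from the PR, from Hideki Sakamoto's patch, or from FreeBSD's newseed.c. It assumes the bounds OPIE_SEED_MIN 5 and OPIE_SEED_MAX 16 (recalled from opie.h; treat them as assumptions) and RFC 2289's rule that a seed consists of alphanumeric characters; `seed_is_valid`, `make_new_seed` and `stuck_rng` are hypothetical names. The generator is passed as a callback so that random(3) can be swapped for a cryptographic source such as arc4random(3), which is what a present-day implementation would use, since random(3) is a deterministic PRNG seeded from a small state.

```c
#define _DEFAULT_SOURCE 1   /* exposes random(3)/srandom(3) on glibc */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed seed bounds mirroring opie.h's OPIE_SEED_MIN / OPIE_SEED_MAX
 * (RFC 2289 permits 1..16 alphanumeric characters; the minimum of 5 is
 * recalled from opie.h and is an assumption here). */
#define SEED_MIN 5
#define SEED_MAX 16

/* Exclusive upper bound of what random(3) returns; the rng callback passed
 * to make_new_seed() is assumed to return values in [0, RNG_RANGE). */
#define RNG_RANGE 0x80000000UL

/* Hypothetical helper: a seed is acceptable when its length is within bounds
 * and every character is alphanumeric. Returns 1 if valid, 0 otherwise. */
int seed_is_valid(const char *seed)
{
    size_t len = strlen(seed);

    if (len < SEED_MIN || len > SEED_MAX)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)seed[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: fill `out` with a fresh seed of `len` lowercase
 * alphanumeric characters drawn from `rng`, retrying until the result
 * differs from `old` (NULL when the user has no previous seed).
 * Returns 0 on success, -1 if the length is out of bounds, `out` is too
 * small, or no differing seed was produced within the retry budget. */
int make_new_seed(const char *old, char *out, size_t outsz, size_t len,
                  long (*rng)(void))
{
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    const unsigned long nalpha = sizeof(alphabet) - 1;
    /* Reject rng outputs at or above this limit so `% nalpha` is unbiased. */
    const unsigned long limit = RNG_RANGE - RNG_RANGE % nalpha;

    if (len < SEED_MIN || len > SEED_MAX || outsz < len + 1)
        return -1;

    for (int attempt = 0; attempt < 100; attempt++) {
        for (size_t i = 0; i < len; i++) {
            unsigned long r;
            do {
                r = (unsigned long)rng();
            } while (r >= limit);
            out[i] = alphabet[r % nalpha];
        }
        out[len] = '\0';
        /* The "must differ from the old seed" check from the reply. */
        if (old == NULL || strcmp(old, out) != 0)
            return seed_is_valid(out) ? 0 : -1;
    }
    return -1;
}

/* Degenerate generator (constructed) used to show the differ check firing:
 * it can only ever produce "aaaa...". */
long stuck_rng(void)
{
    return 0;
}

int main(void)
{
    char seed[SEED_MAX + 1];

    srandom(1);
    if (make_new_seed("abcd1", seed, sizeof seed, 8, random) == 0)
        printf("old seed abcd1 -> new seed %s\n", seed);
    if (make_new_seed("aaaaa", seed, sizeof seed, 5, stuck_rng) != 0)
        printf("stuck generator: refused to hand back the old seed aaaaa\n");
    return 0;
}
```

The rejection loop on `limit` matters more than it looks: OPIE's 36-character alphabet does not divide the generator's range evenly, so a bare `% 36` would skew the first few characters, and a seed generator is exactly the place where a small bias is worth removing.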
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200306090640.h596e7it088017>