Date: Sun, 28 Jun 1998 00:00:18 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Just Another Perl Hacker <japh@gol.com>
Cc: FreeBSD-bugs@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/7090: crypt(3) partially returns raw password when salt isn't null-terminated
Message-ID: <990.898984818@critter.freebsd.dk>
In-Reply-To: Your message of "28 Jun 1998 02:42:08 +0900." <oiulmvj0v.fsf@mew.gol.ad.jp>
>It is therefore FreeBSD's fault in not expecting non-terminated salts,
>while providing a compatible API with an incompatible behaviour which
>results in the blatantly wrong output. You missed my point.

No I didn't, I carefully surveyed the issue back in 1994 when I wrote the
MD5 based crypt(3), and found that only very few programs were brain-damaged
enough to peek into the internals of the crypt implementation this way.

Most sane users simply pass the encrypted password they have found in the
passwd file as salt arg to crypt, which means that the crypt(3) can chew it
up any way it wants to, and you will work both with the "old DES", which you
refer to, the "new DES" which takes a 9 character salt or the MD5 based "$1$"
one which takes a 12 char salt or the OpenBSD "$2a$" SHS based which has a
salt longer than the number of atoms in the universe...

Remember: "Be conservative in what you send and liberal in what you expect".

QED: xlock has no business knowing that salts are X characters for any value
of X.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal
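The point above, that the caller hands crypt(3) the whole stored hash and lets the implementation decide how much of it is salt, is easier to see with the setting-string parser written out. The following is an added illustration, not FreeBSD's libcrypt nor any code from this thread: it recognises the four settings the message names (traditional DES, BSDi extended DES "_cccc" + 4 salt chars, the "$1$" MD5 form with up to 8 salt characters ended by '$', and OpenBSD "$2a$NN$" followed by a 22-character salt) from whatever prefix of the passwd field it is given. The field layouts are standard for those schemes; the function names, the struct, and the explicit length argument are this example's own choices. The length argument is the practitioner's caveat: a caller that, xlock-style, copies two bytes into an unterminated buffer gets an error back instead of a parse that has wandered past the end of its buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hash scheme recognised from the leading bytes of a crypt(3) setting. */
enum crypt_scheme {
    SCHEME_UNKNOWN = 0,
    SCHEME_DES,       /* 2-char salt, e.g. "abJnggxhB/yWI" */
    SCHEME_EXT_DES,   /* "_" + 4 iteration-count chars + 4 salt chars */
    SCHEME_MD5,       /* "$1$" + up to 8 salt chars + "$" */
    SCHEME_BCRYPT     /* "$2a$" + 2-digit cost + "$" + 22 salt chars */
};

struct crypt_setting {
    enum crypt_scheme scheme;
    char salt[32];    /* salt characters only, NUL-terminated */
    size_t salt_len;
};

/* The 64-character alphabet crypt(3) salts are drawn from. */
static int is_salt_char(char c)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return c != '\0' && strchr(alphabet, c) != NULL;
}

/*
 * Parse a setting string the way a crypt(3) implementation does: the caller
 * passes whatever it found in the password file (or a prefix of it) and the
 * implementation works out which bytes are salt.  'len' bounds every read, so
 * a caller holding an unterminated buffer cannot make us read past it.
 * Returns 0 on success, -1 if the bytes do not form a complete, known setting.
 */
int crypt_setting_parse(const char *setting, size_t len, struct crypt_setting *out)
{
    size_t i;

    memset(out, 0, sizeof *out);

    /* OpenBSD bcrypt: "$2a$NN$" then exactly 22 salt characters. */
    if (len >= 7 && strncmp(setting, "$2a$", 4) == 0 && setting[6] == '$') {
        if (len < 7 + 22)
            return -1;                        /* truncated salt */
        for (i = 0; i < 22; i++) {
            if (!is_salt_char(setting[7 + i]))
                return -1;
            out->salt[i] = setting[7 + i];
        }
        out->salt_len = 22;
        out->scheme = SCHEME_BCRYPT;
        return 0;
    }
    /* MD5: "$1$" then up to 8 salt characters, ended by '$' or end of data. */
    if (len >= 3 && strncmp(setting, "$1$", 3) == 0) {
        for (i = 0; i < 8 && 3 + i < len; i++) {
            char c = setting[3 + i];
            if (c == '$' || c == '\0')
                break;
            if (!is_salt_char(c))
                return -1;
            out->salt[i] = c;
        }
        out->salt_len = i;
        out->scheme = SCHEME_MD5;
        return 0;
    }
    /* BSDi extended DES: '_' + 4 count chars + 4 salt chars (9 in total). */
    if (len >= 9 && setting[0] == '_') {
        for (i = 1; i < 9; i++)
            if (!is_salt_char(setting[i]))
                return -1;
        memcpy(out->salt, setting + 5, 4);
        out->salt_len = 4;
        out->scheme = SCHEME_EXT_DES;
        return 0;
    }
    /* Traditional DES: the first two characters are the salt. */
    if (len >= 2 && is_salt_char(setting[0]) && is_salt_char(setting[1])) {
        out->salt[0] = setting[0];
        out->salt[1] = setting[1];
        out->salt_len = 2;
        out->scheme = SCHEME_DES;
        return 0;
    }
    return -1;   /* "$" prefix we do not know, or too few bytes to decide */
}

/* Convenience wrapper for a NUL-terminated field straight out of passwd. */
int crypt_setting_parse_str(const char *setting, struct crypt_setting *out)
{
    return crypt_setting_parse(setting, strlen(setting), out);
}

int main(void)
{
    /* Constructed sample fields; the hash parts are filler, not real hashes. */
    const char *fields[] = {
        "abJnggxhB/yWI",
        "_J9..SaLtXXXXXXXXXXX",
        "$1$saltsalt$v7x2L4Ztu9cwXB5hazTd11",
        "$2a$05$abcdefghijklmnopqrstuuHASHHASHHASHHASHHASHHASHHASHHASH",
    };
    char unterminated[2] = { '$', '1' };   /* xlock-style 2-byte salt copy */
    struct crypt_setting s;
    size_t i;

    for (i = 0; i < sizeof fields / sizeof fields[0]; i++)
        printf("%-60s scheme=%d salt=%s\n", fields[i],
               crypt_setting_parse_str(fields[i], &s) == 0 ? (int)s.scheme : -1,
               s.salt);
    printf("unterminated 2-byte buffer: %d\n",
           crypt_setting_parse(unterminated, sizeof unterminated, &s));
    return 0;
}
```

A caller that verifies a password does the same thing at a higher level: it passes the whole passwd field to crypt(3) and compares the result to that field, and never needs to know which of the four layouts it holds.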