Hello community,
here is the log from the commit of package libxcrypt
checked in at Mon Oct 6 18:22:47 CEST 2008.
--------
--- libxcrypt/libxcrypt.changes 2008-06-26 15:54:04.000000000 +0200
+++ /mounts/work_src_done/STABLE/libxcrypt/libxcrypt.changes 2008-09-28 01:39:33.000000000 +0200
@@ -1,0 +2,5 @@
+Sun Sep 28 01:38:22 CEST 2008 - kukuk@suse.de
+
+- Add missing gensalt security fixes (was [bnc#408719])
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
gensalt-fixes.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxcrypt.spec ++++++
--- /var/tmp/diff_new_pack.s17477/_old 2008-10-06 18:21:21.000000000 +0200
+++ /var/tmp/diff_new_pack.s17477/_new 2008-10-06 18:21:21.000000000 +0200
@@ -2,9 +2,16 @@
# spec file for package libxcrypt (Version 3.0.1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# This file and all modifications and additions to the pristine
-# package are under the same license as the package itself.
#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
@@ -16,10 +23,11 @@
Group: System/Libraries
AutoReqProv: on
Version: 3.0.1
-Release: 1
+Release: 25
Summary: Crypt Library for DES, MD5, Blowfish and others
Source: libxcrypt-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+Patch: gensalt-fixes.diff
%description
Libxcrypt is a replacement for libcrypt, which comes with the GNU C
@@ -47,8 +55,10 @@
%prep
%setup -q
+%patch
%build
+automake
./configure CFLAGS="$RPM_OPT_FLAGS -Wno-cast-align" \
--prefix=%{_prefix} \
--libdir=/%{_lib} --disable-static
@@ -85,6 +95,8 @@
%{_libdir}/libxcrypt.so
%changelog
+* Sun Sep 28 2008 kukuk@suse.de
+- Add missing gensalt security fixes (was [bnc#408719])
* Thu Jun 26 2008 kukuk@suse.de
- Remove old obsolete libxcrypt.so.1
* Tue Apr 15 2008 kukuk@suse.de
++++++ gensalt-fixes.diff ++++++
2008-09-28 Thorsten Kukuk
* src/xcrypt-private.h: Add prototype for _xcrypt_gensalt_sha256_rn
and _xcrypt_gensalt_sha512_rn.
* src/crypt_gensalt.c: Add new gensalt functions.
* src/xcrypt.c: Use gensalt functions for sha512 and sha256.
* src/gensalt-test.c: Enable test cases for sha256 and sha512.
2008-07-16 Thorsten Kukuk
* src/xcrypt.c (__xcrypt_gensalt_r): Handle special
MD5 case.
* src/gensalt-test.c: New test case.
* src/Makefile.am: Add gensalt-test as new test case.
--- src/Makefile.am 25 Oct 2007 13:16:41 -0000 1.15
+++ src/Makefile.am 16 Jul 2008 12:21:19 -0000 1.16
@@ -16,7 +16,7 @@
EXTRA_DIST = libxcrypt.map cert.sh cert.input
-TESTS = cert.sh bigcrypt-test
+TESTS = cert.sh bigcrypt-test gensalt-test
include_HEADERS = xcrypt.h
noinst_HEADERS = crypt-private.h libc-symbols.h ufc-crypt.h xcrypt-private.h
@@ -30,7 +30,9 @@
libxcrypt_la_SOURCES = crypt-entry.c crypt.c crypt_util.c \
crypt_gensalt.c xcrypt.c bigcrypt.c
-noinst_PROGRAMS = cert bigcrypt-test
+noinst_PROGRAMS = cert bigcrypt-test gensalt-test
cert_LDADD = libxcrypt.la
bigcrypt_test_LDADD = libxcrypt.la
+gensalt_test_LDADD = libxcrypt.la
+
--- src/crypt_gensalt.c 19 Oct 2007 13:32:40 -0000 1.5
+++ src/crypt_gensalt.c 27 Sep 2008 23:23:38 -0000 1.8
@@ -8,6 +8,8 @@
*/
#include
+#include
+#include
#include
#ifndef __set_errno
@@ -75,39 +77,173 @@
return output;
}
-char *_xcrypt_gensalt_md5_rn(unsigned long count,
- __CONST char *input, int size, char *output, int output_size)
+char *
+_xcrypt_gensalt_md5_rn (unsigned long count __attribute__((unused)),
+ const char *input, int size,
+ char *output, int output_size)
{
- unsigned long value;
+ unsigned long value;
- if (size < 3 || output_size < 3 + 4 + 1 || (count && count != 1000)) {
- if (output_size > 0) output[0] = '\0';
- __set_errno((output_size < 3 + 4 + 1) ? ERANGE : EINVAL);
- return NULL;
+ if (size < 3 || output_size < 3 + 4 + 1)
+ {
+ if (output_size > 0)
+ output[0] = '\0';
+ errno = ERANGE;
+ return NULL;
+ }
+
+ output[0] = '$';
+ output[1] = '1';
+ output[2] = '$';
+ value = (unsigned long)(unsigned char)input[0] |
+ ((unsigned long)(unsigned char)input[1] << 8) |
+ ((unsigned long)(unsigned char)input[2] << 16);
+ output[3] = _xcrypt_itoa64[value & 0x3f];
+ output[4] = _xcrypt_itoa64[(value >> 6) & 0x3f];
+ output[5] = _xcrypt_itoa64[(value >> 12) & 0x3f];
+ output[6] = _xcrypt_itoa64[(value >> 18) & 0x3f];
+ output[7] = '\0';
+
+ if (size >= 6 && output_size >= 3 + 4 + 4 + 1) {
+ value = (unsigned long)(unsigned char)input[3] |
+ ((unsigned long)(unsigned char)input[4] << 8) |
+ ((unsigned long)(unsigned char)input[5] << 16);
+ output[7] = _xcrypt_itoa64[value & 0x3f];
+ output[8] = _xcrypt_itoa64[(value >> 6) & 0x3f];
+ output[9] = _xcrypt_itoa64[(value >> 12) & 0x3f];
+ output[10] = _xcrypt_itoa64[(value >> 18) & 0x3f];
+ output[11] = '\0';
+ }
+
+ return output;
+}
+
+char *
+_xcrypt_gensalt_sha256_rn (unsigned long count, const char *input, int size,
+ char *output, int output_size)
+{
+ unsigned long value;
+ char *buf;
+ char buf2[12];
+
+ if (count > 0)
+ {
+ if (asprintf (&buf, "$5$rounds=%ld$", count) < 0)
+ {
+ if (output_size > 0)
+ output[0] = '\0';
+ errno = ENOMEM;
+ return NULL;
+ }
+ }
+ else
+ {
+ if (asprintf (&buf, "$5$") < 0)
+ {
+ if (output_size > 0)
+ output[0] = '\0';
+ errno = ENOMEM;
+ return NULL;
}
+ }
- output[0] = '$';
- output[1] = '1';
- output[2] = '$';
- value = (unsigned long)(unsigned char)input[0] |
- ((unsigned long)(unsigned char)input[1] << 8) |
- ((unsigned long)(unsigned char)input[2] << 16);
- output[3] = _xcrypt_itoa64[value & 0x3f];
- output[4] = _xcrypt_itoa64[(value >> 6) & 0x3f];
- output[5] = _xcrypt_itoa64[(value >> 12) & 0x3f];
- output[6] = _xcrypt_itoa64[(value >> 18) & 0x3f];
- output[7] = '\0';
-
- if (size >= 6 && output_size >= 3 + 4 + 4 + 1) {
- value = (unsigned long)(unsigned char)input[3] |
- ((unsigned long)(unsigned char)input[4] << 8) |
- ((unsigned long)(unsigned char)input[5] << 16);
- output[7] = _xcrypt_itoa64[value & 0x3f];
- output[8] = _xcrypt_itoa64[(value >> 6) & 0x3f];
- output[9] = _xcrypt_itoa64[(value >> 12) & 0x3f];
- output[10] = _xcrypt_itoa64[(value >> 18) & 0x3f];
- output[11] = '\0';
+ if (size < 3 || output_size < (int)strlen (buf) + 4 + 1)
+ {
+ free (buf);
+ if (output_size > 0)
+ output[0] = '\0';
+ errno = ERANGE;
+ return NULL;
+ }
+
+ value = (unsigned long)(unsigned char)input[0] |
+ ((unsigned long)(unsigned char)input[1] << 8) |
+ ((unsigned long)(unsigned char)input[2] << 16);
+ buf2[0] = _xcrypt_itoa64[value & 0x3f];
+ buf2[1] = _xcrypt_itoa64[(value >> 6) & 0x3f];
+ buf2[2] = _xcrypt_itoa64[(value >> 12) & 0x3f];
+ buf2[3] = _xcrypt_itoa64[(value >> 18) & 0x3f];
+ buf2[4] = '\0';
+
+ if (size >= 6 && output_size >= (int)strlen (buf) + 4 + 4 + 1)
+ {
+ value = (unsigned long)(unsigned char)input[3] |
+ ((unsigned long)(unsigned char)input[4] << 8) |
+ ((unsigned long)(unsigned char)input[5] << 16);
+ buf2[4] = _xcrypt_itoa64[value & 0x3f];
+ buf2[5] = _xcrypt_itoa64[(value >> 6) & 0x3f];
+ buf2[6] = _xcrypt_itoa64[(value >> 12) & 0x3f];
+ buf2[7] = _xcrypt_itoa64[(value >> 18) & 0x3f];
+ buf2[8] = '\0';
+ }
+
+ snprintf (output, output_size, "%s%s", buf, buf2);
+ free (buf);
+
+ return output;
+}
+
+char *
+_xcrypt_gensalt_sha512_rn (unsigned long count, const char *input, int size,
+ char *output, int output_size)
+{
+ unsigned long value;
+ char *buf;
+ char buf2[12];
+
+ if (count > 0)
+ {
+ if (asprintf (&buf, "$6$rounds=%ld$", count) < 0)
+ {
+ if (output_size > 0)
+ output[0] = '\0';
+ errno = ENOMEM;
+ return NULL;
+ }
+ }
+ else
+ {
+ if (asprintf (&buf, "$6$") < 0)
+ {
+ if (output_size > 0)
+ output[0] = '\0';
+ errno = ENOMEM;
+ return NULL;
}
+ }
- return output;
+ if (size < 3 || output_size < (int)strlen (buf) + 4 + 1)
+ {
+ free (buf);
+ if (output_size > 0)
+ output[0] = '\0';
+ __set_errno(ERANGE);
+ return NULL;
+ }
+
+ value = (unsigned long)(unsigned char)input[0] |
+ ((unsigned long)(unsigned char)input[1] << 8) |
+ ((unsigned long)(unsigned char)input[2] << 16);
+ buf2[0] = _xcrypt_itoa64[value & 0x3f];
+ buf2[1] = _xcrypt_itoa64[(value >> 6) & 0x3f];
+ buf2[2] = _xcrypt_itoa64[(value >> 12) & 0x3f];
+ buf2[3] = _xcrypt_itoa64[(value >> 18) & 0x3f];
+ buf2[4] = '\0';
+
+ if (size >= 6 && output_size >= (int)strlen (buf) + 4 + 4 + 1)
+ {
+ value = (unsigned long)(unsigned char)input[3] |
+ ((unsigned long)(unsigned char)input[4] << 8) |
+ ((unsigned long)(unsigned char)input[5] << 16);
+ buf2[4] = _xcrypt_itoa64[value & 0x3f];
+ buf2[5] = _xcrypt_itoa64[(value >> 6) & 0x3f];
+ buf2[6] = _xcrypt_itoa64[(value >> 12) & 0x3f];
+ buf2[7] = _xcrypt_itoa64[(value >> 18) & 0x3f];
+ buf2[8] = '\0';
+ }
+
+ snprintf (output, output_size, "%s%s", buf, buf2);
+ free (buf);
+
+ return output;
}
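Review bot: `asprintf (&buf, "$5$rounds=%ld$", count)` in _xcrypt_gensalt_sha256_rn, and the `$6$` twin in _xcrypt_gensalt_sha512_rn, print an `unsigned long` with `%ld`, which is undefined behaviour and in practice renders large counts as negative numbers, producing a `rounds=` field the hash code cannot parse; change both to `"$5$rounds=%lu$"` / `"$6$rounds=%lu$"`. Neither function bounds `count`, so if the library's SHA-crypt implementation clamps the rounds value (not visible here), the rounds written into the salt can differ from the rounds actually used. The two new functions also set errno differently on the same condition (`errno = ERANGE;` vs `__set_errno(ERANGE);`) — pick one form. Both encode at most 6 input bytes into 8 salt characters (48 bits) even though the format allows up to 16 salt characters and callers may supply more entropy; consider consuming more of `input` when `size` permits. The reworked _xcrypt_gensalt_md5_rn marks `count` unused and drops the old `count != 1000` EINVAL check, so a request for non-default rounds on MD5 is now silently ignored rather than rejected.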
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ src/gensalt-test.c 27 Sep 2008 23:23:38 -0000 1.2
@@ -0,0 +1,109 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "xcrypt.h"
+
+#ifndef RANDOM_DEVICE
+#define RANDOM_DEVICE "/dev/urandom"
+#endif
+
+static int
+read_loop (int fd, char *buffer, int count)
+{
+ int offset, block;
+
+ offset = 0;
+ while (count > 0)
+ {
+ block = read(fd, &buffer[offset], count);
+
+ if (block < 0)
+ {
+ if (errno == EINTR)
+ continue;
+ return block;
+ }
+ if (!block)
+ return offset;
+
+ offset += block;
+ count -= block;
+ }
+
+ return offset;
+}
+
+static char *
+make_crypt_salt (const char *crypt_prefix, int crypt_rounds)
+{
+#define CRYPT_GENSALT_OUTPUT_SIZE (7 + 22 + 1)
+ int fd;
+ char entropy[16];
+ char *retval;
+ char output[CRYPT_GENSALT_OUTPUT_SIZE];
+
+ fd = open (RANDOM_DEVICE, O_RDONLY);
+ if (fd < 0)
+ {
+ fprintf (stderr, "Can't open %s for reading: %s\n",
+ RANDOM_DEVICE, strerror (errno));
+ return NULL;
+ }
+
+ if (read_loop (fd, entropy, sizeof(entropy)) != sizeof(entropy))
+ {
+ close (fd);
+ fprintf (stderr, "Unable to obtain entropy from %s\n",
+ RANDOM_DEVICE);
+ return NULL;
+ }
+
+ close (fd);
+
+ retval = crypt_gensalt_r (crypt_prefix, crypt_rounds, entropy,
+ sizeof (entropy), output, sizeof(output));
+
+ memset (entropy, 0, sizeof (entropy));
+
+ if (!retval)
+ {
+ fprintf (stderr,
+ "Unable to generate a salt, check your crypt settings.\n");
+ return NULL;
+ }
+
+ return strdup (retval);
+}
+
+static char *salt_input[] =
+ { "", "$1$", "$2a$" , "$5$", "$6$" };
+
+int
+main(void)
+{
+ int i;
+
+ for (i = 0; i < (int) (sizeof (salt_input) / sizeof (salt_input[0])); i++)
+ {
+ char *salt = make_crypt_salt (salt_input[i], 0);
+
+ if (salt_input[i][0] != '\0')
+ {
+ if (strncmp (salt_input[i], salt, strlen (salt_input[i])) != 0)
+ {
+ fprintf (stderr, "ERROR: input=%s, output=%s\n",
+ salt_input[i], salt);
+ return 1;
+ }
+ }
+ }
+
+ return 0;
+}
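Review bot: `strncmp (salt_input[i], salt, strlen (salt_input[i]))` in main dereferences `salt` without a NULL check, but make_crypt_salt returns NULL on every failure path (open, short read, crypt_gensalt_r failure), so a failed salt generation crashes the test instead of reporting it; add `if (salt == NULL) return 1;` directly after the make_crypt_salt call. The `strdup` result is never freed, and the `memset (entropy, 0, sizeof (entropy))` on a local about to go out of scope may be optimized away — acceptable in a test, but worth a one-line comment such as `/* best-effort scrub; the compiler may elide this */`. read_loop takes `int count` and returns `int` while its result is compared with `sizeof(entropy)`; that works only because -1 converts to a large unsigned value, so `ssize_t`/`size_t` would make the intent clearer.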
--- src/xcrypt-private.h 30 Oct 2007 11:21:09 -0000 1.6
+++ src/xcrypt-private.h 27 Sep 2008 23:07:21 -0000 1.7
@@ -29,6 +29,14 @@
char *output, int output_size);
extern char *_xcrypt_gensalt_md5_rn (unsigned long count, __const char *input,
int size, char *output, int output_size);
+extern char *_xcrypt_gensalt_sha256_rn (unsigned long count,
+ __const char *input,
+ int size, char *output,
+ int output_size);
+extern char *_xcrypt_gensalt_sha512_rn (unsigned long count,
+ __const char *input,
+ int size, char *output,
+ int output_size);
extern struct crypt_data _ufc_foobar;
--- src/xcrypt.c 25 Oct 2007 12:59:51 -0000 1.2
+++ src/xcrypt.c 27 Sep 2008 23:07:21 -0000 1.5
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007 Thorsten Kukuk
+/* Copyright (C) 2007, 2008 Thorsten Kukuk
Author: Thorsten Kukuk
This program is free software; you can redistribute it and/or modify
@@ -192,7 +192,16 @@
struct plugin_t *plugin = get_plugin (hash_id);
if (plugin == NULL || plugin->gensalt_r == NULL)
- use = _xcrypt_gensalt_traditional_rn;
+ {
+ if (hash_id[0] == '1') /* Special case: MD5 */
+ use = _xcrypt_gensalt_md5_rn;
+ else if (hash_id[0] == '5') /* sha256 */
+ use = _xcrypt_gensalt_sha256_rn;
+ else if (hash_id[0] == '6') /* sha512 */
+ use = _xcrypt_gensalt_sha512_rn;
+ else
+ use = _xcrypt_gensalt_traditional_rn;
+ }
else
use = plugin->gensalt_r;
}
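Review bot: The new fallback selects the built-in MD5/SHA-256/SHA-512 gensalt from `hash_id[0]` alone, so any id whose first byte is '1', '5' or '6' is routed there regardless of the rest of the id — including an id a loaded plugin claims but without a `gensalt_r`. If `hash_id` can be longer than one character (its derivation lies before the hunk; __xcrypt_gensalt_r starts outside it), compare the whole id rather than its first byte, and add a comment stating that the built-ins are only a fallback when no plugin provides `gensalt_r`.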
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...