mount_smbfs gives error when stored crypted pw is used
Matthias Apitz
guru at unixarea.de
Wed Jun 7 12:35:42 UTC 2017
I have located the bug in /usr/src/contrib/smbfs/lib/smb/subr.c
The printf(3C) calls have been added for debugging; the bug is the
addition of 13 after crypting every char, which lets the mask used in the ^ operation
exceed 256, i.e. more than one byte, if the string to be crypted is long
enough. The two lines added:

	if (pos > 256)
		pos = pos-256;

fix this issue and the crypting/decrypting works fine; see below.
I'll later file a PR and propose the patch.

matthias

char *
smb_simplecrypt(char *dst, const char *src)
{
	int ch, pos;
	char *dp;

	printf("smb_simplecrypt(): pw: [%s]\n", src);
	if (dst == NULL) {
		dst = malloc(4 + 2 * strlen(src));
		if (dst == NULL)
			return NULL;
	}
	dp = dst;
	*dst++ = '$';
	*dst++ = '$';
	*dst++ = '1';
	pos = 27;
	while (*src) {
		ch = *src++;
		printf("ch [%c] --> ", ch);
		if (isascii(ch))
			ch = (isupper(ch) ? ('A' + (ch - 'A' + 13) % 26) :
			    islower(ch) ? ('a' + (ch - 'a' + 13) % 26) : ch);
		ch ^= pos;
		pos += 13;
		if (pos > 256)
			pos = pos-256;
		sprintf(dst, "%02x", ch);
		printf("0x%02x next ^mask (pos): 0x%02x\n", ch, pos);
		dst += 2;
	}
	*dst = 0;
	return dp;
}

$ ./smbpw
smb_simplecrypt(): pw: [1234567890-1-1234567]
ch [1] --> 0x2a next ^mask (pos): 0x28
ch [2] --> 0x1a next ^mask (pos): 0x35
ch [3] --> 0x06 next ^mask (pos): 0x42
ch [4] --> 0x76 next ^mask (pos): 0x4f
ch [5] --> 0x7a next ^mask (pos): 0x5c
ch [6] --> 0x6a next ^mask (pos): 0x69
ch [7] --> 0x5e next ^mask (pos): 0x76
ch [8] --> 0x4e next ^mask (pos): 0x83
ch [9] --> 0xba next ^mask (pos): 0x90
ch [0] --> 0xa0 next ^mask (pos): 0x9d
ch [-] --> 0xb0 next ^mask (pos): 0xaa
ch [1] --> 0x9b next ^mask (pos): 0xb7
ch [-] --> 0x9a next ^mask (pos): 0xc4
ch [1] --> 0xf5 next ^mask (pos): 0xd1
ch [2] --> 0xe3 next ^mask (pos): 0xde
ch [3] --> 0xed next ^mask (pos): 0xeb
ch [4] --> 0xdf next ^mask (pos): 0xf8
ch [5] --> 0xcd next ^mask (pos): 0x05
ch [6] --> 0x33 next ^mask (pos): 0x12
ch [7] --> 0x25 next ^mask (pos): 0x1f
cp: [$$12a1a06767a6a5e4ebaa0b09b9af5e3eddfcd3325]
smb_simpledecrypt(): hash: [$$12a1a06767a6a5e4ebaa0b09b9af5e3eddfcd3325] gives clear [1234567890-1-1234567]
--
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
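
An added test harness (not part of the original message and not FreeBSD code) that reruns the posted loop with and without the two added lines and reports the first character whose XOR result no longer fits in two hex digits. The name `simplecrypt_check`, the caller-supplied buffer and the 64-character input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/*
 * Added harness, not FreeBSD code: the ROT13 + XOR loop from the post,
 * writing into a caller buffer of at least 4 + 3 * strlen(src) bytes.
 * wrap != 0 applies the two added lines.  Unlike the original, dst is
 * advanced by what sprintf() really wrote, so a 3-digit value is visible
 * instead of being half overwritten.  Returns the index of the first
 * character whose result exceeds 0xff, or -1 if all fit in two digits.
 */
static int
simplecrypt_check(char *dst, const char *src, int wrap)
{
	int ch, pos = 27, i, first_wide = -1;

	dst += sprintf(dst, "$$1");
	for (i = 0; src[i] != '\0'; i++) {
		ch = (unsigned char)src[i];
		if (ch < 0x80)		/* same test as isascii(ch) */
			ch = isupper(ch) ? 'A' + (ch - 'A' + 13) % 26 :
			    islower(ch) ? 'a' + (ch - 'a' + 13) % 26 : ch;
		ch ^= pos;
		pos += 13;
		if (wrap && pos > 256)	/* the fix as posted */
			pos = pos - 256;
		if (ch > 0xff && first_wide < 0)
			first_wide = i;
		dst += sprintf(dst, "%02x", ch);
	}
	return first_wide;
}

int
main(void)
{
	const char *pw = "1234567890-1-1234567";	/* password from the post */
	char longpw[65], out[4 + 3 * 64];
	int r;

	printf("unwrapped: first oversized index %d\n", simplecrypt_check(out, pw, 0));
	r = simplecrypt_check(out, pw, 1);
	printf("wrapped:   first oversized index %d, %s\n", r, out);
	memset(longpw, 'x', 64);		/* constructed 64-character input */
	longpw[64] = '\0';
	printf("64 chars, wrapped: first oversized index %d\n",
	    simplecrypt_check(out, longpw, 1));
	return 0;
}
```

For the password in the post it reports index 18 without the wrap and no oversized value with it; for the constructed 64-character input it reports index 57 even with the wrap, because `pos` lands on exactly 256 there and `pos > 256` leaves it unchanged.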