[Bug 192277] New: crypt(3) regression

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jul 30 18:37:55 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192277

            Bug ID: 192277
           Summary: crypt(3) regression
           Product: Base System
           Version: 9.3-RELEASE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: lampa at fit.vutbr.cz

#include <stdio.h>
#include <unistd.h>     /* crypt(3) is declared here on FreeBSD; link with -lcrypt */

int main(void)
{
        char *p;

        /* Traditional (non-modular) two-character salt: "12"; the man page
         * says this should select the built-in default, i.e. DES. */
        p = crypt("12345678", "1234");
        if (p == NULL) {
                perror("crypt");
                return 1;
        }
        printf("hash = %s\n", p);
        return 0;
}

The result is sha512 hash =
$6$1234$YlCaDQ/VIZKWwIo2tmk5UTOuoVbHSCBk8.4kcEXuwEVM2CDbAJOGIIPDK5DYedDT0Es/Rj2CSoD8LCpLhu8gy1

According to the man page, it should return a DES format hash. This is a serious
regression; it can result in a buffer overflow in old applications that don't
expect anything else (I have been beaten by one such). IMHO historically
incompatible behavior can happen only in the Modular case. Both Modular and
Traditional format salts should result in a DES format hash in the default case
(without crypt_set_format), exactly like the man page says:

man 3 crypt
   Traditional crypt:
     The algorithm used will depend upon whether crypt_set_format() has been
     called and whether a global default format has been specified.  Unless a
     global default has been specified or crypt_set_format() has set the
     format to something else, the built-in default format is used.  This is
     currently DES if it is available, or MD5 if not.
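The hazard described above is that legacy callers copy crypt()'s result into a
fixed 13-character (plus NUL) buffer. The following is an added example, not
code from the bug report or from FreeBSD's libcrypt: it classifies a returned
hash string as traditional DES or modular ($id$salt$hash) and shows a
length-checked copy that fails cleanly instead of overflowing. It does not call
crypt() itself; the modular hash is the sha512 string quoted in the report and
the DES-format string is a constructed sample, so it runs without -lcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Hash formats a crypt(3) implementation can hand back. */
enum crypt_format { FMT_UNKNOWN = 0, FMT_DES, FMT_MODULAR };

/* Traditional DES output is exactly 13 characters from the [./0-9A-Za-z] set. */
static int is_des_char(char c)
{
        return c == '.' || c == '/' ||
               (c >= '0' && c <= '9') ||
               (c >= 'A' && c <= 'Z') ||
               (c >= 'a' && c <= 'z');
}

/* Classify a crypt() result. NULL (crypt failure) is FMT_UNKNOWN. */
enum crypt_format classify_hash(const char *h)
{
        size_t i, n;

        if (h == NULL)
                return FMT_UNKNOWN;
        n = strlen(h);
        if (h[0] == '$') {
                /* Modular: "$<id>$..."; the id must be non-empty and closed by '$'. */
                const char *second = strchr(h + 1, '$');
                return (second != NULL && second > h + 1) ? FMT_MODULAR : FMT_UNKNOWN;
        }
        if (n != 13)
                return FMT_UNKNOWN;
        for (i = 0; i < n; i++)
                if (!is_des_char(h[i]))
                        return FMT_UNKNOWN;
        return FMT_DES;
}

/* Copy a crypt() result into a caller-provided buffer only if it fits.
 * Returns 0 on success, -1 if the hash plus NUL would overflow buf. */
int copy_hash_checked(char *buf, size_t bufsz, const char *h)
{
        size_t n;

        if (h == NULL || buf == NULL)
                return -1;
        n = strlen(h);
        if (n + 1 > bufsz)
                return -1;
        memcpy(buf, h, n + 1);
        return 0;
}

/* Model of the legacy caller: a 14-byte buffer sized for DES output only.
 * Returns 1 if the hash was copied, 0 if it was rejected as too long. */
int legacy_copy_fits(const char *h)
{
        char legacy_buf[14];

        return copy_hash_checked(legacy_buf, sizeof legacy_buf, h) == 0;
}

/* Constructed sample inputs (not output of a real crypt() call in this program). */
const char *SAMPLE_MODULAR =
    "$6$1234$YlCaDQ/VIZKWwIo2tmk5UTOuoVbHSCBk8.4kcEXuwEVM2CDbAJOGIIPDK5DYedDT0Es/Rj2CSoD8LCpLhu8gy1";
const char *SAMPLE_DES = "12abcdefghijk";

int main(void)
{
        printf("modular sample: format=%d fits=%d\n",
               classify_hash(SAMPLE_MODULAR), legacy_copy_fits(SAMPLE_MODULAR));
        printf("des sample:     format=%d fits=%d\n",
               classify_hash(SAMPLE_DES), legacy_copy_fits(SAMPLE_DES));
        return 0;
}
```

A caller that wants to keep a fixed buffer can use classify_hash() to detect
the format change at runtime and copy_hash_checked() to refuse the copy rather
than overrun; the modern alternative is to size the buffer from strlen() of the
returned string or to use crypt_set_format() explicitly.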
