Issue #2278 has been updated by Matthew Dillon.
:Issue #2278 has been reported by Robin Carey. : :---------------------------------------- :Bug #2278: "Password hashing weakness in DF" (Matthias Schmidt) :http://bugs.dragonflybsd.org/issues/2278 After some coordination on IRC, Sam committed the linux sha256 and sha512 code ($5$ and $6$) and set the default to the new sha512 code. The broken sha256/512 code ($3$ and $4$) is still present in order to properly decrypt any passwords using the broken hash, but can no longer be used to encrypt new passwords. -Matt ---------------------------------------- Bug #2278: "Password hashing weakness in DF" (Matthias Schmidt) http://bugs.dragonflybsd.org/issues/2278 Author: Robin Carey Status: Closed Priority: Normal Assignee: Category: Target version: Further to the email posted by Matthias Schmidt to DragonFly users list (17/01/2012): I had a look at (GitWeb) the source code: lib/libcrypt/crypt-sha256.c and lib/libcrypt/crypt-sha512.c Both of those C files have bugs in them: "crypt-sha256.c:": .... /* Then the magic string */ SHA256_Update(&ctx, magic, sizeof(magic)); .... Should be strlen(magic) instead of sizeof(magic). ----- And practically the same bug in: "crypt-sha512.c": .... /* Then the magic string */ SHA512_Update(&ctx, magic, sizeof(magic)); ..... Should be strlen(magic) instead of sizeof(magic). ------ There might be other bugs - I didn't really check for any ..... -- Sincerely, Robin Carey BSc -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account
