*** security:

- generation of SHA encrypted passwords (chpasswd, gpasswd, newusers,
  chgpasswd; and also passwd if configured without PAM support).
  The number of rounds and number of salt bytes was fixed to their lower
  allowed values (resp. configurable and 8), hence voiding some of the
  advantages of this encryption method. Dictionary attacks with
  precomputed tables were easier than expected, but still harder than with
  the MD5 (or DES) methods.

	* NEWS, libmisc/salt.c (SHA_salt_size): Seed the RNG, and fix an
	overflow. These caused the SHA salt size to always be 8 bytes,
	instead of being in the 8-16 range. Thanks to Peter Vrabec
	pvrabec@redhat.com for noticing.
	* NEWS, libmisc/salt.c (SHA_salt_rounds): Seed the RNG with
	seedRNG instead of srand, and fix the same overflow. This caused
	the number of rounds to always be the smallest one.
nekral-guest 2008-05-20 13:34:06 +00:00
parent 9c69fe73b1
commit a917ba4fb9
3 changed files with 25 additions and 5 deletions


@ -1,3 +1,13 @@
2008-05-20 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, libmisc/salt.c (SHA_salt_size): Seed the RNG, and fix a
overflow. These caused the SHA salt size to always be 8 bytes,
instead of being in the 8-16 range. Thanks to Peter Vrabec
pvrabec@redhat.com for noticing.
* NEWS, libmisc/salt.c (SHA_salt_rounds): Seed the RNG with
seedRNG instead of srand, and fix the same overflow. This caused
the number of rounds to always be the smallest one.
2008-05-20 Nicolas François <nicolas.francois@centraliens.net>
* man/newusers.8.xml man/groupmems.8.xml man/groupdel.8.xml

NEWS

@ -2,6 +2,15 @@ $Id$
shadow-4.1.1 -> shadow-4.1.2 UNRELEASED
*** security:
- generation of SHA encrypted passwords (chpasswd, gpasswd, newusers,
chgpasswd; and also passwd if configured without PAM support).
The number of rounds and number of salt bytes was fixed to their lower
allowed values (resp. configurable and 8), hence voiding some of the
advantages of this encryption method. Dictionary attacks with
precomputed tables were easier than expected, but still harder than with
the MD5 (or DES) methods.
*** general:
- packaging
* Distribute the chfn, chsh, and userdel PAM configuration file.
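Review bot: The parenthetical "(resp. configurable and 8)" in the new security entry is hard to map back to "number of rounds and number of salt bytes", and "fixed to their lower allowed values" can be misread as "corrected". Suggest stating it directly: the number of rounds was always the lowest allowed value and the salt was always 8 bytes. The entry also calls the SHA method "encrypted" and "encryption"; these are password hashes, so "hashed" would be the more accurate word for a security note.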


@ -90,9 +90,10 @@ static void seedRNG (void)
*/
static unsigned int SHA_salt_size (void)
{
double rand_rounds = 9 * random ();
rand_rounds /= RAND_MAX;
return 8 + rand_rounds;
double rand_size;
seedRNG ();
rand_size = (double) 9.0 * random () / RAND_MAX;
return 8 + rand_size;
}
/* ! Arguments evaluated twice ! */
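Review bot: In SHA_salt_size the upper bound is off by one: `rand_size = (double) 9.0 * random () / RAND_MAX;` evaluates to exactly 9.0 when random () returns RAND_MAX, so `return 8 + rand_size;` can yield 17, one past the 8-16 range the ChangeLog entry states. Dividing by `RAND_MAX + 1.0`, or clamping the result to 16, keeps the salt size in range. The scaling also assumes random () never returns more than RAND_MAX; RAND_MAX is defined for rand (), so that assumption deserves a comment or a check at this spot.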
@ -131,8 +132,8 @@ static const char *SHA_salt_rounds (int *prefered_rounds)
if (min_rounds > max_rounds)
max_rounds = min_rounds;
srand (time (NULL));
rand_rounds = (max_rounds-min_rounds+1) * random ();
seedRNG ();
rand_rounds = (double) (max_rounds-min_rounds+1.0) * random ();
rand_rounds /= RAND_MAX;
rounds = min_rounds + rand_rounds;
} else if (0 == *prefered_rounds)
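Review bot: `rounds = min_rounds + rand_rounds;` can exceed max_rounds. rand_rounds is scaled by (max_rounds-min_rounds+1.0) and then divided by RAND_MAX, so it reaches max_rounds-min_rounds+1 when random () returns RAND_MAX and rounds becomes max_rounds+1. Clamp rounds to max_rounds after the addition, or divide by `RAND_MAX + 1.0` instead. The `(double)` cast is redundant now that the operand contains `1.0`. SHA_salt_size uses the same scale-a-random-value logic, so a small shared helper taking a minimum and maximum would keep the two call sites consistent.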