
improved checking for invalid hashes. from solar designer

OPENBSD_5_6
tedu 10 years ago
parent
commit
50bce974c2
1 changed files with 10 additions and 6 deletions
  1. +10
    -6
      src/lib/libc/crypt/bcrypt.c

+ 10
- 6
src/lib/libc/crypt/bcrypt.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: bcrypt.c,v 1.37 2014/04/08 20:14:25 tedu Exp $ */
/* $OpenBSD: bcrypt.c,v 1.38 2014/04/19 15:17:59 tedu Exp $ */
/* /*
* Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
@ -97,11 +97,12 @@ bcrypt_hashpass(const char *key, const char *salt, char *encrypted,
char arounds[3]; char arounds[3];
/* Discard "$" identifier */ /* Discard "$" identifier */
if (*salt != '$')
return -1;
salt++; salt++;
if (*salt > BCRYPT_VERSION) {
if (*salt != BCRYPT_VERSION)
return -1; return -1;
}
/* Check for minor versions */ /* Check for minor versions */
if (salt[1] != '$') { if (salt[1] != '$') {
@ -110,6 +111,8 @@ bcrypt_hashpass(const char *key, const char *salt, char *encrypted,
case 'b': /* cap input length at 72 bytes */ case 'b': /* cap input length at 72 bytes */
minor = salt[1]; minor = salt[1];
salt++; salt++;
if (salt[1] != '$')
return -1;
break; break;
default: default:
return -1; return -1;
@ -141,7 +144,8 @@ bcrypt_hashpass(const char *key, const char *salt, char *encrypted,
return -1; return -1;
/* We dont want the base64 salt but the raw data */ /* We dont want the base64 salt but the raw data */
decode_base64(csalt, BCRYPT_MAXSALT, salt);
if (decode_base64(csalt, BCRYPT_MAXSALT, salt))
return -1;
salt_len = BCRYPT_MAXSALT; salt_len = BCRYPT_MAXSALT;
if (minor <= 'a') if (minor <= 'a')
key_len = (u_int8_t)(strlen(key) + (minor >= 'a' ? 1 : 0)); key_len = (u_int8_t)(strlen(key) + (minor >= 'a' ? 1 : 0));
@ -284,7 +288,7 @@ decode_base64(u_int8_t *buffer, size_t len, const char *b64data)
c3 = CHAR64(*(p + 2)); c3 = CHAR64(*(p + 2));
if (c3 == 255) if (c3 == 255)
break;
return -1;
*bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
if (bp >= buffer + len) if (bp >= buffer + len)
@ -292,7 +296,7 @@ decode_base64(u_int8_t *buffer, size_t len, const char *b64data)
c4 = CHAR64(*(p + 3)); c4 = CHAR64(*(p + 3));
if (c4 == 255) if (c4 == 255)
break;
return -1;
*bp++ = ((c3 & 0x03) << 6) | c4; *bp++ = ((c3 & 0x03) << 6) | c4;
p += 4; p += 4;
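Review bot: In the decode_base64 hunks at -284 and -292 only the c3 and c4 lookups change from `break;` to `return -1;`; the c1/c2 check at the top of the loop body lies outside the hunk, and if it still `break`s on a 255 result the function returns with csalt only partially filled, so the new `if (decode_base64(csalt, BCRYPT_MAXSALT, salt)) return -1;` in bcrypt_hashpass would not reject a salt whose first bad or missing character falls at a 4-character group boundary. It would be worth confirming that check reads `if (c1 == 255 || c2 == 255) return -1;` so every invalid or truncated salt character is rejected on the same path as c3 and c4. decode_base64's loop begins and ends outside these hunks, so its return value after a complete decode is not visible here; the caller depends on it being 0 for a valid salt.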

