in crypt-sha*, reject excessive rounds as error rather than clamping
authorRich Felker <dalias@aerifal.cx>
Tue, 16 Feb 2016 22:38:07 +0000 (17:38 -0500)
committerRich Felker <dalias@aerifal.cx>
Tue, 16 Feb 2016 22:38:07 +0000 (17:38 -0500)
the reference implementation clamps rounds to [1000,999999999]. we
further limited rounds to at most 9999999 as a defense against extreme
run times, but wrongly clamped instead of treating out-of-bounds
values as an error, thereby producing implementation-specific hash
results. fixing this should not break anything since values of rounds
this high are not useful anyway.

src/crypt/crypt_sha256.c
src/crypt/crypt_sha512.c

index d5f0b786df252fae553271f276f61ed8c7f9e87d..e885dc68e3c5b7260c0d1aace28872f837bf4322 100644 (file)
@@ -230,7 +230,7 @@ static char *sha256crypt(const char *key, const char *setting, char *output)
                if (u < ROUNDS_MIN)
                        r = ROUNDS_MIN;
                else if (u > ROUNDS_MAX)
-                       r = ROUNDS_MAX;
+                       return 0;
                else
                        r = u;
                /* needed when rounds is zero prefixed or out of bounds */
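Review bot: The context comment right after the changed branch, `/* needed when rounds is zero prefixed or out of bounds */`, is now only partly accurate, because an over-limit value returns before reaching it; `/* needed when rounds is zero prefixed or below ROUNDS_MIN */` would match the new behaviour. The added `return 0;` also deserves a why-comment, for example `/* reject, don't clamp: our ROUNDS_MAX is below the reference limit, so clamping would yield an implementation-specific hash */`, since the low side is still clamped and the asymmetry is otherwise unexplained. The null return is presumably mapped to a failure result by the caller, which lies outside the hunk; that is worth confirming, since an unchecked null from a password-hashing routine is easy to mishandle. The same two comments apply to the sha512crypt hunk, and both functions begin and end outside the hunks shown.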
index 1294e98be78f5c364e8b744c535bd5d25b43a2f3..39970cafe87154ddddac5238d2ba3ff2c62859a5 100644 (file)
@@ -252,7 +252,7 @@ static char *sha512crypt(const char *key, const char *setting, char *output)
                if (u < ROUNDS_MIN)
                        r = ROUNDS_MIN;
                else if (u > ROUNDS_MAX)
-                       r = ROUNDS_MAX;
+                       return 0;
                else
                        r = u;
                /* needed when rounds is zero prefixed or out of bounds */