shadow-utils/shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch

From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sat, 14 Aug 2021 13:24:34 -0400
Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()

If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
use SHA_ROUNDS_DEFAULT.

Previously, the code fell through, calling shadow_random(-1, -1). This
ultimately set rounds = (unsigned long) -1, which ends up being a very
large number! This then got capped to SHA_ROUNDS_MAX later in the
function.

The new behavior matches BCRYPT_get_salt_rounds().

Bug: https://bugs.gentoo.org/808195
Fixes: https://github.com/shadow-maint/shadow/issues/393
---
 libmisc/salt.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/libmisc/salt.c b/libmisc/salt.c
index 91d528fd..30eefb9c 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
 		if ((-1 == min_rounds) && (-1 == max_rounds)) {
 			rounds = SHA_ROUNDS_DEFAULT;
 		}
+		else {
+			if (-1 == min_rounds) {
+				min_rounds = max_rounds;
+			}
 
-		if (-1 == min_rounds) {
-			min_rounds = max_rounds;
-		}
+			if (-1 == max_rounds) {
+				max_rounds = min_rounds;
+			}
 
-		if (-1 == max_rounds) {
-			max_rounds = min_rounds;
-		}
+			if (min_rounds > max_rounds) {
+				max_rounds = min_rounds;
+			}
 
-		if (min_rounds > max_rounds) {
-			max_rounds = min_rounds;
+			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 		}
-
-		rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 	} else if (0 == *prefered_rounds) {
 		rounds = SHA_ROUNDS_DEFAULT;
 	} else {
-- 
2.31.1
libmisc: fix default value in SHA_get_salt_rounds() Resolves: #1993919 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> 2021-08-17 07:50:48 +00:00			`From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001`
			`From: Mike Gilbert <floppym@gentoo.org>`
			`Date: Sat, 14 Aug 2021 13:24:34 -0400`
			`Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()`

			`If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,`
			`use SHA_ROUNDS_DEFAULT.`

			`Previously, the code fell through, calling shadow_random(-1, -1). This`
			`ultimately set rounds = (unsigned long) -1, which ends up being a very`
			`large number! This then got capped to SHA_ROUNDS_MAX later in the`
			`function.`

			`The new behavior matches BCRYPT_get_salt_rounds().`

			`Bug: https://bugs.gentoo.org/808195`
			`Fixes: https://github.com/shadow-maint/shadow/issues/393`
			`---`
			`libmisc/salt.c \| 21 +++++++++++----------`
			`1 file changed, 11 insertions(+), 10 deletions(-)`

			`diff --git a/libmisc/salt.c b/libmisc/salt.c`
			`index 91d528fd..30eefb9c 100644`
			`--- a/libmisc/salt.c`
			`+++ b/libmisc/salt.c`
			`@@ -223,20 +223,21 @@ static /@observer@/const unsigned long SHA_get_salt_rounds (/@null@/int *pre`
			`if ((-1 == min_rounds) && (-1 == max_rounds)) {`
			`rounds = SHA_ROUNDS_DEFAULT;`
			`}`
			`+ else {`
			`+ if (-1 == min_rounds) {`
			`+ min_rounds = max_rounds;`
			`+ }`

			`- if (-1 == min_rounds) {`
			`- min_rounds = max_rounds;`
			`- }`
			`+ if (-1 == max_rounds) {`
			`+ max_rounds = min_rounds;`
			`+ }`

			`- if (-1 == max_rounds) {`
			`- max_rounds = min_rounds;`
			`- }`
			`+ if (min_rounds > max_rounds) {`
			`+ max_rounds = min_rounds;`
			`+ }`

			`- if (min_rounds > max_rounds) {`
			`- max_rounds = min_rounds;`
			`+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);`
			`}`
			`-`
			`- rounds = (unsigned long) shadow_random (min_rounds, max_rounds);`
			`} else if (0 == *prefered_rounds) {`
			`rounds = SHA_ROUNDS_DEFAULT;`
			`} else {`
			`--`
			`2.31.1`