in crypt-sha*, reject excessive rounds as error rather than clamping

the reference implementation clamps rounds to [1000,999999999]. we
further limited rounds to at most 9999999 as a defense against extreme
run times, but wrongly clamped instead of treating out-of-bounds
values as an error, thereby producing implementation-specific hash
results. fixing this should not break anything since values of rounds
this high are not useful anyway.

diff --git a/src/crypt/crypt_sha256.c b/src/crypt/crypt_sha256.c
index d5f0b78..e885dc6 100644 (file)
--- a/src/crypt/crypt_sha256.c
+++ b/src/crypt/crypt_sha256.c
@@ -230,7 +230,7 @@ static char *sha256crypt(const char *key, const char *setting, char *output)
                if (u < ROUNDS_MIN)
                        r = ROUNDS_MIN;
                else if (u > ROUNDS_MAX)
-                       r = ROUNDS_MAX;
+                       return 0;
                else
                        r = u;
                /* needed when rounds is zero prefixed or out of bounds */

diff --git a/src/crypt/crypt_sha512.c b/src/crypt/crypt_sha512.c
index 1294e98..39970ca 100644 (file)
--- a/src/crypt/crypt_sha512.c
+++ b/src/crypt/crypt_sha512.c
@@ -252,7 +252,7 @@ static char *sha512crypt(const char *key, const char *setting, char *output)
                if (u < ROUNDS_MIN)
                        r = ROUNDS_MIN;
                else if (u > ROUNDS_MAX)
-                       r = ROUNDS_MAX;
+                       return 0;
                else
                        r = u;
                /* needed when rounds is zero prefixed or out of bounds */