Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!cs.utexas.edu!sdd.hp.com!usc!pollux.usc.edu!kjh
From: kjh@pollux.usc.edu (Kenneth J. Hendrickson)
Newsgroups: comp.os.minix
Subject: Re: Crypt(), and patch for login.c
Message-ID: <25646@usc.edu>
Date: 2 Jul 90 10:43:53 GMT
References: <1990Jun29.222218.4942@siia.mv.com> <25628@usc.edu> <25633@usc.edu>
Sender: news@usc.edu
Organization: EE-Systems, USC, Los Angeles
Lines: 67

>In article <25628@usc.edu> kjh@pollux.usc.edu (Kenneth J. Hendrickson) writes:
> After one failed login attempt (due to bad username or passwd),
> Nobody can ever log in again!  Not even with a good passwd!
>
>Investigation has revealed the following:
>
>(1) Successive calls to crypt() in minix return different values,
>    even with the same inputs to crypt().

Here is the problem:

/* Modified for MINIX by Kenneth J. Hendrickson kjh@usc.edu, 2 July 1990
 *
 * The code in encrypt() required that R[] immediately follow L[].
 *
 * In Minix, the C compiler places uninitialized static variables that are
 * declared outside a function in the bss segment, but in the _opposite_
 * order from which they are declared.
 */

The wise guy who wrote the code for crypt() did something that was
system (actually compiler) dependent.  Now maybe the wise guy is wiser
than I, and K&R specify that all static variables go into the bss
segment in the order in which they are declared, but I'm not aware of
this.  If I was defining the C language, I certainly wouldn't have done
this.  If K&R did specify this, then of course the Minix C compiler is
broken.

I am willing to email my working crypt() for Minix, which is
functionally equivalent to the crypt() on the BSD boxes, to anybody on a
US site.
The US has a law about taking encryption technology out of the
country, and there are two things I want to avoid: (1) I don't want the
media to find out about me mailing it out of the US, and making me into
a Benedict Arnold, and (2) I don't want the Feds to show up at my door
with burp guns.  Please note that I think the law is silly, since the
DES algorithm is well known.  You can even find it in Pascal :-( in Dr.
Tanenbaum's book on Computer Networks.

During my testing and debugging, I found a small bug in login.c (which
will never cause any problems, but is a bug nonetheless).  Here is my
patch to login.c:
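
The layout dependency the post describes (R[] required to follow L[] in memory), shown next to a layout that does not depend on the compiler. This is an added example, not code from the post, from its login.c patch, or from the Minix crypt(). All identifiers are hypothetical, and it assumes the dependency takes the form of one 64-step loop that runs across both halves.

```c
#include <stdint.h>
#include <stdio.h>

/* DES initial permutation, 1-based bit positions as in the standard. */
static const unsigned char IP[64] = {
    58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17,  9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
};

/* Fragile layout: separate statics; C does not fix their relative placement. */
static char L_sep[32], R_sep[32];

/* 1 only if this toolchain happened to place R_sep right after L_sep. */
int halves_are_adjacent(void)
{
    return (uintptr_t)R_sep == (uintptr_t)L_sep + sizeof L_sep;
}

/* Portable layout: one 64-byte object, with L and R naming its halves. */
static char LR[64];
static char *const L = LR;
static char *const R = LR + 32;

/* One 64-step loop fills both halves without ever leaving the object. */
void load_block(const char block[64])
{
    for (int j = 0; j < 64; j++)
        LR[j] = block[IP[j] - 1];
}
const char *left_half(void)  { return L; }
const char *right_half(void) { return R; }

/* Constructed sample input: bit k is 1 when k is a multiple of 3. */
void fill_sample(char block[64])
{
    for (int k = 0; k < 64; k++)
        block[k] = (k % 3 == 0);
}

int main(void)
{
    char block[64];
    fill_sample(block);
    load_block(block);
    printf("separate statics adjacent here: %d\n", halves_are_adjacent());
    printf("L[0]=%d R[0]=%d R[31]=%d\n", L[0], R[0], R[31]);
    return 0;
}
```

The value of halves_are_adjacent() varies by compiler and linker, which is why code that writes through L[] into R[] gives different results on different systems.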