Red Hat Bugzilla – Bug 679530
crypt(3) incorrect key length
Last modified: 2011-05-19 10:01:26 EDT
Description of problem: The crypt(3) man page states: In the SHA implementation the entire key is significant (instead of only the first 8 bytes in MD5). This is incorrect. Both MD5 and SHA consider the entire key; it's DES that only uses the first 8 bytes. This was fixed upstream in man-pages-3.25; see the attached patch. Version-Release number of selected component (if applicable): man-pages-3.22-12.el6 Additional info: From the man-pages-3.25/Changes file: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ crypt.3 Petr Baudis Correct note on key portion significance As Marcel Moreaux notes: The Linux manpage for crypt()[1] contains the following statement as the last sentence of the NOTES section: In the SHA implementation the entire key is significant (instead of only the first 8 bytes in MD5). It should probably say "DES" where it says "MD5" (and maybe "MD5/SHA" where it says "SHA"), because in MD5 password hashing, the entire key is significant, not just the first 8 bytes. This patch fixes the wording. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Created attachment 480226 [details] patch to update crypt(3) man page
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0679.html