From: Andrew M. <ae...@bi...> - 2002-05-10 12:17:31
Richard,
Everything is working fine now, thank you very much for your help.
I plan to upload 4 files to the sourceforge area when I work out how to do it
correctly, these are:
authprocess.h
authprocess.c
readconfig.c
passwdsecure.c
Regards
AndrewM
Andrew McGlashan AACS
Director
Mobile: 04 2574 1827
Affinity Vision Australia Pty Ltd
ABN 91 099 273 855
This message contains privileged and confidential information intended only
for the use of the addressee named above. If you are not the intended
recipient of this message you are hereby notified that you must not
disseminate, copy or take any action in reliance on it. If you have
received this message in error please notify Affinity Vision Australia Pty
Ltd at ae...@bi... Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to be
the views of Affinity Vision Australia Pty Ltd
----- Original Message -----
From: "Harris, Richard" <ha...@ta...>
To: "'Andrew McGlashan'" <ae...@bi...>
Cc: <pas...@li...>; "Mario Piazzese"
<Mar...@se...>; "Bill Lucas" <bil...@se...>
Sent: Friday, May 10, 2002 5:08 PM
Subject: RE: SEWL passwdsecure -- other note
> Hi Andrew,
>
> Is it working now?
>
> The sprintf will put the '\0' on the end of hexStringDigit for you but I
> guess it doesn't hurt to do it explicitly.
>
> Richard
>
> -----Original Message-----
> From: Andrew McGlashan [mailto:ae...@bi...]
> Sent: Friday, 10 May 2002 5:08 PM
> To: Harris, Richard
> Cc: pas...@li...; Mario Piazzese; Bill Lucas
> Subject: Re: SEWL passwdsecure -- other note
>
>
> Updated .c files attached
>
> Richard,
>
> Thanks for your input. I have added an extra line to your supplied MD5File
> function. After the 16 unsigned chars have been placed as 32 string chars
> (0-31), I added the string terminator char to array position 32 as follows:
> hexStringDigest[32] = '\0';
>
> Regards
>
> AndrewM
>
> Andrew McGlashan AACS
> Director
>
> Mobile: 04 2574 1827
>
> Affinity Vision Australia Pty Ltd
> ABN 91 099 273 855
>
>
> ----- Original Message -----
> From: "Harris, Richard" <ha...@ta...>
> To: "'Andrew McGlashan'" <ae...@bi...>; "Harris, Richard"
> <ha...@ta...>
> Cc: "Bill Lucas" <bil...@se...>; "Mario Piazzese"
> <Mar...@se...>; <pas...@li...>
> Sent: Friday, May 10, 2002 3:18 PM
> Subject: RE: SEWL passwdsecure -- other note
>
>
> > Hi Andrew,
> >
> > Looking at the truss output the problem seems symptomatic of a buffer
> > overrun or a stray pointer being accessed. I've had a look at
> > authprocess.c and found a couple of strong contenders.
> >
> > You've changed the way MD5File works so it returns the MD5 data as a hex
> > string, rather than the raw MD5 data. I assume you've done this for the
> > purposes of debugging so you can see the checksum more easily. You've
> > made a few mistakes in doing this.
> >
> > Firstly, in MD5File (if the digest is calculated correctly) you return
> > buffer2, unfortunately buffer2 is on the stack so as soon as you return
> > from MD5File the memory where you are pointing to will no longer exist.
> > Later on you then call free on the returned value, this will cause all
> > sorts of confusion! Also digest is being created on the heap but you
> > don't return a pointer to it so it creates a memory leak.
> >
> > To do it your way MD5File should be:
> >
> > #ifdef USE_MD5
> > /* Needs <stdio.h>, <stdlib.h> and the MD5 header that declares MD5_CTX. */
> > /* Returns a malloc'd 32-char hex digest (caller frees) or NULL on error. */
> > char* MD5File(char* filename)
> > {
> >     FILE* file;
> >     if ((file = fopen (filename, "rb")) == NULL)
> >     {
> >
> > #ifdef DEBUG
> >         fprintf(stderr, "Problem opening file: %s ...\n", filename);
> > #endif
> >
> >         return (char*)NULL;
> >     }
> >     else {
> >         MD5_CTX context;
> >         int len;
> >         unsigned char buffer[1024];
> >         unsigned char digest[16];  /* raw digest lives on the stack only */
> >         unsigned int i;
> >         char* hexStringDigest;
> >
> >         MD5Init (&context);
> >         /* feed the file to MD5 in 1024-byte chunks until fread returns 0 */
> >         while ((len = (int)fread (buffer, 1, sizeof(buffer), file)) > 0)
> >             MD5Update (&context, buffer, len);
> >         MD5Final (digest, &context);
> >
> >         fclose (file);
> >
> >         /* 33 chars, 32 for hexString, and 1 for NULL */
> >         hexStringDigest = (char*)malloc(sizeof(char)*33);
> >         checkMalloc((void*)hexStringDigest);
> >
> >         /* each sprintf writes two hex chars plus a '\0' */
> >         for (i = 0; i < 16; i++)
> >         {
> >             sprintf(hexStringDigest + i*2, "%02x", digest[i] );
> >         }
> >
> >         /* heap pointer, so it stays valid after return */
> >         return hexStringDigest;
> >     }
> > }
> > #endif
> >
> > I haven't got a machine to compile this on to test but it looks all right.
> >
> > The other big problem is with md5thusfar. At line 144 you define
> > md5thusfar as a char* and then (at line 220) you call strncpy to it before
> > it is initialised. It might be pointing at anything at this stage.
> >
> > You need to change line 220 from:
> >     strncpy(md5thusfar, file[0], 32);
> > to:
> >     md5thusfar = (char*)malloc(sizeof(char)*33);
> >     checkMalloc((void*)md5thusfar);
> >     strncpy(md5thusfar, file[0], 32);
> >     md5thusfar[32] = '\0';
> >
> > Note the last line, if file[0] is 32 or more characters long then
> > md5thusfar won't finish with a null, so trouble will ensue.
> >
> > That's all of the problems I can see in authprocess.c at the moment. If
> > you fix those problems you should be in with a much better shot of getting
> > it to work.
> >
> > Regards,
> > Richard
> >
> > PS: As a formatting point when you have something like:
> > <tab>func(first_arg,
> > <tab>     second_arg);
> > You shouldn't change it to
> > <tab>func(first_arg,
> > <tab><tab>second_arg);
> > As the arguments won't line up if someone is using different sized tab
> > stops. You should always tab to specify indents and space to line up a
> > command that spreads multiple lines. The same applies for if/while
> > conditions and for statements.
> >
> > PPS: I've made you an admin of the sourceforge project.
> >
> >
> > -----Original Message-----
> > From: Andrew McGlashan [mailto:ae...@bi...]
> > Sent: Thursday, 9 May 2002 10:45 AM
> > To: Harris, Richard
> > Cc: Bill Lucas; Mario Piazzese
> > Subject: Fw: SEWL passwdsecure -- other note
> > Importance: High
> >
> >
> > Richard,
> >
> > I have made this email high priority as SE Water has a number of uses that
> > will need to use the passwdsecure tool. Bill has even suggested that I be
> > listed as a maintainer to try to progress this quicker; I would really
> > like some more help.
> >
> > Okay, I have looked at FILECMP again -- I broke it with my former MD5CHECK
> > works. I have since re-worked that but I still have some problems. The
> > FILEICMP looks okay after all, although I haven't actually tested it; I
> > didn't look at it closely enough to understand it before.
> >
> > The problem I am having now with the re-worked FILECMP / MD5CHECK section
> > having been done has to do with the getPsinfo function; it is dropping out
> > without completing all checks. I don't know why it dumps out, but here is
> > the statement that is failing:
> >
> > sizeRead = fread(buf+sizeReadTotal, 1, sizeof(psinfo_t)-sizeReadTotal,
> >                  fileinfo);
> >
> > Other information (from the non-Linux code):
> > > Checking file types / sizes...
> > >
> > > int sizeRead /* always 336 if successful */
> > > int sizeReadTotal /* always 0 */
> > >
> > >
> > > unsigned char buf[sizeof(psinfo_t)]
> > >
> >
> > Now it fails after a number of iterations. I did remove a single check
> > from one require group and it got through to an additional require group.
> > I was going to include the output file with the debug information, but I
> > don't have it with me right now. Let me know if you need it and I will
> > endeavour to get it to you.
> >
> > I did adjust the following in the getPsinfo function:
> > from FILE* fileinfo;
> > to FILE *fileinfo;
> > I assume that was simply a typo. The change didn't help or seem to affect
> > anything. I also made sure that every fopen had an fclose; I thought that
> > maybe there were too many files open or something like that. Maybe there
> > is still something in this as it was quite late when I packed it in last
> > night.
> >
> > The Makefile in the attached source has a DEBUG entry added to the CFLAGS
> > line, so it always makes the debug version for now. My 'do_conf' doesn't
> > include the MD5 directory, however, it uses the found OpenSSL libraries
> > and thus the configure defines USE_MD5.
> >
> > AndrewM
> >
> > Andrew McGlashan AACS
> > Director
> >
> > Mobile: 04 2574 1827
> >
> > Affinity Vision Australia Pty Ltd
> > ABN 91 099 273 855
> >
> >
> > ----- Original Message -----
> > From: <And...@se...>
> > To: <ae...@bi...>
> > Sent: Thursday, May 09, 2002 1:12 AM
> > Subject: SEWL passwdsecure -- other note
> >
> >
> > >
> > > The following statement fails consistently for unknown reasons.....,
> > > but only after so many reads...
> > >
> > > sizeRead = fread(buf+sizeReadTotal, 1, sizeof(psinfo_t)-sizeReadTotal,
> > > fileinfo);
> > >
> > >
> > > Checking file types / sizes...
> > >
> > > int sizeRead /* always 336 if successful */
> > > int sizeReadTotal /* always 0 */
> > >
> > >
> > > unsigned char buf[sizeof(psinfo_t)]
> > >
> >
> >
> >
> > ***********************************************************************
> > The information in this e-mail message and any files transmitted with it
> > are intended to be confidential and for the use of only the individual or
> > entity to whom they are addressed. The message and files may be
> > protected by legal professional privilege, or other legal rules. The
> > confidentiality of and privilege applying to this message and
> > files is not waived if this message or files has been sent to you by
> > mistake. If the reader of this message or files is not the intended
> > recipient, you are notified that retention, distribution or copying of
> > this message and files are strictly prohibited. If you receive this
> > message or files in error, please notify us immediately by telephone or
> > return e-mail and delete all copies from your computer system. It is the
> > recipient's responsibility to check this message and files for viruses.
> >
> > Thank you.
> >
> > ***********************************************************************
> >
>
>
> *******************************************************
> PLEASE NOTE: This internet email message
> has been checked for viruses and appropriate
> content to ensure it complies with TABCORP's
> electronic communication policy.
> *******************************************************
>
|
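The two memory bugs discussed in the quoted review above (returning a pointer to a stack buffer that is later passed to free, and calling strncpy with a 32-byte bound without terminating the result) are shown here in corrected form. This is an added example, not code from the thread or from passwdsecure: the function names are hypothetical, the raw digest is passed in so that no MD5 library is needed, and the sample digest is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MD5_LEN 16
#define HEX_LEN (MD5_LEN * 2)

/* Hex-encode a raw digest into heap storage that the caller owns and frees.
 * Returning a local char[33] instead would hand back a dangling pointer. */
char *digest_to_hex(const unsigned char digest[MD5_LEN])
{
    char *hex = malloc(HEX_LEN + 1);
    if (hex == NULL) return NULL;
    for (size_t i = 0; i < MD5_LEN; i++)
        snprintf(hex + i * 2, 3, "%02x", digest[i]); /* 2 chars + '\0' */
    return hex;
}

/* Does strncpy(dst, src, 32) leave a '\0' inside the first 32 bytes?
 * dst is pre-filled with a marker so the answer is observable safely. */
int strncpy_terminates(const char *src)
{
    char dst[HEX_LEN + 1];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, HEX_LEN);
    return memchr(dst, '\0', HEX_LEN) != NULL;
}

/* Bounded copy of a stored checksum field: allocate before copying, copy
 * at most 32 bytes, then terminate explicitly at index 32. */
char *copy_md5_field(const char *src)
{
    char *dst = malloc(HEX_LEN + 1);
    if (dst == NULL) return NULL;
    strncpy(dst, src, HEX_LEN);
    dst[HEX_LEN] = '\0';
    return dst;
}

int main(void)
{
    /* Constructed sample digest: MD5 of the empty input. */
    const unsigned char d[MD5_LEN] = {0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
                                      0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e};
    char *hex = digest_to_hex(d);
    printf("%s terminated=%d\n", hex ? hex : "(oom)", strncpy_terminates(hex ? hex : ""));
    free(hex);
    return 0;
}
```

Building with `-fsanitize=address` and swapping the malloc in `digest_to_hex` for a local array makes the original failure visible as a stack-use-after-return or invalid-free report.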