oss-sec mailing list archives

Re: CVE request: crypt_blowfish 8-bit character mishandling


From: Michael Matz <matz () suse de>
Date: Mon, 27 Jun 2011 17:44:42 +0200 (CEST)

Hi,

On Mon, 27 Jun 2011, Ludwig Nussel wrote:

Additionally, for the paranoid, when the option to treat 2a as 2x is 
disabled, disallow logins with passwords containing 0xff chars 
(possible attack).  Maybe only for 2a hashes, but not for 2y.  In 
order not to leak this fact via timings, perform the hashing anyway.  
(I'll consider making this built-in in a new version of 
crypt_blowfish, which should let us be more careful with timings.)

Ok, so we'd need two config options, one to toggle signedness bug compat 
mode (2a=2x) and one to disallow 0xff if compat mode is off.

What's this 0xff business that crept up recently?  It's all characters 
with the high bit set, not just 0xff, that pose problems.  Let's be 
precise with these issues.


Ciao,
Michael.
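The point about "all characters with the high bit set" can be seen in a small model, added here as an example and not taken from this message or from the crypt_blowfish source. It assumes the signedness bug is a key byte passing through a signed char before being OR-ed into a 32-bit word; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not crypt_blowfish code): pack four key
 * bytes into one 32-bit word, treating every byte as unsigned. */
static uint32_t pack_unsigned(const unsigned char *key)
{
    uint32_t w = 0;
    for (size_t i = 0; i < 4; i++)
        w = (w << 8) | key[i];
    return w;
}

/* Same loop, but each byte goes through a signed char first. Any byte in
 * 0x80..0xff sign-extends to 0xFFFFFFxx and overwrites the bytes already
 * accumulated in the word. */
static uint32_t pack_signed(const unsigned char *key)
{
    uint32_t w = 0;
    for (size_t i = 0; i < 4; i++) {
        signed char c = (signed char)key[i];
        w = (w << 8) | (uint32_t)(int32_t)c;
    }
    return w;
}

/* Policy check for the "disallow" option discussed in the thread: test the
 * high bit of every byte, not just equality with 0xff. */
static int has_high_bit(const unsigned char *pw, size_t len)
{
    int found = 0;
    for (size_t i = 0; i < len; i++)   /* no early exit: scan all bytes */
        found |= (pw[i] & 0x80) != 0;
    return found;
}

int main(void)
{
    /* Constructed sample inputs: same tail, different leading bytes. */
    const unsigned char a[4] = { 'a', 'b', 0x80, 'd' };
    const unsigned char b[4] = { 'x', 'y', 0x80, 'd' };
    printf("unsigned: %08x %08x\n", (unsigned)pack_unsigned(a), (unsigned)pack_unsigned(b));
    printf("signed:   %08x %08x\n", (unsigned)pack_signed(a), (unsigned)pack_signed(b));
    printf("high bit: %d %d\n", has_high_bit(a, 4), has_high_bit(b, 4));
    return 0;
}
```
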

