oss-sec mailing list archives
Re: CVE request: crypt_blowfish 8-bit character mishandling
From: Solar Designer <solar () openwall com>
Date: Fri, 8 Jul 2011 01:31:03 +0400
On Thu, Jul 07, 2011 at 10:05:07AM +0200, Ludwig Nussel wrote:
mkpasswd (package whois) checks whether the crypted password starts with the originally requested prefix. Since crypt_gensalt now returns $2y for $2a mkpasswd fails. I'm not claiming mkpasswd's assumption on the behavior of crypt_gensalt is correct but it's not documented whether crypt_gensalt may change the prefix.
Thank you for letting me know. Yes, this prefix change in crypt_gensalt*() was a hack, which I didn't give much thought yet. It would have been nice to be able to switch to using $2y$ for crypt_gensalt*()-aware apps (including our pam_tcb) just by upgrading glibc, without changes to any other component nor to a config file, but I agree that we'll want to avoid surprises like that. I'll change my code to preserve the requested prefix. Another idea that I haven't given much thought yet is to encode, say, a 64-bit magic constant in the salt (leaving the remaining 64 bits out of the total of 128 for the actual salt), indicating that this is a newly generated "setting" string and enabling crypt(3) to treat $2a$ as $2y$ safely. Or we could in fact fully use this instead of $2y$, although that would reduce the salt space for all - not really a problem since 128 bits for a crypt(3) salt was excessive, but it doesn't sound good. This would have the advantage of being 100% compatible with OpenBSD's $2a$ hashes, including usage of the $2a$ prefix, yet carrying the desired extra bit for us. There's only a very slight chance of someone else's salt string inadvertently having our magic constant in it, which would exclude the hash from collision protection against hashes of the buggy algorithm. A drawback: this fails if a new version of crypt_gensalt*() is used with an older version of the hashing code (with the sign extension bug in it). $2y$ protects from that (the old code would refuse to process such "setting" strings). Alexander
Current thread:
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 06)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jul 07)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 07)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 08)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 07)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 07)
- <Possible follow-ups>
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jul 07)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 07)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jul 11)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 11)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jul 12)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jul 13)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 14)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jul 14)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Solar Designer (Jul 07)
- Re: CVE request: crypt_blowfish 8-bit character mishandling Ludwig Nussel (Jul 07)