Re: CVE request: crypt_blowfish 8-bit character mishandling

[Ludwig Nussel <ludwig.nussel () suse de>]

Solar Designer wrote:
> [...]
> Also, it brings up the question: why merely use $2a$ running the new
> code rather than fully emulate the bug even for newly set passwords,
> which would make all passwords work, even on other networked machines?
> Sure, that would be even nastier for security, so maybe you managed to
> strike a balance well.  But nevertheless the question is there.  One of
> your options results in full backwards compatibility at a security cost
> (for the local system), but the other somehow chooses to strike a
> balance between compatibility and security without achieving either of
> these fully (for a network of systems).
>
> Maybe you can afford to drop BLOWFISH_2y to avoid those inconsistencies?
> I imagine that people won't know to enable this option unless/until they
> have already run into an issue anyway (that is, someone is already
> unable to log in).  At this point, they could likely upgrade the rest of
> their networked systems as well... or downgrade this one. ;-(

I'm not sure I understand what you are suggesting. Keep using the buggy
algorithm for new passwords and keep storing them as 2a as long as
BLOWFISH_2a2x is turned on?

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix 
Imendörffer, HRB 16746 (AG Nürnberg)