bugzilla-daemon at bugzilla.mindrot.org
2016-Sep-06 17:19 UTC
[Bug 2611] New: Add support for $2b$ prefixed hashes
https://bugzilla.mindrot.org/show_bug.cgi?id=2611 Bug ID: 2611 Summary: Add support for $2b$ prefixed hashes Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P3 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Reporter: dcarlson at squareup.com Created attachment 2870 --> https://bugzilla.mindrot.org/attachment.cgi?id=2870&action=edit patch to add support NOTE: refers to jbcrypt 0.4.0, but product is not selectable. We have run into a problem with the prefix of bcrypt-hashed passwords. Our generated hash values include the prefix $2b$, but our crypt library rejects these, only accepting hash formats with the prefix $2a$. Our current bcrypt java library (http://www.mindrot.org/projects/jBCrypt also https://github.com/jeremyh/jBCrypt) uses the modular crypt format (http://pythonhosted.org/passlib/modular_crypt_format.html) to store both the salt and the hash of the password. The python library we have selected uses bcrypt.c. In (http://www.openwall.com/lists/oss-security/2012/01/02/4), 'Alexander' describes that Christos Zoulas discovered a wrap-around error. This is also described in https://en.wikipedia.org/wiki/Crypt_(C). Either way, the actual behavior in the c libarary is not truncation, but wrapping in a way that can eliminate significant (all) entropy in the overflow case (overflow is of the len variable which is uint8). As a mitigation, some implementations use the $2b$ prefix which clarifies the behavior regarding long passwords (e.g. the actual behavior is now truncation). Implementations generally have addressed both the overflow and used the version bump to identify this change. The jbcrypt library uses "minor >= 'a'" comparisons in many positions, but the critical section seems to be a check: if (salt.charAt(0) != '$' || salt.charAt(1) != '2') { throw new IllegalArgumentException("Invalid salt version"); } if (salt.charAt(2) == '$') { off = 3; } else { minor = salt.charAt(2); if (minor != 'a' || salt.charAt(3) != '$') { throw new IllegalArgumentException("Invalid salt revision"); } off = 4; } This code only supports prefixes $2a$ and $2$. It appears that the java implementation does not have the wrapping problem from the C implementation, but for compatibility, we would prefer that the java implementation include support for both. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-17 18:05 UTC
[Bug 2611] Add support for $2b$ prefixed hashes
https://bugzilla.mindrot.org/show_bug.cgi?id=2611 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |dtucker at zip.com.au Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org --- Comment #1 from Darren Tucker <dtucker at zip.com.au> --- I don't know if Damien is accepting bug reports for this nowadays, but he's the only one that can do anything about it so reassiging for either actioning or closing. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 11:17 UTC
[Bug 2611] Add support for $2b$ prefixed hashes
https://bugzilla.mindrot.org/show_bug.cgi?id=2611 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |INVALID Status|ASSIGNED |RESOLVED --- Comment #2 from Damien Miller <djm at mindrot.org> --- jbcrypt bugs are not tracked here -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 2611] Add support for $2b$ prefixed hashes
https://bugzilla.mindrot.org/show_bug.cgi?id=2611 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #3 from Damien Miller <djm at mindrot.org> --- closing resolved bugs as of 8.6p1 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Apparently Analagous Threads
- Branch 'as' - 13 commits - libswfdec/swfdec_as_context.c libswfdec/swfdec_as_context.h libswfdec/swfdec_as_frame.c libswfdec/swfdec_as_frame.h libswfdec/swfdec_as_interpret.c libswfdec/swfdec_as_object.c libswfdec/swfdec_as_object.h
- Character position command
- [Bug 2097] New: if gensalt's log_rounds parameter is set to 31 it does 0 (ZERO) rounds!
- [Bug 1982] New: different behavior compared to php (openwall version of bcrypt)
- Bug#481306: logcheck-database: Request for new rule: "syslog-ng : Configuration reload"