Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 13 Feb 2015 04:16:10 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: wrong comment in sha512crypt_fmt_plug.c

On Thu, Feb 12, 2015 at 06:05:01PM +0300, Aleksey Cherepanov wrote:
> It looks like there is a wrong comment in cryptsha512_fmt_plug.c :
> 
> 		/* For every character in the password add the entire password.  */
> 		for (cnt = 0; cnt < 16 + ((unsigned char*)crypt_out[index])[0]; ++cnt)
> 			SHA512_Update(&alt_ctx, cur_salt->salt, cur_salt->len);
> 
> It is #18 according to
> http://www.akkadia.org/drepper/SHA-crypt.txt
> "
> 18. repeast the following 16+A[0] times, where A[0] represents the first
>     byte in digest A interpreted as an 8-bit unsigned value
> 
>       add the salt to digest DS
> "
> 
> The comment is from the original code:
>   /* For every character in the password add the entire password.  */
>   for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
>     sha512_process_bytes (salt, salt_len, &alt_ctx);

Ouch.  This is actually a (minor) security shortcoming in SHA-crypt.
I wonder why they're doing this - it doesn't appear to be in md5crypt.
As far as I can tell, they do it for no reason at all.

I brought this to Twitter:

<solardiz> SHA-crypt running time depends not only on password length, but also on password characters. See algorithm step 18. http://www.akkadia.org/drepper/SHA-crypt.txt
<solardiz> Also, SHA-crypt reference source code comment corresponding to step 18 doesn't match the spec and the code. http://www.openwall.com/lists/john-dev/2015/02/12/2
<@...ardiz> @0xdeadb @kragen The unusual aspect about SHA-crypt's timing leak is that it's in an algorithm step that wasn't needed at all
<@...ardiz> @0xdeadb @kragen Luckily, it's mitigated by having the salt mixed in as well, so it can't be exploited without stealing/inferring the salt

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ