Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 13 Feb 2015 04:16:10 +0300
From: Solar Designer <>
Subject: Re: wrong comment in sha512crypt_fmt_plug.c

On Thu, Feb 12, 2015 at 06:05:01PM +0300, Aleksey Cherepanov wrote:
> It looks like there is a wrong comment in cryptsha512_fmt_plug.c :
> 		/* For every character in the password add the entire password.  */
> 		for (cnt = 0; cnt < 16 + ((unsigned char*)crypt_out[index])[0]; ++cnt)
> 			SHA512_Update(&alt_ctx, cur_salt->salt, cur_salt->len);
> It is #18 according to
> "
> 18. repeast the following 16+A[0] times, where A[0] represents the first
>     byte in digest A interpreted as an 8-bit unsigned value
>       add the salt to digest DS
> "
> The comment is from the original code:
>   /* For every character in the password add the entire password.  */
>   for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
>     sha512_process_bytes (salt, salt_len, &alt_ctx);

Ouch.  This is actually a (minor) security shortcoming in SHA-crypt.
I wonder why they're doing this - it doesn't appear to be in md5crypt.
As far as I can tell, they do it for no reason at all.

I brought this to Twitter:

<solardiz> SHA-crypt running time depends not only on password length, but also on password characters. See algorithm step 18.
<solardiz> Also, SHA-crypt reference source code comment corresponding to step 18 doesn't match the spec and the code.
<@solardiz> @0xdeadb @kragen The unusual aspect about SHA-crypt's timing leak is that it's in an algorithm step that wasn't needed at all
<@solardiz> @0xdeadb @kragen Luckily, it's mitigated by having the salt mixed in as well, so it can't be exploited without stealing/inferring the salt


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.