Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 14 Jul 2011 16:37:36 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, Michael Matz <matz@...e.de>,
	Thorsten Kukuk <kukuk@...e.de>, Andreas Jaeger <aj@...e.de>,
	Zefram <zefram@...h.org>
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

Solar Designer wrote:
> # The password hashing method and iteration count to use for group
> # passwords that may be set with gpasswd(1).
> #
> CRYPT_PREFIX		$2a$
> CRYPT_ROUNDS		8
>
> so again, only a config file change is needed here.  If you've been
> hard-coding "$2a$", you haven't been taking full advantage of
> crypt_gensalt*().

Well, you need to modify that in %post to automatically get 2y for
new passwords then. Which is kind of ugly as that's a file the admin
may have modified.

Anyways, we have the prefix configurable in /etc/default/password
too (CRYPT=blowfish). So no magic config file editing needed. The
programs parsing that file all do the blowfish=>2a mapping
themselves though as there is no lib unfortunately. So we have to
touch several packages to s/2a/2y/. That's what I meant with
"hard-coding".

>> Nevertheless if we miss to patch any package there would be still the
>> chance of someone generating 2a hashes with a different algorithm than
>> what the system uses to verify them later though.
>
> Yes.  And I fully expect some hashes of this kind to be generated by the
> various PHP apps, which have to generate salts on their own.  There's no
> perfect solution to this, I'm afraid.
>
>> So implementing your
>> original idea and have crypt_gensalt change the prefix wouldn't be
>> that bad after all. That bears the risk to break some programs like
>> mkpasswd but they would at least fail with an error rather than
>> generating unusable hashes.
>
> It's not obvious which is worse (and the "unusable hashes" would only be
> such for passwords with 8-bit chars, and not fully unusable but just not
> usable yet until other systems or parts of the system are updated and
> the "$2a$" to "$2x$" compatibility mode is disabled).  It's a tradeoff
> either way.  So I don't intend to revert to that older trick, which
> we've already moved away from.

Ok. Meanwhile I've found that libxcrypt's crypt_gensalt actually
also may change the prefix. It has a fallback to DES if the
requested prefix isn't available as plugin. So mkpasswd was broken
in that regard always. That error never happened though as mkpasswd
didn't support any prefix libxcrypt didn't support too.

> I am tempted to just release the current code as 1.2 now.  We won't
> arrive at a perfect solution anyway, because it doesn't exist.  And we
> need to let other projects upgrade to better/safer code (dealing with
> one-correct to many-buggy collisions) sooner rather than later.

Indeed.

cu
Ludwig

-- 
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix 
Imendörffer, HRB 16746 (AG Nürnberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.