[Bug 2611] New: Add support for $2b$ prefixed hashes

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Sep 7 03:19:03 AEST 2016 

https://bugzilla.mindrot.org/show_bug.cgi?id=2611

            Bug ID: 2611
           Summary: Add support for $2b$ prefixed hashes
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dcarlson at squareup.com

Created attachment 2870
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2870&action=edit
patch to add support

NOTE: refers to jbcrypt 0.4.0, but product is not selectable.

We have run into a problem with the prefix of bcrypt-hashed passwords.
Our generated hash values include the prefix $2b$, but our crypt
library rejects these, only accepting hash formats with the prefix
$2a$.
Our current bcrypt java library
(http://www.mindrot.org/projects/jBCrypt also
https://github.com/jeremyh/jBCrypt) uses the modular crypt format
(http://pythonhosted.org/passlib/modular_crypt_format.html) to store
both the salt and the hash of the password.
The python library we have selected uses bcrypt.c. In
(http://www.openwall.com/lists/oss-security/2012/01/02/4), 'Alexander'
describes that Christos Zoulas discovered a wrap-around error. This is
also described in https://en.wikipedia.org/wiki/Crypt_(C). Either way,
the actual behavior in the c libarary is not truncation, but wrapping
in a way that can eliminate significant (all) entropy in the overflow
case (overflow is of the len variable which is uint8).
As a mitigation, some implementations use the $2b$ prefix which
clarifies the behavior regarding long passwords (e.g. the actual
behavior is now truncation). Implementations generally have addressed
both the overflow and used the version bump to identify this change.
The jbcrypt library uses "minor >= 'a'" comparisons in many positions,
but the critical section seems to be a check:
        if (salt.charAt(0) != '$' || salt.charAt(1) != '2') {
            throw new IllegalArgumentException("Invalid salt version");
        }
        if (salt.charAt(2) == '$') {
            off = 3;
        } else {
            minor = salt.charAt(2);
            if (minor != 'a' || salt.charAt(3) != '$') {
                throw new IllegalArgumentException("Invalid salt
revision");
            }
            off = 4;
        }
This code only supports prefixes $2a$ and $2$. It appears that the java
implementation does not have the wrapping problem from the C
implementation, but for compatibility, we would prefer that the java
implementation include support for both.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list