[openssl-dev] [openssl.org #4674] Openssl 1.1.0 passwd bug & feature request

Richard Levitte via RT rt at openssl.org
Tue Sep 13 21:37:41 UTC 2016


A note for the future: since this is really two issues, they should be one
ticket each. I'll let this one slip by, 'cause it's relatively simple to fix
both. However, please understand that while issue 1 will be fixed in OpenSSL
1.1.0a, issue 2 will not appear before OpenSSL 1.1.1.

Cheers,
Richard

On Tue Sep 13 17:23:48 2016, bkhowson at gmail.com wrote:
> This may be two requests, one a bug and one a feature request.
>
> Issue 1: openssl 1.1.0 passwd on Windows 64 doesn't generate MD5 passwords
> (-1 / -apr1), returns "<NULL>". I haven't tested other platforms. See
> output below.
>
> Issue 2: openssl 1.1.0 passwd doesn't support newer password hashing
> algorithms used by unix / linux platforms. This limitation may force
> people to use weaker password storage than possible, for example if
> generating crypts using openssl passwd to feed into usermod -p. Please add
> support for password types 5 (SHA-256) and 6 (SHA-512).
>
> http://man7.org/linux/man-pages/man3/crypt.3.html
>
> ID  | Method
> ─────────────────────────────────────────────────────────
> 1   | MD5
> 2a  | Blowfish (not in mainline glibc; added in some
>     | Linux distributions)
> 5   | SHA-256 (since glibc 2.7)
> 6   | SHA-512 (since glibc 2.7)
>
>
> Issue 1: collateral:
>
> Working in OpenSSL 1.0.2.h:
> D:\>openssl version
> OpenSSL 1.0.2h 3 May 2016
>
> D:\>openssl passwd -apr1 password
> $apr1$hU.5TC8J$BaYCimZriQeWKBSupbQuO.
>
> D:\>openssl passwd -1 password
> $1$LxNTmc7h$FHDYsVvavnYy0KqB.2ZIx0
>
> Compiled OpenSSL 1.1.0:
>
> D:\OpenSSL\openssl-1.1.0\apps>.\openssl version
> OpenSSL 1.1.0 25 Aug 2016
>
> D:\OpenSSL\openssl-1.1.0\apps>.\openssl version
> OpenSSL 1.1.0 25 Aug 2016
>
> D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd password
> UZ8kfkzdGoYTQ
>
> D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -1 password
> <NULL>
>
> D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -apr1 password
> <NULL>
>
> (To show that MD5 wasn't compiled out):
>
> D:\Download\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -help
> Usage: passwd [options]
> Valid options are:
> -help Display this summary
> -in infile Pead passwords from file
> -noverify Never verify when reading password from terminal
> -quiet No warnings
> -table Format output as table
> -reverse Switch table columns
> -salt val Use provided salt
> -stdin Read passwords from stdin
> -apr1 MD5-based password algorithm, Apache variant
> -1 MD5-based password algorithm
> -crypt Standard Unix password algorithm (default)


--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4674
Please log in as guest with password guest if prompted
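
An added example, not part of the original message or of OpenSSL: a small Python check that classifies crypt(3)-style strings by the ID prefix from the table quoted above and flags weak or malformed values, such as the `<NULL>` output from issue 1, before they are fed to something like usermod -p. The weak/strong labelling, the user names and the `$6$` entry are assumptions constructed for the example.

```python
import re

# IDs from the crypt(3) table quoted in the report, plus the Apache variant.
# The weak/strong flag is this example's own labelling, not part of crypt(3).
SCHEMES = {"1": ("MD5", True), "apr1": ("MD5, Apache variant", True),
           "2a": ("Blowfish", False), "5": ("SHA-256", False),
           "6": ("SHA-512", False)}
# Traditional crypt output: 2 salt characters followed by 11 hash characters.
TRADITIONAL = re.compile(r"[./0-9A-Za-z]{13}")


def classify(value):
    """Return (scheme, salt, weak); scheme is None if value is not a hash."""
    if TRADITIONAL.fullmatch(value):
        return ("Standard Unix crypt", value[:2], True)
    parts = value.split("$")
    # A modular string is $id$salt$hash, so parts[0] must be empty.
    if len(parts) < 4 or parts[0] or parts[1] not in SCHEMES:
        return (None, None, True)
    name, weak = SCHEMES[parts[1]]
    fields = parts[2:]
    if parts[1] in ("5", "6") and fields[0].startswith("rounds="):
        fields = fields[1:]  # skip the optional rounds=N parameter
    if len(fields) < 2 or not fields[-1]:
        return (None, None, True)  # truncated: no hash part
    # Blowfish is $2a$cost$<22-char salt><hash>; the others are $id$salt$hash.
    salt = fields[1][:22] if parts[1] == "2a" else fields[0]
    return (name, salt, weak)


def audit(lines):
    """Return [(user, finding)] for entries that are weak or not a hash."""
    findings = []
    for line in lines:
        user, value = (line.strip().split(":") + [""])[:2]
        scheme, _salt, weak = classify(value)
        if scheme is None:
            findings.append((user, "not a crypt hash: %r" % value))
        elif weak:
            findings.append((user, "weak scheme: " + scheme))
    return findings

# Constructed sample: the three strings and the "<NULL>" output shown in the
# report, plus a made-up $6$ entry (placeholder digest, not a real hash).
SAMPLE = ["alice:$apr1$hU.5TC8J$BaYCimZriQeWKBSupbQuO.",
          "bob:$1$LxNTmc7h$FHDYsVvavnYy0KqB.2ZIx0",
          "carol:UZ8kfkzdGoYTQ", "dave:<NULL>",
          "erin:$6$rounds=5000$constructedsalt$" + "A" * 86]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```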


