[openssl-dev] [openssl.org #4674] Openssl 1.1.0 passwd bug & feature request

Richard Levitte via RT rt at openssl.org
Wed Sep 14 03:21:14 UTC 2016


Done!

On Wed Sep 14 03:16:11 2016, bkhowson at gmail.com wrote:
> Richard,
> I had taken a crack at this and got to the point of actually needing
> sha2crypt(). I compared your changes to mine, which is all pretty
> predictable so matched line by line. The only exception is 203, which is
> because it's entirely redundant as the max_pwlen defaults to 256.
>
> So maybe:
>
> - else if (use1 || useapr1)
> + else if (use1 || useapr1 || use5 || use6)
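Review bot: with use5 and use6 added to the condition, the comment on this branch (`/* arbitrary limit, should be enough for most passwords */`) should also say that the 256-byte pw_maxlen now caps the -5 and -6 inputs, and the commit message should record that 256 matches the default the cover note mentions, so a later change to that default does not silently diverge from this branch.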
>
> or
>
> - else if (use1 || useapr1)
> - pw_maxlen = 256; /* arbitrary limit, should be enough
> for
> most
> - * passwords */
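Review bot: dropping the branch outright relies on the default of 256 stated in the cover note rather than on anything visible in the hunk; if this variant is taken, the commit message should cite where pw_maxlen gets its default, because the deleted comment documented 256 as a deliberate limit and removing it ties the MD5 and SHA-crypt input limits to whatever that default becomes later.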
>
> Cheers,
> Brian
>
>
> On Tue, Sep 13, 2016 at 10:57 PM, Brian Howson <bkhowson at gmail.com> wrote:
>
> > Thanks Richard,
> > Quick work on issue 1, I git cloned & tested it, works as expected.
> > I downloaded the pull above, built it and it appears to work.
> >
> > I found test vectors in the specification document here:
> > https://www.akkadia.org/drepper/sha-crypt.html
> >
> >
> > openssl passwd -5 -salt saltstring "Hello world!" | find "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"
> >
> > openssl passwd -6 -salt saltstring "Hello world!" | find "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
> >
> >
> > So looks good. One suggestion is to re-order the help output so it's
> > in declining "best to worst" (6 -> 5 -> 1 -> apr1 -> des), but that's
> > minor.
> >
> >
> > Cheers,
> > Brian
> >
> > On Tue, Sep 13, 2016 at 10:09 PM, Richard Levitte via RT <rt at openssl.org> wrote:
> >
> >> Issue 2 is implemented in
> >> https://github.com/openssl/openssl/pull/1572
> >>
> >> Please try it out.
> >>
> >> Cheers,
> >> Richard
> >>
> >> On Tue Sep 13 22:32:37 2016, levitte wrote:
> >> > Issue 1 now resolved, fix pushed to master branch as well as
> >> > OpenSSL_1_1_0-stable.
> >> >
> >> > Issue 2 remaining.
> >> >
> >> > Cheers,
> >> > Richard
> >> >
> >> > On Tue Sep 13 20:32:18 2016, levitte wrote:
> >> > > I can confirm issue one and raise you one: it's not just on Windows
> >> > >
> >> > > On it.
> >> > >
> >> > > Cheers,
> >> > > Richard
> >> > >
> >> > > On Tue Sep 13 17:23:48 2016, bkhowson at gmail.com wrote:
> >> > > > This may be two requests, one a bug and one a feature request.
> >> > > >
> >> > > > Issue 1: openssl 1.1.0 passwd on Windows 64 doesn't generate MD5
> >> > > > passwords (-1 / -apr1), returns "<NULL>". I haven't tested other
> >> > > > platforms. See output below.
> >> > > >
> >> > > > Issue 2: openssl 1.1.0 passwd doesn't support newer password hashing
> >> > > > algorithms used by unix / linux platforms. This limitation may force
> >> > > > people to use weaker password storage than possible, for example if
> >> > > > generating crypts using openssl passwd to feed into usermod -p.
> >> > > > Please add support for password types 5 (SHA-256) and 6 (SHA-512).
> >> > > >
> >> > > > http://man7.org/linux/man-pages/man3/crypt.3.html
> >> > > >
> >> > > > ID | Method
> >> > > > ─────────────────────────────────────────────────────────
> >> > > > 1  | MD5
> >> > > > 2a | Blowfish (not in mainline glibc; added in some Linux distributions)
> >> > > > 5  | SHA-256 (since glibc 2.7)
> >> > > > 6  | SHA-512 (since glibc 2.7)
> >> > > >
> >> > > >
> >> > > > Issue 1: collateral:
> >> > > >
> >> > > > Working in OpenSSL 1.0.2h:
> >> > > > D:\>openssl version
> >> > > > OpenSSL 1.0.2h 3 May 2016
> >> > > >
> >> > > > D:\>openssl passwd -apr1 password
> >> > > > $apr1$hU.5TC8J$BaYCimZriQeWKBSupbQuO.
> >> > > >
> >> > > > D:\>openssl passwd -1 password
> >> > > > $1$LxNTmc7h$FHDYsVvavnYy0KqB.2ZIx0
> >> > > >
> >> > > > Compiled Openssl 1.1.0:
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl version
> >> > > > OpenSSL 1.1.0 25 Aug 2016
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl version
> >> > > > OpenSSL 1.1.0 25 Aug 2016
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd password
> >> > > > UZ8kfkzdGoYTQ
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -1 password
> >> > > > <NULL>
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -apr1 password
> >> > > > <NULL>
> >> > > >
> >> > > > (To show that MD5 wasn't compiled out):
> >> > > >
> >> > > > D:\Download\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -help
> >> > > > Usage: passwd [options]
> >> > > > Valid options are:
> >> > > > -help Display this summary
> >> > > > -in infile Pead passwords from file
> >> > > > -noverify Never verify when reading password from terminal
> >> > > > -quiet No warnings
> >> > > > -table Format output as table
> >> > > > -reverse Switch table columns
> >> > > > -salt val Use provided salt
> >> > > > -stdin Read passwords from stdin
> >> > > > -apr1 MD5-based password algorithm, Apache variant
> >> > > > -1 MD5-based password algorithm
> >> > > > -crypt Standard Unix password algorithm (default)
> >> > >
> >> > >
> >> > > --
> >> > > Richard Levitte
> >> > > levitte at openssl.org
> >> >
> >> >
> >> > --
> >> > Richard Levitte
> >> > levitte at openssl.org
> >>
> >>
> >> --
> >> Richard Levitte
> >> levitte at openssl.org
> >>
> >> --
> >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4674
> >> Please log in as guest with password guest if prompted
> >>
> >>
> >


--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4674
Please log in as guest with password guest if prompted
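As an added example (not code from this thread or from the OpenSSL pull request), here is a Python implementation of the SHA-crypt scheme Brian checked above, following the Drepper specification the thread links to, plus a verifier for `$5$`/`$6$` strings; the test vectors are the ones quoted in the thread, and `sha_crypt`, `verify`, `_b64` and the `ORDER` tables are names chosen here, not OpenSSL's.

```python
import hashlib, hmac, re
# crypt(3) base64 alphabet and, per digest size, the byte order of step 22 of
# the spec (bytes taken three at a time, little-endian, 6 bits per character).
B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ORDER = {
    32: (20, 10, 0, 11, 1, 21, 2, 22, 12, 23, 13, 3, 14, 4, 24, 5, 25, 15, 26, 16,
         6, 17, 7, 27, 8, 28, 18, 29, 19, 9, 30, 31),
    64: (42, 21, 0, 1, 43, 22, 23, 2, 44, 45, 24, 3, 4, 46, 25, 26, 5, 47, 48, 27,
         6, 7, 49, 28, 29, 8, 50, 51, 30, 9, 10, 52, 31, 32, 11, 53, 54, 33, 12,
         13, 55, 34, 35, 14, 56, 57, 36, 15, 16, 58, 37, 38, 17, 59, 60, 39, 18,
         19, 61, 40, 41, 20, 62, 63)}

def _b64(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        w, k = int.from_bytes(data[i:i + 3], "little"), min(3, len(data) - i)
        for _ in range(k + 1):          # a 3/2/1-byte group yields 4/3/2 chars
            out.append(chr(B64[w & 0x3F]))
            w >>= 6
    return "".join(out)

def sha_crypt(password: bytes, salt: bytes, variant: int = 6, rounds=None) -> str:
    """SHA-crypt per Drepper's spec: variant 5 = SHA-256, 6 = SHA-512."""
    new, n = (hashlib.sha256, 32) if variant == 5 else (hashlib.sha512, 64)
    salt = salt.split(b"$")[0][:16]                  # salt ends at '$', max 16
    rnd = 5000 if rounds is None else min(max(rounds, 1000), 999999999)
    fill = lambda d, ln: (d * (ln // n + 1))[:ln]    # steps 16/20: repeat, cut
    b = new(password + salt + password).digest()     # steps 4-8
    a = new(password + salt + fill(b, len(password)))  # steps 1-3, 9-10
    for bit in bin(len(password))[:1:-1]:            # step 11: len bits, LSB first
        a.update(b if bit == "1" else password)
    a = c = a.digest()                               # step 12
    p = fill(new(password * len(password)).digest(), len(password))  # 13-16
    s = fill(new(salt * (16 + a[0])).digest(), len(salt))            # 17-20
    for i in range(rnd):                             # step 21: the round loop
        h = new(p if i & 1 else c)
        if i % 3: h.update(s)
        if i % 7: h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    tag = f"${variant}$" + (f"rounds={rnd}$" if rounds is not None else "")
    return tag + salt.decode() + "$" + _b64(bytes(c[j] for j in ORDER[n]))

def verify(password: bytes, stored: str) -> bool:
    # Parse "$id$[rounds=N$]salt$hash", recompute it, compare in constant time.
    m = re.fullmatch(r"\$([56])\$(?:rounds=(\d+)\$)?([^$]{0,16})\$[./0-9A-Za-z]+", stored)
    if not m:
        return False
    got = sha_crypt(password, m[3].encode(), int(m[1]), int(m[2]) if m[2] else None)
    return hmac.compare_digest(got.encode(), stored.encode())
```

Running `sha_crypt(b"Hello world!", b"saltstring", 5)` and `(..., 6)` reproduces the two vectors quoted in the thread, which is the same check Brian performed with `openssl passwd -5`/`-6`.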