Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/06/13 18:19:27 UTC
[Bug 53410] New: SHA-2 password hashes with more than 9999 rounds not accepted
https://issues.apache.org/bugzilla/show_bug.cgi?id=53410
Priority: P2
Bug ID: 53410
Assignee: bugs@httpd.apache.org
Summary: SHA-2 password hashes with more than 9999 rounds not accepted
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: jasonovich@mailfish.de
Hardware: PC
Status: NEW
Version: 2.2.17
Component: Core
Product: Apache httpd-2
I created two SHA-512 password hashes for the password "foobar" with the
crypt() function under Fedora 14, one using 9999 rounds, the other using 10000
rounds:
crypt("foobar", "$6$rounds=9999$IOm.N/WPP/0qRkWo");
crypt("foobar", "$6$rounds=10000$IOm.N/WPP/0qRkWo");
I added the results to a password file for basic authentication:
user1:$6$rounds=9999$IOm.N/WPP/0qRkWo$FMP6X5bcfVQX5IC6U7Kw5RIJn/s.MbMZ/LFf1Lt7fzqb.5vlofDv5e47UEWZM/fdsOd3jgJDhHdrnTOswZH4X1
user2:$6$rounds=10000$IOm.N/WPP/0qRkWo$jVJRXlMEcoIcoX3zyE8k/CPESF/2Tm5qLz/Z0koPDz6XklE0g8j.5S0C2YUwU1j0lBQEXH2t/5ygsGDA8yxl8/
The 10000-round hash is not accepted by Apache ("Password Mismatch" in the
error.log), although apr_password_validate() from apr_md5.c uses the system's
crypt()/crypt_r() functions.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 53410] SHA-2 password hashes with more than 9999 rounds not accepted
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53410
Stefan Fritsch <sf...@sfritsch.de> changed:
What       | Removed  | Added
-----------+----------+---------
Status     | REOPENED | RESOLVED
Resolution | ---      | FIXED
--- Comment #4 from Stefan Fritsch <sf...@sfritsch.de> ---
(In reply to comment #3)
> Hmm, I've read through the code again and the fix consists of increasing the
> size of the (static) buffer holding a copy of the crypted password. I don't
> see why this size limit is necessary at all. Why not just do a
> straight-forward strcmp(crypt_pw, hash) at the end?
True, that's better. Fixed in
trunk: r1362241
1.5: r1362243
1.4: r1362244
[Bug 53410] SHA-2 password hashes with more than 9999 rounds not accepted
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53410
Stefan Fritsch <sf...@sfritsch.de> changed:
What      | Removed        | Added
----------+----------------+---------
Component | Core           | APR-util
Version   | 2.2.17         | HEAD
Product   | Apache httpd-2 | APR
--- Comment #1 from Stefan Fritsch <sf...@sfritsch.de> ---
This is a problem in apr-util's apr_password_validate() function.
[Bug 53410] SHA-2 password hashes with more than 9999 rounds not accepted
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53410
Stefan Fritsch <sf...@sfritsch.de> changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED
--- Comment #2 from Stefan Fritsch <sf...@sfritsch.de> ---
trunk: r1361811
1.5: r1361814
1.4: r1361816
The fix will be in apr-util 1.4.3 or 1.5.0, whichever gets released first.
[Bug 53410] SHA-2 password hashes with more than 9999 rounds not accepted
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53410
Jason Ovich <ja...@mailfish.de> changed:
What       | Removed  | Added
-----------+----------+---------
Status     | RESOLVED | REOPENED
Resolution | FIXED    | ---
--- Comment #3 from Jason Ovich <ja...@mailfish.de> ---
Hmm, I've read through the code again and the fix consists of increasing the
size of the (static) buffer holding a copy of the crypted password. I don't see
why this size limit is necessary at all. Why not just do a straight-forward
strcmp(crypt_pw, hash) at the end?
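As an added illustration (not apr-util's code, nor the reporter's), here is the pattern the original report and comment #3 describe: staging the crypt() result through a fixed-size buffer truncates a long hash so it can never compare equal, while a direct strcmp() on the crypt() output has no such limit. The buffer size of 120 and the bounded_copy helper are assumptions for the illustration; the two hashes are the ones posted in the report, and the "crypt output" is simulated by passing the stored hash itself (the correct-password case).

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed staging buffer in the buggy pattern. 120 is an assumed
 * value for this illustration, chosen so a 118-char hash fits and a 119-char
 * one does not; it is not quoted from apr-util. */
#define SAMPLE_LEN 120

/* Bounded copy with apr_cpystrn-like semantics (re-implemented here, not
 * APR's code): copies at most n-1 bytes and always NUL-terminates. */
static void bounded_copy(char *dst, const char *src, size_t n)
{
    size_t i = 0;
    while (i + 1 < n && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Buggy shape: crypt() output is staged through a fixed buffer, so any hash
 * longer than the buffer is truncated and can never compare equal.
 * crypt_pw stands in for the string crypt()/crypt_r() returned. */
int validate_via_fixed_buffer(const char *crypt_pw, const char *stored)
{
    char sample[SAMPLE_LEN];
    bounded_copy(sample, crypt_pw, sizeof(sample) - 1);
    return strcmp(sample, stored) == 0;
}

/* Fixed shape (comments #3 and #4): compare the crypt() result directly,
 * so the length of the hash no longer matters. */
int validate_direct(const char *crypt_pw, const char *stored)
{
    return strcmp(crypt_pw, stored) == 0;
}

/* The two hashes from the report: 118 and 119 characters respectively. */
const char HASH_9999[] = "$6$rounds=9999$IOm.N/WPP/0qRkWo$FMP6X5bcfVQX5IC6U7Kw5RIJn/s.MbMZ/LFf1Lt7fzqb.5vlofDv5e47UEWZM/fdsOd3jgJDhHdrnTOswZH4X1";
const char HASH_10000[] = "$6$rounds=10000$IOm.N/WPP/0qRkWo$jVJRXlMEcoIcoX3zyE8k/CPESF/2Tm5qLz/Z0koPDz6XklE0g8j.5S0C2YUwU1j0lBQEXH2t/5ygsGDA8yxl8/";

int main(void)
{
    /* Correct password: crypt() reproduces the stored hash exactly. */
    printf("9999 rounds,  fixed buffer: %d\n", validate_via_fixed_buffer(HASH_9999, HASH_9999));
    printf("10000 rounds, fixed buffer: %d\n", validate_via_fixed_buffer(HASH_10000, HASH_10000));
    printf("10000 rounds, direct:       %d\n", validate_direct(HASH_10000, HASH_10000));
    return 0;
}
```

With the assumed buffer, the 9999-round hash validates and the 10000-round one does not, reproducing the "Password Mismatch" the reporter observed; the direct comparison accepts both.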