On Mon, Dec 5, 2016 at 4:38 PM, <b...@qqmail.nl> wrote:
> Doesn’t this simple patch break all existing hashes for the existing type?

No, only those exceeding an absurd number of iterations. 31 iterations takes over a day of CPU at 3GHz.

> Perhaps this breakage is safe for 2.0, but perhaps it is better to just
> introduce a new less expensive hash format, while still allowing
> verifications against the old format.
>
> For some of the hash use cases the fact that the code is very expensive is
> an advantage. (Expensive to crack)
>
> Bert
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
> *From: *n...@apache.org
> *Sent: *maandag 5 december 2016 21:57
> *To: *comm...@apr.apache.org
> *Subject: *svn commit: r1772803 - in /apr/apr/trunk: CHANGES crypto/crypt_blowfish.c
>
> Author: niq
> Date: Mon Dec 5 20:56:59 2016
> New Revision: 1772803
>
> URL: http://svn.apache.org/viewvc?rev=1772803&view=rev
> Log:
> apr_crypt: avoid excessive iteration in bcrypt hash.
> Patch by Hanno Böck
>
> Modified:
> apr/apr/trunk/CHANGES
> apr/apr/trunk/crypto/crypt_blowfish.c
>
> Modified: apr/apr/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/apr/apr/trunk/CHANGES?rev=1772803&r1=1772802&r2=1772803&view=diff
> ==============================================================================
> --- apr/apr/trunk/CHANGES [utf-8] (original)
> +++ apr/apr/trunk/CHANGES [utf-8] Mon Dec 5 20:56:59 2016
> @@ -1,6 +1,9 @@
> -*- coding: utf-8 -*-
> Changes for APR 2.0.0
> + *) apr_crypto: avoid excessive iteration in bcrypt hash.
> + [Hanno Böck <hanno hboeck.de>]
> +
> *) apr_siphash: Implement keyed hash function SipHash. [Yann Ylavic]
> *) apr_atomic: change the API of apr_atomic_casptr() apr_atomic_xchgptr()
>
> Modified: apr/apr/trunk/crypto/crypt_blowfish.c
> URL: http://svn.apache.org/viewvc/apr/apr/trunk/crypto/crypt_blowfish.c?rev=1772803&r1=1772802&r2=1772803&view=diff
> ==============================================================================
> --- apr/apr/trunk/crypto/crypt_blowfish.c (original)
> +++ apr/apr/trunk/crypto/crypt_blowfish.c Mon Dec 5 20:56:59 2016
> @@ -877,7 +877,7 @@ char *_crypt_gensalt_blowfish_rn(const c
> const char *input, int size, char *output, int output_size)
> {
> if (size < 16 || output_size < 7 + 22 + 1 ||
> - (count && (count < 4 || count > 31)) ||
> + (count && (count < 4 || count > 17)) ||
> prefix[0] != '$' || prefix[1] != '2' ||
> (prefix[2] != 'a' && prefix[2] != 'y')) {
> if (output_size > 0) output[0] = '\0';
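Review bot: the CHANGES entry does not say what the new limit is or which callers it affects, and that is exactly the question this thread then has to answer; suggest spelling it out, e.g. `*) apr_crypto: lower the maximum accepted bcrypt cost from 31 to 17 to avoid excessive iteration; settings requesting a higher cost are now rejected.` The commit log also says `apr_crypt` while the entry says `apr_crypto`; pick one name.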
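Review bot: the new upper bound is a bare `17` replacing `31` in the range check with no comment on why, so the next reader will take it for the format's natural range and may "fix" it back; suggest a named constant carrying the rationale given in this thread (cost 17 versus 31 means 2^17 versus 2^31 rounds, the latter over a day of CPU). Also, this check sits in `_crypt_gensalt_blowfish_rn`, the salt/setting generator: it stops new `$2a$`/`$2y$` settings from being produced with cost 18..31, but the hunk does not show whether the hash/verify path applies the same bound to existing settings with such a cost, which is the behaviour Bert is asking about; the commit should state which it is, and if the verify path is unchanged, say so in the log.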