Done!

On Wed Sep 14 03:16:11 2016, bkhow...@gmail.com wrote:
> Richard,
> I had taken a crack at this and got to the point of actually needing
> sha2crypt(). I compared your changes to mine, which is all pretty
> predictable so matched line by line. The only exception is 203, which is
> because it's entirely redundant as the max_pwlen defaults to 256.
>
> So maybe:
>
> - else if (use1 || useapr1)
> + else if (use1 || useapr1 || use5 || use6)
>
> or
>
> - else if (use1 || useapr1)
> - pw_maxlen = 256; /* arbitrary limit, should be enough
> for
> most
> - * passwords */
>
> Cheers,
> Brian
>
>
> On Tue, Sep 13, 2016 at 10:57 PM, Brian Howson <bkhow...@gmail.com> wrote:
>
> > Thanks Richard,
> > Quick work on issue 1, I git cloned & tested it, works as expected.
> > I downloaded the pull above, built it and it appears to work.
> >
> > I found test vectors in the specification document here:
> > https://www.akkadia.org/drepper/sha-crypt.html
> >
> >
> > openssl passwd -5 -salt saltstring "Hello world!" | find "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"
> >
> > openssl passwd -6 -salt saltstring "Hello world!" | find "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
> >
> >
> > So looks good. One suggestion is to re-order the help output so it's
> > in declining "best to worst" (6 -> 5 -> 1 -> apr1 -> des), but that's
> > minor.
> >
> >
> > Cheers,
> > Brian
> >
> > On Tue, Sep 13, 2016 at 10:09 PM, Richard Levitte via RT <r...@openssl.org> wrote:
> >
> >> Issue 2 is implemented in
> >> https://github.com/openssl/openssl/pull/1572
> >>
> >> Please try it out.
> >>
> >> Cheers,
> >> Richard
> >>
> >> On Tue Sep 13 22:32:37 2016, levitte wrote:
> >> > Issue 1 now resolved, fix pushed to master branch as well as
> >> > OpenSSL_1_1_0-stable.
> >> >
> >> > Issue 2 remaining.
> >> >
> >> > Cheers,
> >> > Richard
> >> >
> >> > On Tue Sep 13 20:32:18 2016, levitte wrote:
> >> > > I can confirm issue one and raise you one: it's not just on Windows
> >> > >
> >> > > On it.
> >> > >
> >> > > Cheers,
> >> > > Richard
> >> > >
> >> > > On Tue Sep 13 17:23:48 2016, bkhow...@gmail.com wrote:
> >> > > > This may be two requests, one a bug and one a feature request.
> >> > > >
> >> > > > Issue 1: openssl 1.1.0 passwd on Windows 64 doesn't generate MD5
> >> > > > passwords (-1 / -apr1), returns "<NULL>". I haven't tested other
> >> > > > platforms. See output below.
> >> > > >
> >> > > > Issue 2: openssl 1.1.0 passwd doesn't support newer password
> >> > > > hashing algorithms used by unix / linux platforms. This limitation
> >> > > > may force people to use weaker password storage than possible, for
> >> > > > example if generating crypts using openssl passwd to feed into
> >> > > > usermod -p. Please add support for password types 5 (SHA-256) and
> >> > > > 6 (SHA-512).
> >> > > >
> >> > > > http://man7.org/linux/man-pages/man3/crypt.3.html
> >> > > >
> >> > > > ID  | Method
> >> > > > ─────────────────────────────────────────────────────────
> >> > > > 1   | MD5
> >> > > > 2a  | Blowfish (not in mainline glibc; added in some
> >> > > >     | Linux distributions)
> >> > > > 5   | SHA-256 (since glibc 2.7)
> >> > > > 6   | SHA-512 (since glibc 2.7)
> >> > > >
> >> > > >
> >> > > > Issue 1: collateral:
> >> > > >
> >> > > > Working in OpenSSL 1.0.2.h:
> >> > > > D:\>openssl version
> >> > > > OpenSSL 1.0.2h 3 May 2016
> >> > > >
> >> > > > D:\>openssl passwd -apr1 password
> >> > > > $apr1$hU.5TC8J$BaYCimZriQeWKBSupbQuO.
> >> > > >
> >> > > > D:\>openssl passwd -1 password
> >> > > > $1$LxNTmc7h$FHDYsVvavnYy0KqB.2ZIx0
> >> > > >
> >> > > > Compiled Openssl 1.1.0:
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl version
> >> > > > OpenSSL 1.1.0 25 Aug 2016
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl version
> >> > > > OpenSSL 1.1.0 25 Aug 2016
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd password
> >> > > > UZ8kfkzdGoYTQ
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -1 password
> >> > > > <NULL>
> >> > > >
> >> > > > D:\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -apr1 password
> >> > > > <NULL>
> >> > > >
> >> > > > (To show that MD5 wasn't compiled out):
> >> > > >
> >> > > > D:\Download\OpenSSL\openssl-1.1.0\apps>.\openssl passwd -help
> >> > > > Usage: passwd [options]
> >> > > > Valid options are:
> >> > > >  -help       Display this summary
> >> > > >  -in infile  Pead passwords from file
> >> > > >  -noverify   Never verify when reading password from terminal
> >> > > >  -quiet      No warnings
> >> > > >  -table      Format output as table
> >> > > >  -reverse    Switch table columns
> >> > > >  -salt val   Use provided salt
> >> > > >  -stdin      Read passwords from stdin
> >> > > >  -apr1       MD5-based password algorithm, Apache variant
> >> > > >  -1          MD5-based password algorithm
> >> > > >  -crypt      Standard Unix password algorithm (default)
> >> > >
> >> > >
> >> > > --
> >> > > Richard Levitte
> >> > > levi...@openssl.org
> >> >
> >> >
> >> > --
> >> > Richard Levitte
> >> > levi...@openssl.org
> >>
> >>
> >> --
> >> Richard Levitte
> >> levi...@openssl.org
> >>
> >> --
> >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4674
> >> Please log in as guest with password guest if prompted
> >>
> >>
> >
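
Review bot: in the second alternative quoted above, deleting the "else if (use1 || useapr1)" branch also deletes the only visible comment explaining the 256 limit ("arbitrary limit, should be enough for most passwords"). If the branch is dropped, move that comment to the place where the default is initialised so the limit stays documented. The message also refers to max_pwlen while the removed line assigns pw_maxlen, so it is worth confirming that the default relied on is the one for pw_maxlen before removing the explicit assignment.
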
--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4674
Please log in as guest with password guest if prompted
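
The check in the quoted thread compares openssl passwd -5 / -6 output with the two test vectors from the SHA-crypt specification. As an added example (not part of the thread and not OpenSSL's code), the following from-scratch Python rendering of the specification's algorithm at its default 5000 rounds reproduces the same two vectors, which gives a cross-check that does not depend on the OpenSSL build under test; the names sha_crypt, VECTORS, _fill and _b64 are this example's own.

```python
import hashlib

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The two vectors quoted in the thread (from the SHA-crypt specification).
VECTORS = {
    "5": "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5",
    "6": "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJ"
         "uesI68u4OTLiBFdcbYEdFCoEOfaS35inz1",
}

def _fill(block, length):
    """Repeat block, then truncate to exactly `length` bytes."""
    return (block * (length // len(block) + 1))[:length]

def _b64(b2, b1, b0, n):
    """crypt(3) base64: n characters of a 24-bit word, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    return "".join(B64[(w >> (6 * i)) & 0x3F] for i in range(n))

def sha_crypt(password, salt, variant="6"):
    """SHA-crypt per the specification: variant "5" = SHA-256, "6" = SHA-512."""
    H = hashlib.sha256 if variant == "5" else hashlib.sha512
    pw, sl = password.encode(), salt.encode()[:16]    # salt is capped at 16 bytes
    b = H(pw + sl + pw).digest()                      # digest B
    a = H(pw + sl + _fill(b, len(pw)))                # digest A
    n = len(pw)
    while n:                                          # one update per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    c = a.digest()                                    # digest A seeds the round loop
    p = _fill(H(pw * len(pw)).digest(), len(pw))      # sequence P
    s = _fill(H(sl * (16 + c[0])).digest(), len(sl))  # sequence S
    for r in range(5000):      # spec default; a "rounds=N$" field is not handled here
        h = H(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    step, out = len(c) // 3, []                       # 10 (SHA-256) or 21 (SHA-512)
    for i in range(step):                             # rotating byte transposition
        t = [i, i + step, i + 2 * step]
        k = (i * (2 if variant == "5" else 1)) % 3
        t = t[k:] + t[:k]
        out.append(_b64(c[t[0]], c[t[1]], c[t[2]], 4))
    out.append(_b64(0, c[31], c[30], 3) if variant == "5" else _b64(0, 0, c[63], 2))
    return "$%s$%s$%s" % (variant, sl.decode(), "".join(out))
```

Calling sha_crypt("Hello world!", "saltstring", "5") or the same with "6" and comparing against VECTORS mirrors the two command lines in the thread.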