subject:"Re\: svn commit\: r1772803 \- in \/apr\/apr\/trunk\: CHANGEScrypto\/crypt

Re: svn commit: r1772803 - in /apr/apr/trunk: CHANGEScrypto/crypt_blowfish.c

2016-12-05 Thread William A Rowe Jr

On Mon, Dec 5, 2016 at 4:38 PM,  wrote:

> Doesn’t this simple patch break all existing hashes for the existing type?
>
>
 No, only those exceeding an absurd number of iterations. 31 iterations
takes over a day of CPU at 3Ghz.



Perhaps this breakage is safe for 2.0, but perhaps it is better to just
> introduce a new less expensive hash format, while still allowing
> verifications against the old format.
>
>
>
> For some of the hash usacases the fact that the code is very expensive is
> an advantage. (Expensive to crack)
>
>
>
>
>
> Bert
>
>
>
> Sent from Mail  for
> Windows 10
>
>
>
> *From: *n...@apache.org
> *Sent: *maandag 5 december 2016 21:57
> *To: *comm...@apr.apache.org
> *Subject: *svn commit: r1772803 - in /apr/apr/trunk:
> CHANGEScrypto/crypt_blowfish.c
>
>
>
> Author: niq
>
> Date: Mon Dec  5 20:56:59 2016
>
> New Revision: 1772803
>
>
>
> URL: http://svn.apache.org/viewvc?rev=1772803=rev
>
> Log:
>
> apr_crypt: avoid excessive iteration in bcrypt hash.
>
> Patch by Hanno Böck
>
>
>
> Modified:
>
> apr/apr/trunk/CHANGES
>
> apr/apr/trunk/crypto/crypt_blowfish.c
>
>
>
> Modified: apr/apr/trunk/CHANGES
>
> URL: http://svn.apache.org/viewvc/apr/apr/trunk/CHANGES?rev=
> 1772803=1772802=1772803=diff
>
> 
> ==
>
> --- apr/apr/trunk/CHANGES [utf-8] (original)
>
> +++ apr/apr/trunk/CHANGES [utf-8] Mon Dec  5 20:56:59 2016
>
> @@ -1,6 +1,9 @@
>
>   -*- coding: utf-8
> -*-
>
> Changes for APR 2.0.0
>
> +  *) apr_crypto: avoid excessive iteration in bcrypt hash.
>
> + [Hanno Böck ]
>
> +
>
>*) apr_siphash: Implement keyed hash function SipHash.  [Yann Ylavic]
>
>*) apr_atomic: change the API of apr_atomic_casptr()
> apr_atomic_xchgptr()
>
>
>
> Modified: apr/apr/trunk/crypto/crypt_blowfish.c
>
> URL: http://svn.apache.org/viewvc/apr/apr/trunk/crypto/crypt_
> blowfish.c?rev=1772803=1772802=1772803=diff
>
> 
> ==
>
> --- apr/apr/trunk/crypto/crypt_blowfish.c (original)
>
> +++ apr/apr/trunk/crypto/crypt_blowfish.c Mon Dec  5 20:56:59 2016
>
> @@ -877,7 +877,7 @@ char *_crypt_gensalt_blowfish_rn(const c
>
>   const char *input, int size, char *output, int output_size)
>
> {
>
>   if (size < 16 || output_size < 7 + 22 + 1 ||
>
> -  (count && (count < 4 || count > 31)) ||
>
> + (count && (count < 4 || count > 17)) ||
>
>   prefix[0] != '$' || prefix[1] != '2' ||
>
>   (prefix[2] != 'a' && prefix[2] != 'y')) {
>
>  if (output_size > 0) output[0] = '\0';
>
>
>
>
>
>
>

RE: svn commit: r1772803 - in /apr/apr/trunk: CHANGEScrypto/crypt_blowfish.c

2016-12-05 Thread bert

Doesn’t this simple patch break all existing hashes for the existing type?

Perhaps this breakage is safe for 2.0, but perhaps it is better to just 
introduce a new less expensive hash format, while still allowing verifications 
against the old format.

For some of the hash usacases the fact that the code is very expensive is an 
advantage. (Expensive to crack)


Bert

Sent from Mail for Windows 10

From: n...@apache.org
Sent: maandag 5 december 2016 21:57
To: comm...@apr.apache.org
Subject: svn commit: r1772803 - in /apr/apr/trunk: 
CHANGEScrypto/crypt_blowfish.c

Author: niq
Date: Mon Dec  5 20:56:59 2016
New Revision: 1772803

URL: http://svn.apache.org/viewvc?rev=1772803=rev
Log:
apr_crypt: avoid excessive iteration in bcrypt hash.
Patch by Hanno Böck

Modified:
apr/apr/trunk/CHANGES
apr/apr/trunk/crypto/crypt_blowfish.c

Modified: apr/apr/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/apr/apr/trunk/CHANGES?rev=1772803=1772802=1772803=diff
==
--- apr/apr/trunk/CHANGES [utf-8] (original)
+++ apr/apr/trunk/CHANGES [utf-8] Mon Dec  5 20:56:59 2016
@@ -1,6 +1,9 @@
  -*- coding: utf-8 -*-
 Changes for APR 2.0.0
 
+  *) apr_crypto: avoid excessive iteration in bcrypt hash.
+ [Hanno Böck ]
+
   *) apr_siphash: Implement keyed hash function SipHash.  [Yann Ylavic]
 
   *) apr_atomic: change the API of apr_atomic_casptr() apr_atomic_xchgptr()

Modified: apr/apr/trunk/crypto/crypt_blowfish.c
URL: 
http://svn.apache.org/viewvc/apr/apr/trunk/crypto/crypt_blowfish.c?rev=1772803=1772802=1772803=diff
==
--- apr/apr/trunk/crypto/crypt_blowfish.c (original)
+++ apr/apr/trunk/crypto/crypt_blowfish.c Mon Dec  5 20:56:59 2016
@@ -877,7 +877,7 @@ char *_crypt_gensalt_blowfish_rn(const c
const char *input, int size, char *output, int output_size)
 {
if (size < 16 || output_size < 7 + 22 + 1 ||
-   (count && (count < 4 || count > 31)) ||
+   (count && (count < 4 || count > 17)) ||
prefix[0] != '$' || prefix[1] != '2' ||
(prefix[2] != 'a' && prefix[2] != 'y')) {
if (output_size > 0) output[0] = '\0';

Re: svn commit: r1772803 - in /apr/apr/trunk: CHANGEScrypto/crypt_blowfish.c

RE: svn commit: r1772803 - in /apr/apr/trunk: CHANGEScrypto/crypt_blowfish.c

2 matches

Site Navigation

Mail list logo

Footer information