[issue8596] crypt blowfish 'ignores' salt

2010-05-03 Thread Mark Dickinson

Mark Dickinson added the comment:

Okay, thanks for the update!

Looks like the FreeBSD crypt manpage could use some work...

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue8596] crypt blowfish 'ignores' salt

2010-05-03 Thread pvo

pvo added the comment:

OpenBSD's crypt(3) mentions some bcrypt*() functions. One of these functions is 
"char * bcrypt_gensalt(u_int8_t log_rounds)". It produces salts like: 
$2a$04$7.zkQ.HPURlplcFTWgDL3u or $2a$04$l2SuIEWPqF4D3uMTABgBYO

Passing these salts to Python's crypt.crypt on FreeBSD works perfectly.

Sorry for the noise.

--
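
Added example, not part of the original thread or its attached files: Python code for the setting-string shape quoted in the message above, `$2a$NN$` followed by 22 characters of bcrypt's own base64 alphabet that encode the 128-bit salt. The function names are hypothetical; the parser rejects raw-byte salts such as those in the original submission and accepts the two salts quoted above.

```python
import os
import re

# bcrypt's base64 alphabet; the order differs from RFC 4648 base64.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# "$2$" or "$2a$", two-digit cost, then 22 characters carrying the 128-bit salt.
SETTING_RE = re.compile(r"\$(2a?)\$(\d\d)\$([./A-Za-z0-9]{22})")


def b64_encode_salt(raw):
    """Encode exactly 16 salt bytes as 22 bcrypt-base64 characters."""
    if len(raw) != 16:
        raise ValueError("bcrypt salt must be 16 bytes (128 bits)")
    bits = int.from_bytes(raw, "big") << 4  # 128 bits + 4 zero pad bits = 22 * 6
    return "".join(BCRYPT_B64[(bits >> shift) & 0x3F] for shift in range(126, -1, -6))


def b64_decode_salt(text):
    """Decode 22 bcrypt-base64 characters back to the 16 salt bytes."""
    bits = 0
    for ch in text:
        bits = (bits << 6) | BCRYPT_B64.index(ch)
    return (bits >> 4).to_bytes(16, "big")  # drop the 4 pad bits


def gensalt(log_rounds=12, raw=None):
    """Build a "$2a$NN$<22 chars>" setting string (hypothetical helper)."""
    if not 4 <= log_rounds <= 31:
        raise ValueError("log_rounds must be in 04-31")
    raw = os.urandom(16) if raw is None else raw
    return "$2a$%02d$%s" % (log_rounds, b64_encode_salt(raw))


def parse_setting(setting):
    """Return (crypt id, log_rounds, salt bytes) or raise ValueError."""
    m = SETTING_RE.match(setting)
    if m is None:
        raise ValueError("expected $2a$NN$ followed by 22 chars of [./A-Za-z0-9]")
    rounds = int(m.group(2))
    if not 4 <= rounds <= 31:
        raise ValueError("log_rounds out of range")
    return m.group(1), rounds, b64_decode_salt(m.group(3))


if __name__ == "__main__":
    print(parse_setting("$2a$04$7.zkQ.HPURlplcFTWgDL3u"))  # salt quoted in the thread
    print(gensalt(5))  # fresh random setting string
```

Validating the setting string before it reaches crypt(3) turns a malformed salt into an error at the call site instead of an unexpected hash.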




[issue8596] crypt blowfish 'ignores' salt

2010-05-02 Thread pvo

pvo added the comment:

$2a$12$saltysalt$ignored
 ^  ^  ^         ^
 |  |  |         \_ignored
 |  |  \_the salt
 |  \_number of rounds (04-31)
 \_ crypt id

About the crypt id:
I read too much Blowfish crypt related stuff in the last two days. Can't 
remember exactly the difference between the IDs '2' and '2a'. The 
/etc/master.passwd on my OpenBSD contains encrypted passwords with the '2a' ID.

The C code is attached.

--
Added file: http://bugs.python.org/file17188/blf_crypt.c




[issue8596] crypt blowfish 'ignores' salt

2010-05-02 Thread Mark Dickinson

Mark Dickinson added the comment:

> FreeBSD's crypt(3) doesn't explain the 'salt' for Blowfish crypt exactly.

Reading:

http://www.freebsd.org/cgi/man.cgi?query=crypt&apropos=0&sektion=3&manpath=FreeBSD+7.2-RELEASE&format=html

and especially the section entitled "Modular crypt", it looks like your salt 
should take the form "$2$salt$ignored", where there are at most 8 characters of 
salt and the 'ignored' bit is ignored.

So your $2a$ looks wrong to me:  shouldn't it be $2$?  And after that, in the 
examples that you give, the only used portion of the salt is "05", which is the 
same in all the examples, so I'd expect to get the same output in each case.

I can't see any way that Python could be contributing to this:  if you look at 
the implementation (in Modules/cryptmodule.c), you'll see that the crypt 
function (called crypt_crypt in the source) really is a trivial wrapper around 
the system function;  there's no pre- or post-processing of arguments.

Can you attach the C code that's giving the different results?

--
status: open -> closed




[issue8596] crypt blowfish 'ignores' salt

2010-05-02 Thread pvo

pvo added the comment:

FreeBSD's crypt(3) doesn't explain the 'salt' for Blowfish crypt exactly. 
OpenBSD's crypt(3) says: "The Blowfish version of crypt has 128 bits of salt in 
order to make building dictionaries of common passwords space consuming."

I wrote a few lines of C code. Copied the salts from the output above to it and 
crypt()ed "test". The result differs:
$2a$05$/Ae.aeamG.O.../52uwMz3Q1WQSyWoWTy6zNndsrkAl2fnTn.

I hope I'll find some useful hints in the near future.

--
status: pending -> open




[issue8596] crypt blowfish 'ignores' salt

2010-05-02 Thread Mark Dickinson

Changes by Mark Dickinson:


--
resolution:  -> invalid
status: open -> pending




[issue8596] crypt blowfish 'ignores' salt

2010-05-02 Thread Mark Dickinson

Mark Dickinson added the comment:

I doubt this is a Python issue, since the crypt function does little more than 
wrap the system crypt function.

What does your man page for crypt say?  Are you sure you're providing a salt 
that the system crypt accepts?

--
nosy: +mark.dickinson




[issue8596] crypt blowfish 'ignores' salt

2010-05-01 Thread pvo

New submission from pvo:

Blowfish crypt uses a 128 bit salt, not only the letters [./a-zA-Z0-9]. Despite 
the different salts, crypt ignores the salt and produces identical encrypted 
passwords.
The problem occurs on FreeBSD 7.2 with Python 2.5.5 (r255:77872) and Python 
2.6.4 (r264:7570) (both from the ports).

python2.6 crypt_blf.py 
 salt: '$2a$05$)O\x0e9\xb7\xb0\xc9\xd6)v.\xd3\x03\xea!\xc1$'
$2a$05$t59ktwmm7.WpI./5uuAazXv5nUvrWyN1EzMcL6/EQ0HrNyJwq
 salt: '$2a$05$\x1ak\x0c\xfbF\xf5\xdf\xb4\x99\xa6\x12\x81\x8d\xce\xea\x19$'
$2a$05$COgstwmm../5uuu63L/Vi1a/9FQpklC2BKZ74ai8JM2ey
 salt: '$2a$05$\x80:\x14\xbb\xc3R\x95\xb9\xcb\xf0#\x04\xbf"\xf7\xe9$'
$2a$05$COgstwmm../5uuu63L/Vi1a/9FQpklC2BKZ74ai8JM2ey
 salt: '$2a$05$i\x01 \x10\x13#\xe3\xdc\x80\x90[3\xd5@(\x96$'
$2a$05$COgstwmm../5uuu63L/Vi1a/9FQpklC2BKZ74ai8JM2ey
 salt: '$2a$05$<\xa8CY\xa6\x018\xe7\x0b}\x92\xd3\xa1L1\xfb$'
$2a$05$COgstwmm../5uuu63L/Vi1a/9FQpklC2BKZ74ai8JM2ey

--
components: Library (Lib)
files: crypt_blf.py
messages: 104768
nosy: pvo
priority: normal
severity: normal
status: open
title: crypt blowfish 'ignores' salt
type: behavior
versions: Python 2.5, Python 2.6
Added file: http://bugs.python.org/file17181/crypt_blf.py
