Message-ID: <20241231103858.GG10433@brightrain.aerifal.cx>
Date: Tue, 31 Dec 2024 05:38:58 -0500
From: Rich Felker <dalias@...c.org>
To: Markus Wichmann <nullplan@....net>
Cc: musl@...ts.openwall.com, Runxi Yu <runxiyuld@...xiyu.org>
Subject: Re: crypt(3) returns "*" from read-only region, segfaulting passwd(1) on Alpine for long passwords

On Tue, Dec 31, 2024 at 09:35:27AM +0100, Markus Wichmann wrote:
> On Mon, Dec 30, 2024 at 07:46:21AM +0100, Markus Wichmann wrote:
> > On Sun, Dec 29, 2024 at 04:38:03PM +0800, Runxi Yu wrote:
> > > musl/src/crypt/crypt_sha512.c
> > > > if (!p || q != testbuf || memcmp(testbuf, testhash, sizeof testhash))
> > > > 	return "*";
> >
> > It doesn't make sense for these lines to be the problem, because they
> > are only triggered if the compiler used for musl was broken and created
> > a version of sha512crypt that generates wrong hashes. If this path is
> > ever taken, then it is better for passwd to crash than to use any part
> > of the hash.
> >
> > Ciao,
> > Markus
>
> I stand corrected. I neglected to look at the "!p" condition. While the
> other two conditions for this return are indeed internal error checking
> (and maybe crashing explicitly here would be a better solution), the
> first one comes from a few conditions inside of sha512crypt, including
> keys beyond 256 bytes.
>
> There is no justification for length limits on the password, and nor
> for a length limit at exactly 256 bytes. Would CPUs overheat at 257?

There absolutely is a justification for the length limit. The
laughably bad design of the sha256/512 password hash functions is
gratuitously O(n²) in password length. So some limit needs to be
imposed, and 256 was chosen as a number way larger than any reasonable
password someone could want.

Sure there's no reason it couldn't have been 257 or 300 or whatever,
but either way you'd get things like this when software has bugs in
handling the condition.

Rich
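The failure condition discussed in this thread, handled on the caller's side, as an added example that is not part of the original message, of musl, or of passwd. `hash_password` is a hypothetical wrapper name, and `stub_crypt` is a constructed stand-in that models the 256-byte key limit so the block runs without linking a crypt library; the real crypt(3) has the same signature and can be passed in instead.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3), so the real function can be passed in. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Constructed stand-in, not musl's code: models the behaviour discussed
 * above, where keys beyond 256 bytes yield the failure token "*", a
 * string literal that may sit in read-only memory. */
static char *stub_crypt(const char *key, const char *setting)
{
    static char out[64];
    (void)setting;
    if (strlen(key) > 256)
        return (char *)"*";
    strcpy(out, "$6$salt$CONSTRUCTED-SAMPLE-HASH");
    return out;
}

/* Hypothetical caller-side wrapper. The pointer returned by the hasher is
 * only read. NULL, an empty string, or anything starting with '*' is
 * treated as failure, since no valid hash begins with '*'.
 * Returns 0 and fills dst on success, -1 on failure. */
int hash_password(crypt_fn fn, const char *key, const char *setting,
                  char *dst, size_t dstlen)
{
    const char *h = fn(key, setting);
    size_t n;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';                      /* never leave stale data behind */
    if (!h || h[0] == '\0' || h[0] == '*')
        return -1;
    n = strlen(h);
    if (n >= dstlen)
        return -1;                      /* refuse to truncate a hash */
    memcpy(dst, h, n + 1);
    return 0;
}

int main(void)
{
    char longkey[301], buf[128];
    memset(longkey, 'a', 300);
    longkey[300] = '\0';
    printf("short key: %d\n", hash_password(stub_crypt, "hunter2", "$6$salt$", buf, sizeof buf));
    printf("300-byte key: %d\n", hash_password(stub_crypt, longkey, "$6$salt$", buf, sizeof buf));
    return 0;
}
```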