
restore compatibility with 2.0.0's fix for wraparound bug #81

Merged (3 commits), Jun 30, 2016

Conversation

reaperhulk (Member)

fixes #80

@reaperhulk (Member, Author)

This fix is a bit weird to me since arguably OpenBSD's "If you're on the old $2a$ hash you may want this behavior because you're checking existing hashes that were made with that behavior" is more correct, but I guess preserving compatibility with ourselves is more important.

@dstufft (Member) commented Jun 29, 2016

@reaperhulk Yeah, I think it's especially important to break those particular hashes because they're trivial to brute force (since they hash the same as b"0" * 72), which is one of the first things that something like JackTheRipper will try. However, given that we had the old behavior previously, if we didn't restore it we'd also be breaking anyone who happened to use this kind of password (although the edge case this hits is quite rare).

Ultimately though, I think the edge case is sufficiently narrow so as not to matter that much, but the fact it generates a warning in passlib motivates me to ensure this is fixed :)
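The collision dstufft describes can be shown without a bcrypt build. The block below is an added example, not code from this PR or from pyca/bcrypt's vendored C: it is a Python model of how OpenBSD's original bcrypt.c turned a password into the 18 key-schedule words (a port of Blowfish_stream2word plus the two key-length rules). The buggy rule is the original $2a$ one, `(u_int8_t)(strlen(key) + 1)`; the "fixed" rule is assumed to be the $2b$ one (length plus NUL, capped at 72 bytes), which is what the PR's test implies this change restores for $2a$. The test vector is the one from the PR's test; `PROBE_PASSWORD`, `cracker_equivalent` and the other names are this example's own.

```python
from __future__ import annotations

# Added illustration of the $2a$ "wraparound" bug discussed in this thread.
# NOT pyca/bcrypt's code: a Python model of how OpenBSD's original bcrypt.c
# derived the key-schedule input from a password.
#
# Pre-fix, the key length lived in a u_int8_t as strlen(key) + 1 (the NUL
# terminator counts), so a 255-byte password wrapped to key_len == 0.
# Blowfish_stream2word then never advances past data[0], and all 18 P-array
# words come from the password's first byte.  That is why the hash of the
# probe below equals the hash of b"0" * 72.

BCRYPT_MAX_KEY_BYTES = 72   # Blowfish P-array: 18 words x 4 bytes
P_ARRAY_WORDS = 18

# Test vector from the PR's test; its first byte is b"0".
PROBE_PASSWORD = (b"0123456789" * 26)[:255]


def stream2word(data: bytes, databytes: int, j: int) -> tuple[int, int]:
    """Port of Blowfish_stream2word: read 4 bytes from a cyclic key stream.

    `databytes` is the key length the C code passes in (possibly wrapped),
    not len(data).  With databytes == 0 the index is reset before every
    read, so data[0] is returned four times.
    """
    word = 0
    for _ in range(4):
        if j >= databytes:
            j = 0
        word = (word << 8) | data[j]
        j += 1
    return word, j


def key_schedule_words(password: bytes, key_len: int) -> list[int]:
    """The 18 words XORed into the P-array by Blowfish_expandstate."""
    data = password + b"\x00"  # C sees the terminating NUL as a key byte
    words, j = [], 0
    for _ in range(P_ARRAY_WORDS):
        word, j = stream2word(data, key_len, j)
        words.append(word)
    return words


def buggy_2a_key_len(password: bytes) -> int:
    """Original OpenBSD $2a$ rule: (u_int8_t)(strlen(key) + 1)."""
    return (len(password) + 1) & 0xFF


def fixed_key_len(password: bytes) -> int:
    """Assumed post-fix rule ($2b$, and what this PR restores for $2a$):
    strlen(key) + 1 capped at 72.  Not copied from the library's C source."""
    return min(len(password) + 1, BCRYPT_MAX_KEY_BYTES)


def buggy_2a_words(password: bytes) -> list[int]:
    return key_schedule_words(password, buggy_2a_key_len(password))


def fixed_words(password: bytes) -> list[int]:
    return key_schedule_words(password, fixed_key_len(password))


def cracker_equivalent(password: bytes) -> bytes:
    """For a password the bug collapses (len % 256 == 255), the short
    password a cracker actually has to guess: its first byte repeated."""
    if buggy_2a_key_len(password) != 0:
        raise ValueError("password length does not wrap to 0")
    return password[:1] * BCRYPT_MAX_KEY_BYTES


if __name__ == "__main__":
    assert buggy_2a_key_len(PROBE_PASSWORD) == 0
    # Buggy $2a$: the 255-byte probe schedules exactly like b"0" * 72 ...
    assert buggy_2a_words(PROBE_PASSWORD) == fixed_words(b"0" * 72)
    # ... so a cracker needs only one byte's worth of guesses.
    assert cracker_equivalent(PROBE_PASSWORD) == b"0" * 72
    # With the fixed rule the probe's real bytes reach the schedule.
    assert fixed_words(PROBE_PASSWORD) != fixed_words(b"0" * 72)
    print("wraparound model OK")
```

Only the first 72 key bytes are ever consumed by a P-array expansion (each call restarts at index 0), so the NUL appended for lengths below 72 and the wrapped length for lengths of 255, 511, ... are the whole story: the model shows why every 255-byte password under the old $2a$ rule collides with a 72-byte password made of a single repeated character.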

```python
import bcrypt


def test_2a_wraparound_bug():
    # A 255-byte key under $2a$ must not produce the hash that a backend
    # with the OpenBSD wraparound bug yields (the case passlib warns about).
    assert bcrypt.hashpw(
        (b"0123456789" * 26)[:255], b"$2a$04$R1lJ2gkNaoPGdafE.H.16."
    ) != b"$2a$04$R1lJ2gkNaoPGdafE.H.16.nVyh2niHsGJhayOHLMiXlI45o8/DU.6"
```


May as well make a positive assertion here?

reaperhulk (Member, Author)


Done :)

@dstufft dstufft merged commit 1088881 into pyca:master Jun 30, 2016
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 16, 2020

Successfully merging this pull request may close these issues.

Possible regression of "BSD wraparound" bug?
3 participants