crypt_blowfish 1.0

Type securityvulns
Reporter Securityvulns
Modified 2006-02-08T00:00:00



This is to announce the first mature version of crypt_blowfish and the minor security fix that this version adds.

crypt_blowfish is a public domain implementation of a modern password hashing algorithm based on the Blowfish block cipher, provided through the crypt(3) interface as well as a reentrant interface. It is compatible with bcrypt (version 2a) by Niels Provos and David Mazieres, as used in OpenBSD. The homepage for crypt_blowfish is:

The most important property of bcrypt (and thus crypt_blowfish) is that it is adaptable to future processor performance improvements, allowing you to arbitrarily increase the processing cost of checking a password while still maintaining compatibility with your older password hashes. Even today, the bcrypt hashes you would use are several orders of magnitude stronger than traditional Unix DES-based or FreeBSD-style MD5-based hashes.

Besides providing a bcrypt implementation, the crypt_blowfish package also includes a generic password hashing framework and hooks for introducing this framework into the GNU C Library. The provided functions include crypt_gensalt*(), a family of functions for generating "salts" for use with common Unix password hashing methods (that is, not only with bcrypt).

Marko Kreen has discovered and reported a minor security bug in crypt_blowfish 0.4.7 and below. The bug affected the way salts for BSDI-style extended DES-based and for FreeBSD-style MD5-based password hashes were generated with the crypt_gensalt() functions. With large numbers of password hashes of the affected types, it would result in a higher than expected number of matching salts. crypt_gensalt()'s functionality for Blowfish-based (bcrypt) hashes, which crypt_blowfish itself implements, and for traditional DES-based crypt(3) hashes was not affected.

Since bcrypt hashes were not affected, default installs of Openwall GNU/*/Linux (Owl) were never affected either. The specific impact this could have on non-default installs of Owl is described in the latest Owl-current change log entry for glibc:

Since Owl 2.0 is scheduled to be released really soon and since the bug is minor, we are not planning a similar glibc update for Owl 1.1-stable. Instead, the 1.1-stable branch will be obsoleted by the new release.

For those curious about the nature of the bug, it was unintended sign extension on a typecast.
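The sign-extension pitfall just described, as an added illustration written for this page (not crypt_blowfish's own code; the three-byte packing, the four-character itoa64 encoding and the sample inputs are assumptions): a random byte read through a signed char is widened with all high bits set, so one byte at or above 0x80 masks the bytes after it and many distinct random inputs collapse onto the same salt.

```c
#include <stdlib.h>
/* Alphabet used by traditional crypt(3)-style salt encodings. */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Pack three random bytes into the low 24 bits of an unsigned long.
 * pitfall=1 reproduces the sign-extension mistake: a byte read as a signed
 * char (what a plain `char` buffer yields on most platforms) is negative when
 * >= 0x80 and widens with every high bit set, wiping out the later bytes. */
unsigned long pack_bytes(const unsigned char *rnd, int pitfall)
{
    if (pitfall)
        return (unsigned long)(signed char)rnd[0] |
               ((unsigned long)(signed char)rnd[1] << 8) |
               ((unsigned long)(signed char)rnd[2] << 16);
    /* correct form: widen through unsigned char, never through a signed type */
    return (unsigned long)rnd[0] | ((unsigned long)rnd[1] << 8) |
           ((unsigned long)rnd[2] << 16);
}
/* Emit four salt characters (6 bits each) from the packed value. */
void encode_salt(const unsigned char *rnd, int pitfall, char out[5])
{
    unsigned long value = pack_bytes(rnd, pitfall);
    int i;
    for (i = 0; i < 4; i++, value >>= 6)
        out[i] = itoa64[value & 0x3f];
    out[4] = '\0';
}

/* Constructed inputs: they differ only in bytes the pitfall throws away. */
const unsigned char sample_a[3] = { 0x80, 0x01, 0x02 };
const unsigned char sample_b[3] = { 0x80, 0x03, 0x04 };

/* Count distinct salts over all 2^24 inputs (the 24-bit value maps 1:1 onto chars). */
unsigned long count_distinct_salts(int pitfall)
{
    unsigned char *seen = calloc(1u << 21, 1), rnd[3]; /* one bit per salt */
    unsigned long v, idx, count = 0;
    if (!seen) return 0;
    for (v = 0; v < (1ul << 24); v++) {
        rnd[0] = v & 0xff; rnd[1] = (v >> 8) & 0xff; rnd[2] = v >> 16;
        idx = pack_bytes(rnd, pitfall) & 0xffffff; /* the bits the salt keeps */
        if (!(seen[idx >> 3] & (1u << (idx & 7)))) {
            seen[idx >> 3] |= (unsigned char)(1u << (idx & 7));
            count++;
        }
    }
    free(seen);
    return count;
}
```

Exhaustive enumeration gives every one of the 16777216 possible salts for the correct form but only 4210816 for the pitfall variant, a roughly four-fold loss of salt space that surfaces as the excess of matching salts described above.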

As this crypt_blowfish bug is my own, and as I was well aware of this pitfall and avoided it in other places, I am very embarrassed about this. I apologize to anyone who might be affected for the exposure and inconvenience this causes.

-- Alexander Peslyak <solar at> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 - bringing security into open computing environments