Bug 1910

Summary: checkpw returns true when it shouldn't
Product: jBCrypt
Reporter: jfrobishow
Component: Default
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: security    
Priority: P2    
Version: unspecified   
Hardware: amd64   
OS: Other   
Attachments: POC code

Description jfrobishow 2011-05-31 04:34:22 AEST
On Windows 7 64 bits JRE 6

Simple POC in Test.java.

I hashed a given password, when using checkpw against the hash it returns true (if the seed is slightly modified, in my case I added aaa at the end).

Comment 1 jfrobishow 2011-05-31 04:34:58 AEST
Created attachment 2052
POC code

Comment 2 jfrobishow 2011-05-31 05:47:51 AEST
Closing bug - the implementation is correct - bCrypt only XOR using the first 72 bytes. Perhaps a note in the doc would have been nice.

Comment 3 Damien Miller 2011-09-06 15:33:02 AEST
close resolved bugs now that openssh-5.9 has been released
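
The 72-byte behaviour described in Comment 2, shown with a caller-side length guard. This is an added example, not the attached POC and not jBCrypt's own code. The class and helper names are hypothetical, the passwords are constructed samples, and it assumes jBCrypt (`org.mindrot.jbcrypt.BCrypt`) is on the classpath.

```java
import java.nio.charset.StandardCharsets;
import org.mindrot.jbcrypt.BCrypt;

// Added illustration; class and helper names are hypothetical.
public class BcryptLengthGuard {
    // bcrypt keys Blowfish from at most 72 bytes of input; later bytes are ignored.
    static final int BCRYPT_MAX_BYTES = 72;

    // The limit is in bytes, so measure the UTF-8 encoding, not String.length().
    static boolean fitsInBcrypt(String password) {
        return password.getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    // Refuse to hash input whose tail would be silently dropped.
    static String hashChecked(String password) {
        if (!fitsInBcrypt(password)) {
            throw new IllegalArgumentException("password exceeds 72 UTF-8 bytes");
        }
        return BCrypt.hashpw(password, BCrypt.gensalt());
    }

    // Apply the same limit at login so an over-long candidate cannot match.
    static boolean verifyChecked(String candidate, String hash) {
        return fitsInBcrypt(candidate) && BCrypt.checkpw(candidate, hash);
    }

    public static void main(String[] args) {
        // Constructed sample: exactly 72 ASCII bytes.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < BCRYPT_MAX_BYTES; i++) sb.append('x');
        String base = sb.toString();
        String longer = base + "aaa"; // differs from base only after byte 72

        String hash = hashChecked(base);

        // Unguarded: both strings share their first 72 bytes, so bcrypt sees the same key.
        System.out.println("checkpw(base):          " + BCrypt.checkpw(base, hash));
        System.out.println("checkpw(base + aaa):    " + BCrypt.checkpw(longer, hash));

        // Guarded: the over-long candidate is rejected before bcrypt is called.
        System.out.println("verifyChecked(longer):  " + verifyChecked(longer, hash));

        // Multi-byte edge case: 40 two-byte characters are 80 bytes, over the limit.
        StringBuilder accented = new StringBuilder();
        for (int i = 0; i < 40; i++) accented.append('\u00e9');
        System.out.println("fitsInBcrypt(40 x e-acute): " + fitsInBcrypt(accented.toString()));
    }
}
```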