Bug 1910 - checkpw returns true when it shouldn't
Status: CLOSED INVALID
Alias: None
Product: jBCrypt
Classification: Unclassified
Component: Default
Version: unspecified
Hardware: amd64 Other
Importance: P2 security
Assignee: Assigned to nobody
Reported: 2011-05-31 04:34 AEST by jfrobishow
Modified: 2011-09-06 15:33 AEST
Attachments
POC code (498 bytes, application/octet-stream)
2011-05-31 04:34 AEST, jfrobishow
Description jfrobishow 2011-05-31 04:34:22 AEST
On Windows 7 64 bits JRE 6

Simple POC in Test.java.

I hashed a given password; when using checkpw against the hash, it returns true (if the seed is slightly modified; in my case I added aaa at the end).
Comment 1 jfrobishow 2011-05-31 04:34:58 AEST
Created attachment 2052
POC code
Comment 2 jfrobishow 2011-05-31 05:47:51 AEST
Closing bug - the implementation is correct - bCrypt only XORs using the first 72 bytes. Perhaps a note in the doc would have been nice.
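
The 72-byte limit named in Comment 2, as an added example that is not part of the bug report or of jBCrypt: it models which bytes can influence the hash and shows a pre-hash guard for longer inputs. The class `BcryptInputGuard`, its methods, and the sample passwords are hypothetical and constructed here; it uses only the Java 8+ standard library and does not call jBCrypt.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

// Added example (hypothetical class, not jBCrypt code). Requires Java 8+.
public class BcryptInputGuard {
    // bcrypt uses only the first 72 bytes of the password.
    static final int BCRYPT_MAX_BYTES = 72;

    // Models the bytes that can influence the hash: UTF-8 encoding cut at 72 bytes.
    static byte[] effectiveKey(String password) {
        byte[] utf8 = password.getBytes(StandardCharsets.UTF_8);
        return Arrays.copyOf(utf8, Math.min(utf8.length, BCRYPT_MAX_BYTES));
    }

    // True when trailing bytes of the password would be ignored.
    static boolean isTruncated(String password) {
        return password.getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES;
    }

    // Mitigation: SHA-256 then Base64 yields 44 ASCII characters, so every
    // byte of a long password influences what is handed to bcrypt.
    static String prehash(String password) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Builds a string of n copies of c (avoids String.repeat, which needs Java 11).
    static String repeat(char c, int n) {
        char[] buf = new char[n];
        Arrays.fill(buf, c);
        return new String(buf);
    }

    public static void main(String[] args) throws Exception {
        String original = repeat('x', 72);      // constructed sample, exactly 72 bytes
        String modified = original + "aaa";     // suffix lies entirely past byte 72
        String accented = repeat('\u00e9', 40); // 40 characters, 80 UTF-8 bytes

        System.out.println("same effective key: "
                + Arrays.equals(effectiveKey(original), effectiveKey(modified)));
        System.out.println("modified truncated: " + isTruncated(modified));
        System.out.println("accented truncated: " + isTruncated(accented));
        System.out.println("prehashes differ:   "
                + !prehash(original).equals(prehash(modified)));
    }
}
```

If pre-hashing is adopted, it has to be applied identically when hashing and when verifying; rejecting inputs for which `isTruncated` is true is the simpler alternative.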
Comment 3 Damien Miller 2011-09-06 15:33:02 AEST
close resolved bugs now that openssh-5.9 has been released