
Mailing List Archive: Apache: Bugs

[Bug 53410] SHA-2 password hashes with more than 9999 rounds not accepted

 

 



bugzilla at apache

Jul 15, 2012, 2:31 PM


https://issues.apache.org/bugzilla/show_bug.cgi?id=53410

Stefan Fritsch <sf [at] sfritsch> changed:

What      |Removed        |Added
----------------------------------------------------------------------------
Component |Core           |APR-util
Version   |2.2.17         |HEAD
Product   |Apache httpd-2 |APR

--- Comment #1 from Stefan Fritsch <sf [at] sfritsch> ---
This is a problem in apr-util's apr_password_validate() function

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd


bugzilla at apache

Jul 15, 2012, 2:52 PM


https://issues.apache.org/bugzilla/show_bug.cgi?id=53410

Stefan Fritsch <sf [at] sfritsch> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #2 from Stefan Fritsch <sf [at] sfritsch> ---
trunk: r1361811
1.5: r1361814
1.4: r1361816

The fix will be in apr-util 1.4.3 or 1.5.0, whichever gets released first.



bugzilla at apache

Jul 16, 2012, 12:18 PM


https://issues.apache.org/bugzilla/show_bug.cgi?id=53410

Jason Ovich <jasonovich [at] mailfish> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |REOPENED
Resolution |FIXED    |---

--- Comment #3 from Jason Ovich <jasonovich [at] mailfish> ---
Hmm, I've read through the code again and the fix consists of increasing the
size of the (static) buffer holding a copy of the crypted password. I don't see
why this size limit is necessary at all. Why not just do a straight-forward
strcmp(crypt_pw, hash) at the end?



bugzilla at apache

Jul 16, 2012, 1:45 PM


https://issues.apache.org/bugzilla/show_bug.cgi?id=53410

Stefan Fritsch <sf [at] sfritsch> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |REOPENED |RESOLVED
Resolution |---      |FIXED

--- Comment #4 from Stefan Fritsch <sf [at] sfritsch> ---
(In reply to comment #3)
> Hmm, I've read through the code again and the fix consists of increasing the
> size of the (static) buffer holding a copy of the crypted password. I don't
> see why this size limit is necessary at all. Why not just do a
> straight-forward strcmp(crypt_pw, hash) at the end?

True, that's better. Fixed in

trunk: r1362241
1.5: r1362243
1.4: r1362244

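The two comparison strategies discussed in comments #3 and #4, as an added example that is not apr-util's code: copying the crypt() result into a fixed-size static buffer before comparing, versus comparing it directly. The buffer size `SAMPLE_BUF`, the function names and the hash-shaped strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size, not taken from apr-util: chosen so the constructed
 * 9999-round string (118 chars) fits and the 10000-round one (119) does not. */
#define SAMPLE_BUF 119

/* Copy-then-compare: output longer than the static buffer is silently
 * truncated, so even the correct password fails to match the stored hash. */
static int validate_with_copy(const char *crypt_pw, const char *hash)
{
    static char sample[SAMPLE_BUF];
    strncpy(sample, crypt_pw, sizeof(sample) - 1);
    sample[sizeof(sample) - 1] = '\0';
    return strcmp(sample, hash) == 0;
}

/* Comparison suggested in comment #3: no copy, so no length limit. */
static int validate_direct(const char *crypt_pw, const char *hash)
{
    return strcmp(crypt_pw, hash) == 0;
}

/* Constructed SHA-512-crypt-shaped string (not a real hash):
 * $6$rounds=N$<16-char salt>$<86-char digest>. */
static void make_hash(char *out, size_t len, unsigned long rounds)
{
    char digest[87];
    memset(digest, 'A', 86);
    digest[86] = '\0';
    snprintf(out, len, "$6$rounds=%lu$0123456789abcdef$%s", rounds, digest);
}

/* Simulates a correct password: crypt() output equals the stored hash. */
static int check(unsigned long rounds, int direct)
{
    char hash[256];
    make_hash(hash, sizeof(hash), rounds);
    return direct ? validate_direct(hash, hash) : validate_with_copy(hash, hash);
}

int main(void)
{
    printf("copy,   rounds=9999:  %d\n", check(9999, 0));
    printf("copy,   rounds=10000: %d\n", check(10000, 0));
    printf("direct, rounds=10000: %d\n", check(10000, 1));
    return 0;
}
```

Enlarging the buffer only moves the threshold at which valid hashes start being rejected; the direct comparison removes it.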
