On Thu, Jul 7, 2011 at 11:56 AM, Gene Kligerman <gene_kliger...@ca.ibm.com> wrote: > > Hi SSLers! > > I am seeing an intermittent problem using EVP_md5 function to hash > user-specified passwords. > > The application works fine most of the time except when I run a "stress > test": 3 user applications concurrently that simply try to connect to my > server in a loop of 3,000 iterations each. > > My multi-threaded server accepts incoming connection requests and validates > the user's password by hashing it using MD5 and verifying against stored > hashed value. > > This works fine in all but approx. 10 iterations (out of 3,000). After > putting in debug code I find that in those few iterations the EVP_md5 > algorithm returned incorrect hashed value (which of course results in > password validation). > > Here's an example: > > clear text password: "u2" > stored (correct) MD5 hashed value in hex: '532A7B8E0328A8D05A8E6258B28B9A36' According to[1], it is actually 'u3'. You might consider salting the password database, and using a modern hash such as SHA-256. MD-5 is usually considered broken, and is no longer suitable for security purposes. Just ask HBGary (http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars).
> incorrect hashed values returned in some iterations: > '57D972DACC4671C2D448F66F308B6D49', 'B0E641C998CC3EAE6FA2F8726D98CDDD', > '3B33F2AD8FFE66427AF237B4DED2C1E2', etc. No hits on these - probably corrupted state. > Am I doing something wrong? Is this a known bug that perhaps has been fixed > in a later OpenSSL release? As mentioned above, I tried downloading OpenSSL > 1.0.0.d, but I only found static library while I need dynamic > libssl.so.X.Y.Z I would suspect the locking code; or you are violating your own data. If you believe you have implemented the OpenSSL locking code correctly, you probably have two threads on the same data at the same time. Jeff [1] http://www.md5rainbow.com/532A7B8E0328A8D05A8E6258B28B9A36 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
