From: Tim van der Staaij <git@tim.vanderstaaij.email>
To: "musl" <musl@lists.openwall.com>
Subject: Re: [musl] [PATCH] crypt: support $2b$ prefix for blowfish
Date: Thu, 15 Oct 2020 22:59:42 +0200 [thread overview]
Message-ID: <1752e0fb54a.df9dc6c5135741.5665031325422067973@tim.vanderstaaij.email> (raw)
In-Reply-To: <20201015203232.GA7129@openwall.com>
Hi,
> Wow, I didn't realize we forgot to get this into musl.
Haha yes, what lead me to submitting this patch was an afternoon of
debugging why my nginx, linked with musl, was rejecting correct
passwords with a bcrypt credential file generated with python-passlib.
I figured it was probably just an oversight and it didn't look too
difficult to fix.
> Your patch looks OK to me at first glance, but it'd benefit from
> existing testing and perhaps it'd help further maintenance to merge my
> upstream changes instead of making slightly different (even if smaller)
> changes specific to musl.
I didn't realize that this code had an upstream, should've paid more
attention to the header! Of course I agree that syncing it with your
version would be a better solution.
> This is really subtle, but I recall deliberately avoiding the "!= 'x'"
> comparison as it's more likely to result in a conditional branch, which
> is an additional side-channel leak about the hash sub-type. We accept
> leaks through data cache access patterns, but we avoided branching on
> hash sub-type so far (let alone on anything truly security-sensitive).
> As I recall, this is why I had to move flags_by_subtype to global scope
> in that source file.
I see. I read about this phenomenon before, but actively recognizing and
avoiding such patterns is still quite a bit out my league.
Tim
next prev parent reply other threads:[~2020-10-15 21:29 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-15 19:56 Tim van der Staaij
2020-10-15 20:32 ` Solar Designer
2020-10-15 20:59 ` Tim van der Staaij [this message]
2020-10-17 19:27 ` Solar Designer
2020-10-18 8:57 ` Julien Ramseier
2020-10-18 14:51 ` Tim van der Staaij
2020-10-18 16:12 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1752e0fb54a.df9dc6c5135741.5665031325422067973@tim.vanderstaaij.email \
--to=git@tim.vanderstaaij.email \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).