From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 32188 invoked from network); 15 Oct 2020 21:29:00 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with ESMTPUTF8; 15 Oct 2020 21:29:00 -0000 Received: (qmail 7716 invoked by uid 550); 15 Oct 2020 21:28:56 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 27671 invoked from network); 15 Oct 2020 20:59:59 -0000 ARC-Seal: i=1; a=rsa-sha256; t=1602795585; cv=none; d=zohomail.com; s=zohoarc; b=h4IrtZC19QyDazIizcqVB6Kl6dc2JUNehjJxKLyHTmrRDV1HxGhT9zA77THPGc3DssPKzAACw5qLpcp4tLL/T4F317DC1+vtcUjnZVAJxYm/YE0TepfoVh02CfkXv9m1KqfcavHjnqHyfPz+iMgRhVE6dCB5qsvfD/8vcyEkfqQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1602795585; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=U+EwjrapH63TehxFeLiypx/Dm74w0ehFxtA1rM7UuRw=; b=RjE8gQ7x7/6r+4812162ayCINlKxZJVEb1x0Pt5P+elAcDCVxeaLpJojizrcqc0DIJeboRu9WdoYyw2bmCCke6AM6JAvpIDyt8cgsfok3YtklZfGD64Hx9ueU2PPvZn+CN48BR6jsoX9GF4uQsZekJSJt/qqCmqG8d28T6t5Gfk= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass smtp.mailfrom=tim@vanderstaaij.email; dmarc=pass header.from= header.from= Date: Thu, 15 Oct 2020 22:59:42 +0200 From: Tim van der Staaij To: "musl" Message-ID: <1752e0fb54a.df9dc6c5135741.5665031325422067973@tim.vanderstaaij.email> In-Reply-To: <20201015203232.GA7129@openwall.com> References: <1752dd63ca0.f45c706c130962.3068699904194055827@tim.vanderstaaij.email> <20201015203232.GA7129@openwall.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Importance: Medium User-Agent: Zoho Mail X-Mailer: Zoho Mail Subject: Re: [musl] [PATCH] crypt: support $2b$ prefix for blowfish Hi, > Wow, I didn't realize we forgot to get this into musl. Haha yes, what lead me to submitting this patch was an afternoon of debugging=C2=A0why my nginx, linked with musl, was rejecting correct passwords with a bcrypt credential file generated with python-passlib. I figured it was probably just an oversight and it didn't look too difficult to fix. > Your patch looks OK to me at first glance, but it'd benefit from > existing testing and perhaps it'd help further maintenance to merge my > upstream changes instead of making slightly different (even if smaller) > changes specific to musl. I didn't realize that this code had an upstream, should've paid more attention to the header! Of course I agree that syncing it with your version would be a better solution. > This is really subtle, but I recall deliberately avoiding the "!=3D 'x'" > comparison as it's more likely to result in a conditional branch, which > is an additional side-channel leak about the hash sub-type. We accept > leaks through data cache access patterns, but we avoided branching on > hash sub-type so far (let alone on anything truly security-sensitive). > As I recall, this is why I had to move flags_by_subtype to global scope > in that source file. I see. I read about this phenomenon before, but actively recognizing and avoiding such patterns is still quite a bit out my league. Tim