From: Solar Designer <solar@openwall.com>
To: musl@lists.openwall.com
Subject: Re: list of security features in musl
Date: Tue, 16 Feb 2016 20:45:32 +0300 [thread overview]
Message-ID: <20160216174532.GA6216@openwall.com> (raw)
In-Reply-To: <20160211191119.GO9915@port70.net>
On Thu, Feb 11, 2016 at 08:11:19PM +0100, Szabolcs Nagy wrote:
> - about 'security feature lists':
> the fedora project lists 'sha256 based passwd hash' in glibc
> as a security feature[0], that implementation is
> - a denial of service attack vector (computation depends on
> key length more than the admin controlled round count).
> - arch dependent(!), one can craft a passwd entry such that
> only 32bit machines can log in.
What do you mean here? 32-bit overflow/wraparound with very high
rounds= specification?
> - unbounded alloca(!) use was fixed in 2012, long after
> fedora added support for it (the reference implementation
> in the spec still has the problem, among other issues[1]).
> - uses arbitrary sized realloc for the global crypt state
> even though 100 bytes would be enough (checks salt len
> after reallocation).
> - not standard conform c code: aligned attribute, alloca,
> section attribute, undefined behaviour: (tmp - (char *) 0).
> - meant to be used outside the libc, but secrets are cleared
> with memset which can be optimized away.
> (i think there are other issues in this sha256-crypt.c, but
> the point is: implementation details matter so security check
> lists should be taken with a grain of salt.)
>
> [0]: https://fedoraproject.org/wiki/Security_Features#Glibc_Enhancements
> [1]: http://www.openwall.com/lists/musl/2012/08/19/9
Another issue is that SHA-crypt leaks 8 bits via timing (total execution
time, not just cache-timing), for no good reason at all (not a tradeoff):
"18. repeast the following 16+A[0] times, where A[0] represents the first
byte in digest A interpreted as an 8-bit unsigned value
add the salt to digest DS"
For comparison, bcrypt is not cache-timing-safe, but that's a tradeoff.
Alexander
next prev parent reply other threads:[~2016-02-16 17:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-11 7:56 Natanael Copa
2016-02-11 8:41 ` Rich Felker
2016-02-11 19:11 ` Szabolcs Nagy
2016-02-16 17:45 ` Solar Designer [this message]
2016-02-16 19:44 ` Szabolcs Nagy
2016-02-16 20:39 ` Rich Felker
2016-02-16 20:44 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160216174532.GA6216@openwall.com \
--to=solar@openwall.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).