From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/9325 Path: news.gmane.org!not-for-mail From: Solar Designer Newsgroups: gmane.linux.lib.musl.general Subject: Re: list of security features in musl Date: Tue, 16 Feb 2016 20:45:32 +0300 Message-ID: <20160216174532.GA6216@openwall.com> References: <20160211085613.2e58f751@ncopa-desktop.alpinelinux.org> <20160211084105.GL9349@brightrain.aerifal.cx> <20160211191119.GO9915@port70.net> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1455644746 5699 80.91.229.3 (16 Feb 2016 17:45:46 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Tue, 16 Feb 2016 17:45:46 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-9338-gllmg-musl=m.gmane.org@lists.openwall.com Tue Feb 16 18:45:42 2016 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1aVjgy-0004Sl-LF for gllmg-musl@m.gmane.org; Tue, 16 Feb 2016 18:45:40 +0100 Original-Received: (qmail 23930 invoked by uid 550); 16 Feb 2016 17:45:37 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 23912 invoked from network); 16 Feb 2016 17:45:37 -0000 Content-Disposition: inline In-Reply-To: <20160211191119.GO9915@port70.net> User-Agent: Mutt/1.4.2.3i Xref: news.gmane.org gmane.linux.lib.musl.general:9325 Archived-At: On Thu, Feb 11, 2016 at 08:11:19PM +0100, Szabolcs Nagy wrote: > - about 'security feature lists': > the fedora project lists 'sha256 based passwd hash' in glibc > as a security feature[0], that implementation is > - a denial of service attack vector (computation depends on > key length more than the admin controlled round count). > - arch dependent(!), one can craft a passwd entry such that > only 32bit machines can log in. What do you mean here? 32-bit overflow/wraparound with very high rounds= specification? > - unbounded alloca(!) use was fixed in 2012, long after > fedora added support for it (the reference implementation > in the spec still has the problem, among other issues[1]). > - uses arbitrary sized realloc for the global crypt state > even though 100 bytes would be enough (checks salt len > after reallocation). > - not standard conform c code: aligned attribute, alloca, > section attribute, undefined behaviour: (tmp - (char *) 0). > - meant to be used outside the libc, but secrets are cleared > with memset which can be optimized away. > (i think there are other issues in this sha256-crypt.c, but > the point is: implementation details matter so security check > lists should be taken with a grain of salt.) > > [0]: https://fedoraproject.org/wiki/Security_Features#Glibc_Enhancements > [1]: http://www.openwall.com/lists/musl/2012/08/19/9 Another issue is that SHA-crypt leaks 8 bits via timing (total execution time, not just cache-timing), for no good reason at all (not a tradeoff): "18. repeast the following 16+A[0] times, where A[0] represents the first byte in digest A interpreted as an 8-bit unsigned value add the salt to digest DS" For comparison, bcrypt is not cache-timing-safe, but that's a tradeoff. Alexander