Re: list of security features in musl

[Szabolcs Nagy <nsz@port70.net>]

* Solar Designer <solar@openwall.com> [2016-02-16 20:45:32 +0300]:
> On Thu, Feb 11, 2016 at 08:11:19PM +0100, Szabolcs Nagy wrote:
> > - about 'security feature lists':
> >   the fedora project lists 'sha256 based passwd hash' in glibc
> >   as a security feature[0], that implementation is
> >   - a denial of service attack vector (computation depends on
> >     key length more than the admin controlled round count).
> >   - arch dependent(!), one can craft a passwd entry such that
> >     only 32bit machines can log in.
> 
> What do you mean here?  32-bit overflow/wraparound with very high
> rounds= specification?
> 

no,

rounds setting is specified in terms of strtoul which has
saturating semantics so large values are not a problem
(and out of range values are clamped into [1000,999999999]).

but negative values are accepted by strtoul with different
meaning on 32 vs 64bit systems (wraparound).
(e.g. rounds=-4294967295 is clamped to 1000 vs 999999999).

of course arch dependent output is not a useful property
for a pbkdf so musl rejects negative rounds settings.
http://git.musl-libc.org/cgit/musl/tree/src/crypt/crypt_sha256.c#n211

Rich,
it seems musl has the wrong ROUNDS_MAX setting, do you
mind adding two more 9s there:
http://git.musl-libc.org/cgit/musl/commit/?id=aeaceb1fa89b865eb0bca739da9c450b5a054866
to follow the official spec:
https://www.akkadia.org/drepper/SHA-crypt.txt
(or reject large rounds so we don't generate non-portable hashes)

> >   - unbounded alloca(!) use was fixed in 2012, long after
> >     fedora added support for it (the reference implementation
> >     in the spec still has the problem, among other issues[1]).
> >   - uses arbitrary sized realloc for the global crypt state
> >     even though 100 bytes would be enough (checks salt len
> >     after reallocation).
> >   - not standard conform c code: aligned attribute, alloca,
> >     section attribute, undefined behaviour: (tmp - (char *) 0).
> >   - meant to be used outside the libc, but secrets are cleared
> >     with memset which can be optimized away.
> >   (i think there are other issues in this sha256-crypt.c, but
> >   the point is: implementation details matter so security check
> >   lists should be taken with a grain of salt.)
> > 
> > [0]: https://fedoraproject.org/wiki/Security_Features#Glibc_Enhancements
> > [1]: http://www.openwall.com/lists/musl/2012/08/19/9
> 
> Another issue is that SHA-crypt leaks 8 bits via timing (total execution
> time, not just cache-timing), for no good reason at all (not a tradeoff):
> 
> "18. repeast the following 16+A[0] times, where A[0] represents the first
>     byte in digest A interpreted as an 8-bit unsigned value
> 
>       add the salt to digest DS"
> 

and key length is leaked too :)

> For comparison, bcrypt is not cache-timing-safe, but that's a tradeoff.
> 
> Alexander