Re: list of security features in musl

[Rich Felker <dalias@libc.org>]

On Tue, Feb 16, 2016 at 08:44:35PM +0100, Szabolcs Nagy wrote:
> * Solar Designer <solar@openwall.com> [2016-02-16 20:45:32 +0300]:
> > On Thu, Feb 11, 2016 at 08:11:19PM +0100, Szabolcs Nagy wrote:
> > > - about 'security feature lists':
> > >   the fedora project lists 'sha256 based passwd hash' in glibc
> > >   as a security feature[0], that implementation is
> > >   - a denial of service attack vector (computation depends on
> > >     key length more than the admin controlled round count).
> > >   - arch dependent(!), one can craft a passwd entry such that
> > >     only 32bit machines can log in.
> > 
> > What do you mean here?  32-bit overflow/wraparound with very high
> > rounds= specification?
> > 
> 
> no,
> 
> rounds setting is specified in terms of strtoul which has
> saturating semantics so large values are not a problem
> (and out of range values are clamped into [1000,999999999]).
> 
> but negative values are accepted by strtoul with different
> meaning on 32 vs 64bit systems (wraparound).
> (e.g. rounds=-4294967295 is clamped to 1000 vs 999999999).
> 
> of course arch dependent output is not a useful property
> for a pbkdf so musl rejects negative rounds settings.
> http://git.musl-libc.org/cgit/musl/tree/src/crypt/crypt_sha256.c#n211
> 
> Rich,
> it seems musl has the wrong ROUNDS_MAX setting, do you
> mind adding two more 9s there:
> http://git.musl-libc.org/cgit/musl/commit/?id=aeaceb1fa89b865eb0bca739da9c450b5a054866
> to follow the official spec:
> https://www.akkadia.org/drepper/SHA-crypt.txt
> (or reject large rounds so we don't generate non-portable hashes)

The intent was to preclude extreme-DoS-range values of rounds, but
clamping is the wrong behavior to achieve that. Instead we should just
return 0 (fail the operation) if the value is greater than our
ROUNDS_MAX. Does that sound ok?

Rich