From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/9333 Path: news.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Re: list of security features in musl Date: Tue, 16 Feb 2016 15:39:14 -0500 Message-ID: <20160216203914.GZ9349@brightrain.aerifal.cx> References: <20160211085613.2e58f751@ncopa-desktop.alpinelinux.org> <20160211084105.GL9349@brightrain.aerifal.cx> <20160211191119.GO9915@port70.net> <20160216174532.GA6216@openwall.com> <20160216194435.GX9915@port70.net> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1455655176 5982 80.91.229.3 (16 Feb 2016 20:39:36 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Tue, 16 Feb 2016 20:39:36 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-9346-gllmg-musl=m.gmane.org@lists.openwall.com Tue Feb 16 21:39:32 2016 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1aVmPC-0003BB-9r for gllmg-musl@m.gmane.org; Tue, 16 Feb 2016 21:39:30 +0100 Original-Received: (qmail 25968 invoked by uid 550); 16 Feb 2016 20:39:28 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 25947 invoked from network); 16 Feb 2016 20:39:27 -0000 Content-Disposition: inline In-Reply-To: <20160216194435.GX9915@port70.net> User-Agent: Mutt/1.5.21 (2010-09-15) Original-Sender: Rich Felker Xref: news.gmane.org gmane.linux.lib.musl.general:9333 Archived-At: On Tue, Feb 16, 2016 at 08:44:35PM +0100, Szabolcs Nagy wrote: > * Solar Designer [2016-02-16 20:45:32 +0300]: > > On Thu, Feb 11, 2016 at 08:11:19PM +0100, Szabolcs Nagy wrote: > > > - about 'security feature lists': > > > the fedora project lists 'sha256 based passwd hash' in glibc > > > as a security feature[0], that implementation is > > > - a denial of service attack vector (computation depends on > > > key length more than the admin controlled round count). > > > - arch dependent(!), one can craft a passwd entry such that > > > only 32bit machines can log in. > > > > What do you mean here? 32-bit overflow/wraparound with very high > > rounds= specification? > > > > no, > > rounds setting is specified in terms of strtoul which has > saturating semantics so large values are not a problem > (and out of range values are clamped into [1000,999999999]). > > but negative values are accepted by strtoul with different > meaning on 32 vs 64bit systems (wraparound). > (e.g. rounds=-4294967295 is clamped to 1000 vs 999999999). > > of course arch dependent output is not a useful property > for a pbkdf so musl rejects negative rounds settings. > http://git.musl-libc.org/cgit/musl/tree/src/crypt/crypt_sha256.c#n211 > > Rich, > it seems musl has the wrong ROUNDS_MAX setting, do you > mind adding two more 9s there: > http://git.musl-libc.org/cgit/musl/commit/?id=aeaceb1fa89b865eb0bca739da9c450b5a054866 > to follow the official spec: > https://www.akkadia.org/drepper/SHA-crypt.txt > (or reject large rounds so we don't generate non-portable hashes) The intent was to preclude extreme-DoS-range values of rounds, but clamping is the wrong behavior to achieve that. Instead we should just return 0 (fail the operation) if the value is greater than our ROUNDS_MAX. Does that sound ok? Rich