Date: Mon, 2 May 2011 17:43:33 +0400 From: Solar Designer <solar@...nwall.com> To: musl@...ts.openwall.com Subject: FreeSec DES-based crypt(3) Rich, all - musl uses a DES-based crypt(3) implementation called FreeSec - the same one that *BSD's use. Unfortunately, its handling of invalid salt strings (with characters other than from the defined base-64 alphabet) differs from UFC-crypt's (which is standard in glibc) to an extent far greater than desired (yes, some deviations from UFC-crypt are in fact desired, in my opinion). Also, this may have security implications (yes, *BSD's are sort of affected) where lots of different invalid salts are treated as just one. This may affect e.g. some web apps that use PHP's crypt() improperly (their fault, but still). Thus, I propose that you replace the code in musl with my revision of it, which has the above issues corrected: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/ The files are crypt_freesec.c and crypt_freesec.h. These are also used in PHP 5.3.x, so they receive a lot of testing. Another issue is that somehow the speed of your FreeSec code in musl is extremely poor - it runs about 50 times slower than expected (e.g., than it does in glibc on Owl). This is as tested with "john --test --format=crypt" with JtR 1.7.7 on x86_64. I suggest that you run this test too, both before and after you replace the FreeSec code. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.