Date: Tue, 16 Feb 2016 20:44:35 +0100 From: Szabolcs Nagy <nsz@...t70.net> To: musl@...ts.openwall.com Subject: Re: list of security features in musl * Solar Designer <solar@...nwall.com> [2016-02-16 20:45:32 +0300]: > On Thu, Feb 11, 2016 at 08:11:19PM +0100, Szabolcs Nagy wrote: > > - about 'security feature lists': > > the fedora project lists 'sha256 based passwd hash' in glibc > > as a security feature, that implementation is > > - a denial of service attack vector (computation depends on > > key length more than the admin controlled round count). > > - arch dependent(!), one can craft a passwd entry such that > > only 32bit machines can log in. > > What do you mean here? 32-bit overflow/wraparound with very high > rounds= specification? > no, rounds setting is specified in terms of strtoul which has saturating semantics so large values are not a problem (and out of range values are clamped into [1000,999999999]). but negative values are accepted by strtoul with different meaning on 32 vs 64bit systems (wraparound). (e.g. rounds=-4294967295 is clamped to 1000 vs 999999999). of course arch dependent output is not a useful property for a pbkdf so musl rejects negative rounds settings. http://git.musl-libc.org/cgit/musl/tree/src/crypt/crypt_sha256.c#n211 Rich, it seems musl has the wrong ROUNDS_MAX setting, do you mind adding two more 9s there: http://git.musl-libc.org/cgit/musl/commit/?id=aeaceb1fa89b865eb0bca739da9c450b5a054866 to follow the official spec: https://www.akkadia.org/drepper/SHA-crypt.txt (or reject large rounds so we don't generate non-portable hashes) > > - unbounded alloca(!) use was fixed in 2012, long after > > fedora added support for it (the reference implementation > > in the spec still has the problem, among other issues). > > - uses arbitrary sized realloc for the global crypt state > > even though 100 bytes would be enough (checks salt len > > after reallocation). > > - not standard conform c code: aligned attribute, alloca, > > section attribute, undefined behaviour: (tmp - (char *) 0). > > - meant to be used outside the libc, but secrets are cleared > > with memset which can be optimized away. > > (i think there are other issues in this sha256-crypt.c, but > > the point is: implementation details matter so security check > > lists should be taken with a grain of salt.) > > > > : https://fedoraproject.org/wiki/Security_Features#Glibc_Enhancements > > : http://www.openwall.com/lists/musl/2012/08/19/9 > > Another issue is that SHA-crypt leaks 8 bits via timing (total execution > time, not just cache-timing), for no good reason at all (not a tradeoff): > > "18. repeast the following 16+A times, where A represents the first > byte in digest A interpreted as an 8-bit unsigned value > > add the salt to digest DS" > and key length is leaked too :) > For comparison, bcrypt is not cache-timing-safe, but that's a tradeoff. > > Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.