Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120814025805.GE27715@brightrain.aerifal.cx>
Date: Mon, 13 Aug 2012 22:58:05 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Todo for release?

On Tue, Aug 14, 2012 at 06:49:03AM +0400, Solar Designer wrote:
> > If this issue is as simple to solve as it sounds, it might make sense
> > to allow arbitrary key sizes. After all, programs that could be DoS'd
> > by long keys are already going to be limiting key length themselves.
> 
> That's wishful thinking.

Are you sure? I haven't read the code lately, but I can't imagine any
login daemon is going to be calling realloc() in a loop to read an
arbitrarily long password before authentication. That just sounds
gratuitously broken (i.e. someone went out of their way to write
painful code that does nothing useful and makes their daemon
susceptible to DoS).

> > If time grew superlinearly in key length, I'd say it should definitely
> > be limited, but since the growth is just linear (the expected growth
> > rate for any interface that takes a string argument), I think it's
> > less clear what should be done.
> 
> Yes, it is not clear what should be done.

If it's a toss-up on whether we should limit key length for runtime
considerations, I might just go on a basis of how it affects code
complexity for handling long keys and thus still limit them.

> > something that can never match. By the way, would you agree that all
> > programs that generate new password hashes should do so by calling
> > crypt twice, the second time using the output of the first as the
> > setting/salt, and verify that the results match? This seems to be the
> > only safe/portable way to make sure you got a valid hash and not an
> > error.
> 
> This makes sense, yet it sounds overkill to me.  I'd simply check for
> hash && strlen(hash) >= 13.

Indeed, strlen(hash)>=13 is certainly a necessary condition, but is it
sufficient? I could imagine a hypothetical crypt implementation that
puts error messages in the unmatchable hash as a debugging aid to why
generating the hash failed, but I agree they probably don't exist.
Still, changing your password should not be a frequent action, so it
might make the most sense to do the check the way I suggested.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.