DragonFly BSD
DragonFly kernel List (threaded) for 2012-01
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Heads-up, Re: git: crypt(3) - Switch SHA256/512 to the Linux implementation

From: "Samuel J. Greear" <sjg@xxxxxxxxxxxx>
Date: Fri, 20 Jan 2012 06:20:51 -0700 
--14dae9340f3fc321d704b6f58ce5
Content-Type: text/plain; charset=ISO-8859-1

Just a quick heads-up,

Please test this on a machine to which you have console access prior to
updating any remote machines to which your only means of access is ssh or
similar, or give this patch a couple of days to marinate to ensure nothing
was broken.

Best,
Sam

On Fri, Jan 20, 2012 at 6:13 AM, Samuel Greear
<sjg@crater.dragonflybsd.org>wrote:

>
> commit d8ee3b5d2d9ba12d8978a47bccb8e3945f96ea08
> Author: Samuel J. Greear <sjg@thesjg.com>
> Date:   Fri Jan 20 05:24:33 2012 -0700
>
>    crypt(3) - Switch SHA256/512 to the Linux implementation
>
>    * The existing SHA backends have been shown to be more susceptible to
> brute-
>      force attacks than we would prefer --
>      http://www.openwall.com/lists/oss-security/2012/01/16/2
>
>    * Bring in the reference implementation used in Linux, code is in the
> public
>      domain.
>
>    * Add required (standard) functions mempcpy and stpcpy.
>
>    * Change default for future installs to SHA512, this is the default on
> at
>      least archlinux and fedora.
>
>    * Add some minor hacks to libcrypt/crypt.c to ensure that
>      a) All existing passwords continue to work
>      b) All future passwords will be more secure with no changes required
>
>    * To update passwords to the new format use passwd(1) for each user,
> and to
>      change your default password type to SHA512 (default for new
> installations)
>      change the passwd_format setting under default to "sha512".
>
> Summary of changes:
>  etc/login.conf                         |    2 +-
>  include/string.h                       |    6 +-
>  lib/libc/string/Makefile.inc           |   11 +-
>  lib/libc/string/memcpy.3               |   13 +-
>  lib/libc/string/mempcpy.c              |   44 ++
>  lib/libc/string/stpncpy.c              |   44 ++
>  lib/libc/string/strcpy.3               |   38 +-
>  lib/libcrypt/Makefile                  |    8 +-
>  lib/libcrypt/crypt-sha256.c            |  828
> ++++++++++++++++++++++++++----
>  lib/libcrypt/crypt-sha512.c            |  883
> ++++++++++++++++++++++++++++----
>  lib/libcrypt/crypt.c                   |   32 +-
>  lib/libcrypt/crypt.h                   |    8 +-
>  lib/libcrypt/deprecated-crypt-sha256.c |  122 +++++
>  lib/libcrypt/deprecated-crypt-sha512.c |  110 ++++
>  14 files changed, 1903 insertions(+), 246 deletions(-)
>  create mode 100644 lib/libc/string/mempcpy.c
>  create mode 100644 lib/libc/string/stpncpy.c
>  create mode 100644 lib/libcrypt/deprecated-crypt-sha256.c
>  create mode 100644 lib/libcrypt/deprecated-crypt-sha512.c
>
>
> http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/d8ee3b5d2d9ba12d8978a47bccb8e3945f96ea08
>
>
> --
> DragonFly BSD source repository
>

--14dae9340f3fc321d704b6f58ce5
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div>Just a quick heads-up,</div><div><br></div>Please test this on a machi=
ne to which you have console access prior to updating any remote machines t=
o which your only means of access is ssh or similar, or give this patch a c=
ouple of days to marinate to ensure nothing was broken.<div>
<br></div><div>Best,</div><div>Sam<br><br><div class=3D"gmail_quote">On Fri=
, Jan 20, 2012 at 6:13 AM, Samuel Greear <span dir=3D"ltr">&lt;<a href=3D"m=
ailto:sjg@crater.dragonflybsd.org">sjg@crater.dragonflybsd.org</a>&gt;</spa=
n> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><br>
commit d8ee3b5d2d9ba12d8978a47bccb8e3945f96ea08<br>
Author: Samuel J. Greear &lt;<a href=3D"mailto:sjg@thesjg.com";>sjg@thesjg.c=
om</a>&gt;<br>
Date: =A0 Fri Jan 20 05:24:33 2012 -0700<br>
<br>
 =A0 =A0crypt(3) - Switch SHA256/512 to the Linux implementation<br>
<br>
 =A0 =A0* The existing SHA backends have been shown to be more susceptible =
to brute-<br>
 =A0 =A0 =A0force attacks than we would prefer --<br>
 =A0 =A0 =A0<a href=3D"http://www.openwall.com/lists/oss-security/2012/01/1=
6/2" target=3D"_blank">http://www.openwall.com/lists/oss-security/2012/01/1=
6/2</a><br>
<br>
 =A0 =A0* Bring in the reference implementation used in Linux, code is in t=
he public<br>
 =A0 =A0 =A0domain.<br>
<br>
 =A0 =A0* Add required (standard) functions mempcpy and stpcpy.<br>
<br>
 =A0 =A0* Change default for future installs to SHA512, this is the default=
 on at<br>
 =A0 =A0 =A0least archlinux and fedora.<br>
<br>
 =A0 =A0* Add some minor hacks to libcrypt/crypt.c to ensure that<br>
 =A0 =A0 =A0a) All existing passwords continue to work<br>
 =A0 =A0 =A0b) All future passwords will be more secure with no changes req=
uired<br>
<br>
 =A0 =A0* To update passwords to the new format use passwd(1) for each user=
, and to<br>
 =A0 =A0 =A0change your default password type to SHA512 (default for new in=
stallations)<br>
 =A0 =A0 =A0change the passwd_format setting under default to &quot;sha512&=
quot;.<br>
<br>
Summary of changes:<br>
=A0etc/login.conf =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 | =A0 =A0=
2 +-<br>
=A0include/string.h =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 | =A0 =A06 =
+-<br>
=A0lib/libc/string/Makefile.inc =A0 =A0 =A0 =A0 =A0 | =A0 11 +-<br>
=A0lib/libc/string/memcpy.3 =A0 =A0 =A0 =A0 =A0 =A0 =A0 | =A0 13 +-<br>
=A0lib/libc/string/mempcpy.c =A0 =A0 =A0 =A0 =A0 =A0 =A0| =A0 44 ++<br>
=A0lib/libc/string/stpncpy.c =A0 =A0 =A0 =A0 =A0 =A0 =A0| =A0 44 ++<br>
=A0lib/libc/string/strcpy.3 =A0 =A0 =A0 =A0 =A0 =A0 =A0 | =A0 38 +-<br>
=A0lib/libcrypt/Makefile =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0| =A0 =A08 +-<b=
r>
=A0lib/libcrypt/crypt-sha256.c =A0 =A0 =A0 =A0 =A0 =A0| =A0828 ++++++++++++=
++++++++++++++----<br>
=A0lib/libcrypt/crypt-sha512.c =A0 =A0 =A0 =A0 =A0 =A0| =A0883 ++++++++++++=
++++++++++++++++----<br>
=A0lib/libcrypt/crypt.c =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 | =A0 32 +-<br>
=A0lib/libcrypt/crypt.h =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 | =A0 =A08 +-<b=
r>
=A0lib/libcrypt/deprecated-crypt-sha256.c | =A0122 +++++<br>
=A0lib/libcrypt/deprecated-crypt-sha512.c | =A0110 ++++<br>
=A014 files changed, 1903 insertions(+), 246 deletions(-)<br>
=A0create mode 100644 lib/libc/string/mempcpy.c<br>
=A0create mode 100644 lib/libc/string/stpncpy.c<br>
=A0create mode 100644 lib/libcrypt/deprecated-crypt-sha256.c<br>
=A0create mode 100644 lib/libcrypt/deprecated-crypt-sha512.c<br>
<br>
<a href=3D"http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/d8ee3b5d=
2d9ba12d8978a47bccb8e3945f96ea08" target=3D"_blank">http://gitweb.dragonfly=
bsd.org/dragonfly.git/commitdiff/d8ee3b5d2d9ba12d8978a47bccb8e3945f96ea08</=
a><br>

<span class=3D"HOEnZb"><font color=3D"#888888"><br>
<br>
--<br>
DragonFly BSD source repository<br>
</font></span></blockquote></div><br></div>

--14dae9340f3fc321d704b6f58ce5--

[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]