Date:      Fri, 24 Oct 2014 13:03:53 -0700
From:      Xin Li <delphij@delphij.net>
To:        Jim Pirzyk <pirzyk@freeBSD.org>, Ronald Klop <ronald-lists@klop.ws>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt
Message-ID:  <544AB0A9.8030808@delphij.net>
In-Reply-To: <23061782-21F6-4509-9362-2DAEED692F72@freeBSD.org>
References:  <201410222107.s9ML7nLC010739@freefall.freebsd.org> <F0DAE32B-34CF-4191-9070-A517ACDC6E2A@freeBSD.org> <op.xn8j96kqkndu52@ronaldradial.radialsg.local> <AC160955-2FEC-49FA-9E1F-B4DE948DCF00@freeBSD.org> <op.xn8lzxyvkndu52@ronaldradial.radialsg.local> <23061782-21F6-4509-9362-2DAEED692F72@freeBSD.org>


On 10/24/14 09:18, Jim Pirzyk wrote:
> That statement is really irrelevant because this is the submitter, 
> what was the crypt() behavior back in the 2.0 days?  Did anyone in

FreeBSD's crypt(3) has returned a DES hash since FreeBSD 4.4.  I don't
think the previous behavior really matters here, especially with Peter's
reasoning in r70421 on 2000/12/28:

===
Hindsight is wonderful, but I got cold feet over the crypt(3) default
so I am backing it out for now.  The problem is that some random
program calling crypt() could be passing a DES salt and the crypt(3)
library would encrypt it in md5 mode and there would be a password
mismatch as a result.  I wrote a validator function for the DES code
to verify that a salt is valid for DES, but I realized there were too
many strange things to go wrong.  passwd(1), pw(8) etc still generate
md5 passwords by default for /etc/master.passwd, so this is almost
academic.  It is a big deal for things that have their own crypt(3)-ed
password strings (.htaccess, etc etc).  Those are the things I do not
want to break.

My DES salt recognizer basically checked if the salt was either 2 or
13 characters long, or began with '_' (_PASSWORD_EFMT1).  I think it
would have worked but I have seen way too much crypt() mishandling in
the past.
===

> FreeBSD verify this statement?  Why was that behavior not
> restored, as opposed to changing the default encryption algorithm.
> If login.conf was lost, mangled, etc in the old days, you would
> still get md5/sha1/…/etc encryption, now you just get DES.

If your login.conf was lost, mangled, etc., and you are still running
a FreeBSD release that is older than FreeBSD 4.4-RELEASE, it's an
owned system already.

> I think the security implications of this change should have
> required a bigger review, like at least sign off from 
> security-officer@freebsd.org

All security advisories and errata notices are signed off by the
Security Officer.  Both Dag-Erling and I have considered the change
for quite some time before it was made.

> If this was a POSIX compatibility issue, that should have been 
> evaluated and reviewed properly.  It feels there were not enough
> eyes on this change and if, as you say, this has not affected the
> default passwd algorithm, that should have also been noted in the
> Errata note.

It's not a POSIX compliance issue, at least not that I am aware of, as
POSIX did not mandate the use of any algorithm by default, or what
algorithms should be supported.

It is, however, the default behavior of everyone else.  Linux's glibc
defaults to DES, OpenBSD's libc defaults to DES, so does Illumos, and
all recent FreeBSD releases except 9.3-RELEASE.

Given the fact that the change of the crypt(3) default hash algorithm
*does* *NOT* change the system default password hashing algorithm
(SHA512 currently, and tweakable via login.conf(5)), we do not believe
it would hurt or weaken your safety, and therefore it isn't worth
causing the subtle ABI breakage that breaks applications in the real
world.

Cheers,

> 
> - JimP
> 
> On Oct 24, 2014, at 8:48 AM, Ronald Klop <ronald-lists@klop.ws> 
> wrote:
> 
>> Hi,
>> 
>> I have nothing to do with the actual coding, but please reread 
>> comment 7 from the bug report: 'This doesn't have anything
>> common with system default password encryption, this is realized
>> using /etc/login.conf and applications like passwd, etc.'
>> 
>> Regards, Ronald.
>> 
>> On Fri, 24 Oct 2014 15:21:48 +0200, Jim Pirzyk
>> <pirzyk@freebsd.org> wrote:
>> 
>>> I think this should be reopened and reverted.  This is the
>>> wrong answer and has not taken into account the history of
>>> crypt() on FreeBSD.  I point you to the svn log:
>>> 
>>> http://svnweb.freebsd.org/base?view=revision&revision=4246
>>> 
>>> and
>>> 
>>> http://www.freebsd.org/releases/2.0/notes.html
>>> 
>>> If password security for FreeBSD is all you need, and you have 
>>> no requirement for copying encrypted passwords from different 
>>> hosts (Suns, DEC machines, etc) into FreeBSD password entries, 
>>> then FreeBSD's MD5 based security may be all you require!  We 
>>> feel that our default security model is more than a match for 
>>> DES, and without any messy export issues to deal with.  If
>>> you're outside (or even inside) the U.S., give it a try!
>>> 
>>> We are reversing 20+ years of FreeBSD progress.
>>> 
>>> - JimP
>>> 
>>> On Oct 24, 2014, at 8:11 AM, Ronald Klop
>>> <ronald-lists@klop.ws> wrote:
>>> 
>>>> See:
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192277
>>>> 
>>>> Regards, Ronald.
>>>> 
>>>> On Fri, 24 Oct 2014 13:14:20 +0200, Jim Pirzyk 
>>>> <pirzyk@freebsd.org> wrote:
>>>> 
>>>>> Hi,
>>>>> 
>>>>> I was wondering if there is more information about this 
>>>>> change?  FreeBSD changed the default away from DES to MD5 
>>>>> back in the 1.1.5 -> 2.0 transition.  It seems to me a 
>>>>> downgrade and rewarding bad programming to be changing
>>>>> back to DES now.  Also the proper course of action is to
>>>>> correct programs that make the wrong assumption about what
>>>>> crypt() changes.
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> - JimP
>>>>> 
>>>>> On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices 
>>>>> <errata-notices@freebsd.org> wrote:
>>>>> 
>>>>>> Signed PGP part 
>>>>>> =============================================================================
>>>>>> FreeBSD-EN-14:11.crypt                                          Errata Notice
>>>>>>                                                           The FreeBSD Project
>>>>>> 
>>>>>> Topic:          crypt(3) default hashing algorithm
>>>>>> 
>>>>>> Category:       core
>>>>>> Module:         libcrypt
>>>>>> Announced:      2014-10-22
>>>>>> Affects:        FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 and
>>>>>>                 before 2014-10-16.
>>>>>> Corrected:      2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE)
>>>>>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3)
>>>>>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2)
>>>>>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2)
>>>>>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2)
>>>>>>                 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE)
>>>>>>                 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4)
>>>>>> 
>>>>>> For general information regarding FreeBSD Errata Notices 
>>>>>> and Security Advisories, including descriptions of the 
>>>>>> fields above, security branches, and the following 
>>>>>> sections, please visit
>>>>>> <URL:http://security.freebsd.org/>.
>>>>>> 
>>>>>> I.   Background
>>>>>> 
>>>>>> The crypt(3) function performs password hashing.
>>>>>> Different algorithms of varying strength are available,
>>>>>> with older, weaker algorithms being retained for
>>>>>> compatibility.
>>>>>> 
>>>>>> The crypt(3) function was originally based on the DES 
>>>>>> encryption algorithm and generated a 13-character hash
>>>>>> from an eight-character password (longer passwords were 
>>>>>> truncated) and a two-character salt.
>>>>>> 
>>>>>> II.  Problem Description
>>>>>> 
>>>>>> In recent FreeBSD releases, the default algorithm for 
>>>>>> crypt(3) was changed to SHA-512, which generates a much 
>>>>>> longer hash than the traditional DES-based algorithm.
>>>>>> 
>>>>>> III. Impact
>>>>>> 
>>>>>> Many applications assume that crypt(3) always returns a 
>>>>>> traditional DES hash, and blindly copy it into a short 
>>>>>> buffer without bounds checks. This may lead to a variety
>>>>>> of undesirable results including, at worst, crashing the 
>>>>>> application.
>>>>>> 
>>>>>> IV.  Workaround
>>>>>> 
>>>>>> No workaround is available.
>>>>>> 
>>>>>> V.   Solution
>>>>>> 
>>>>>> Perform one of the following:
>>>>>> 
>>>>>> 1) Upgrade your system to a supported FreeBSD stable or 
>>>>>> release / security branch (releng) dated after the 
>>>>>> correction date.
>>>>>> 
>>>>>> 2) To update your present system via a source code
>>>>>> patch:
>>>>>> 
>>>>>> The following patches have been verified to apply to the 
>>>>>> applicable FreeBSD release branches.
>>>>>> 
>>>>>> a) Download the relevant patch from the location below,
>>>>>> and verify the detached PGP signature using your PGP
>>>>>> utility.
>>>>>> 
>>>>>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch
>>>>>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc
>>>>>> # gpg --verify crypt.patch.asc
>>>>>> 
>>>>>> b) Apply the patch.  Execute the following commands as 
>>>>>> root:
>>>>>> 
>>>>>> # cd /usr/src
>>>>>> # patch < /path/to/patch
>>>>>> 
>>>>>> c) Recompile the operating system using buildworld and 
>>>>>> installworld as described in 
>>>>>> <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>>>>>> 
>>>>>> Restart all daemons using the library, or reboot the 
>>>>>> system.
>>>>>> 
>>>>>> 3) To update your system via a binary patch:
>>>>>> 
>>>>>> Systems running a RELEASE version of FreeBSD on the i386
>>>>>> or amd64 platforms can be updated via the
>>>>>> freebsd-update(8) utility:
>>>>>> 
>>>>>> # freebsd-update fetch
>>>>>> # freebsd-update install
>>>>>> 
>>>>>> VI.  Correction details
>>>>>> 
>>>>>> The following list contains the revision numbers of each 
>>>>>> file that was corrected in FreeBSD.
>>>>>> 
>>>>>> Branch/path                                                      Revision
>>>>>> -------------------------------------------------------------------------
>>>>>> stable/9/                                                         r273425
>>>>>> releng/9.3/                                                       r273438
>>>>>> stable/10/                                                        r273043
>>>>>> releng/10.1/                                                      r273187
>>>>>> -------------------------------------------------------------------------
>>>>>> 
>>>>>> To see which files were modified by a particular revision, run the
>>>>>> following command, replacing NNNNNN with the revision 
>>>>>> number, on a machine with Subversion installed:
>>>>>> 
>>>>>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>>>>>> 
>>>>>> Or visit the following URL, replacing NNNNNN with the 
>>>>>> revision number:
>>>>>> 
>>>>>> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>>>>>> 
>>>>>> VII. References
>>>>>> 
>>>>>> The latest revision of this Errata Notice is available at
>>>>>> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc
>>>>>> _______________________________________________
>>>>>> freebsd-announce@freebsd.org mailing list
>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
>>>>>> To unsubscribe, send any mail to
>>>>>> "freebsd-announce-unsubscribe@freebsd.org"
>>>>> 
>>>>> --- @(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13
>>>>> pirzyk Exp $ __o  jim@pirzyk.org 
>>>>> -------------------------------------------------- _'\<,_ 
>>>>> (*)/ (*) I'd rather be out biking.


- -- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
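
The failure mode from the errata's Impact section, as an added example that is not part of the original message or of FreeBSD's code: a bounded copy of a crypt(3) result that refuses instead of overflowing or truncating, next to the salt check described in the quoted r70421 log. The function names and the sample strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DES_HASH_LEN 13 /* traditional crypt(3) result: 13 characters */

/* Constructed samples with the right shape; not real crypt(3) output. */
static const char SAMPLE_DES[] = "ab0123456789.";
static const char SAMPLE_SHA512[] = "$6$examplesalt$"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Salt check as described in r70421 (helper name is hypothetical): DES if
 * the salt is 2 or 13 characters long, or begins with '_'. Length alone is
 * ambiguous: a 13-character "$6$..." string passes too. */
int looks_like_des_salt(const char *salt)
{
    size_t n = salt ? strlen(salt) : 0;

    return salt != NULL && (n == 2 || n == DES_HASH_LEN || salt[0] == '_');
}

/* Copy a crypt(3) result into dst. Returns 0 on success, -1 if the result
 * is NULL or does not fit. Never truncates: a truncated hash would be
 * stored and then never match again. */
int store_hash(char *dst, size_t dstlen, const char *hash)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (hash == NULL)       /* crypt(3) returns NULL on error */
        return -1;
    n = strlen(hash);
    if (n >= dstlen)        /* e.g. SHA-512 result into char[14] */
        return -1;
    memcpy(dst, hash, n + 1);
    return 0;
}

int main(void)
{
    char buf[DES_HASH_LEN + 1]; /* the buffer size legacy callers assume */

    printf("DES fits: %d\n", store_hash(buf, sizeof buf, SAMPLE_DES));
    printf("SHA-512 fits: %d\n", store_hash(buf, sizeof buf, SAMPLE_SHA512));
    return 0;
}
```

A caller that sizes its buffer from `strlen()` of the returned string, or duplicates it with `strdup()`, works with whatever algorithm crypt(3) selects.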