From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 18:24:06 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 71698106566B for ; Thu, 28 Jan 2010 18:24:06 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 54A828FC14 for ; Thu, 28 Jan 2010 18:24:06 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1002) id 48DEB31E2D18; Thu, 28 Jan 2010 10:24:13 -0800 (PST) Date: Thu, 28 Jan 2010 10:24:13 -0800 From: Chris Palmer To: freebsd-security@freebsd.org Message-ID: <20100128182413.GI892@noncombatant.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.3i Subject: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 18:24:06 -0000 See your copy of /usr/src/lib/libcrypt/crypt-md5.c: /* * and now, just to make sure things don't run too fast * On a 60 Mhz Pentium this takes 34 msec, so you would * need 30 seconds to build a 1000 entry dictionary... */ for(i = 0; i < 1000; i++) { MD5Init(&ctx1); if(i & 1) MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); else MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); if(i % 3) MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); if(i % 7) MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); if(i & 1) MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); else MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); MD5Final(final, &ctx1); } This algorithm is still the default on FreeBSD 8. (Blowfish is available -- but has it been tuned for slowness either? I have not checked.) The purpose of these functions is to be slow, but the above has not been slow for years. Hence this patch: --- crypt.h.orig 2010-01-28 10:14:50.000000000 -0800 +++ crypt.h 2010-01-28 10:17:49.000000000 -0800 @@ -32,6 +32,9 @@ #define MD4_SIZE 16 #define MD5_SIZE 16 +/* As processors get faster, increase this. 1000 was good on a Pentium 60. */ +#define MD5_SLOW 100000 + char *crypt_des(const char *pw, const char *salt); char *crypt_md5(const char *pw, const char *salt); char *crypt_nthash(const char *pw, const char *salt); --- crypt-md5.c.orig 2010-01-28 10:18:03.000000000 -0800 +++ crypt-md5.c 2010-01-28 10:19:00.000000000 -0800 @@ -107,10 +107,10 @@ /* * and now, just to make sure things don't run too fast - * On a 60 Mhz Pentium this takes 34 msec, so you would + * On a 60 Mhz Pentium MD5_SLOW = 1000 takes 34 msec, so you would * need 30 seconds to build a 1000 entry dictionary... */ - for(i = 0; i < 1000; i++) { + for(i = 0; i < MD5_SLOW; i++) { MD5Init(&ctx1); if(i & 1) MD5Update(&ctx1, (const u_char *)pw, strlen(pw));