Heads-up, Re: git: crypt(3) - Switch SHA256/512 to the Linux implementation
Samuel J. Greear
sjg at evilcode.net
Fri Jan 20 05:20:51 PST 2012
Just a quick heads-up,
Please test this on a machine to which you have console access prior to
updating any remote machines to which your only means of access is ssh or
similar, or give this patch a couple of days to marinate to ensure nothing
was broken.
Best,
Sam
On Fri, Jan 20, 2012 at 6:13 AM, Samuel Greear <sjg at crater.dragonflybsd.org> wrote:
>
> commit d8ee3b5d2d9ba12d8978a47bccb8e3945f96ea08
> Author: Samuel J. Greear <sjg at thesjg.com>
> Date: Fri Jan 20 05:24:33 2012 -0700
>
> crypt(3) - Switch SHA256/512 to the Linux implementation
>
> * The existing SHA backends have been shown to be more susceptible to
>   brute-force attacks than we would prefer --
>   http://www.openwall.com/lists/oss-security/2012/01/16/2
>
> * Bring in the reference implementation used in Linux, code is in the
>   public domain.
>
> * Add required (standard) functions mempcpy and stpcpy.
>
> * Change default for future installs to SHA512, this is the default on
>   at least archlinux and fedora.
>
> * Add some minor hacks to libcrypt/crypt.c to ensure that
>   a) All existing passwords continue to work
>   b) All future passwords will be more secure with no changes required
>
> * To update passwords to the new format use passwd(1) for each user,
>   and to change your default password type to SHA512 (default for new
>   installations) change the passwd_format setting under default to
>   "sha512".
>
> Summary of changes:
> etc/login.conf | 2 +-
> include/string.h | 6 +-
> lib/libc/string/Makefile.inc | 11 +-
> lib/libc/string/memcpy.3 | 13 +-
> lib/libc/string/mempcpy.c | 44 ++
> lib/libc/string/stpncpy.c | 44 ++
> lib/libc/string/strcpy.3 | 38 +-
> lib/libcrypt/Makefile | 8 +-
> lib/libcrypt/crypt-sha256.c | 828 ++++++++++++++++++++++++++----
> lib/libcrypt/crypt-sha512.c | 883 ++++++++++++++++++++++++++++----
> lib/libcrypt/crypt.c | 32 +-
> lib/libcrypt/crypt.h | 8 +-
> lib/libcrypt/deprecated-crypt-sha256.c | 122 +++++
> lib/libcrypt/deprecated-crypt-sha512.c | 110 ++++
> 14 files changed, 1903 insertions(+), 246 deletions(-)
> create mode 100644 lib/libc/string/mempcpy.c
> create mode 100644 lib/libc/string/stpncpy.c
> create mode 100644 lib/libcrypt/deprecated-crypt-sha256.c
> create mode 100644 lib/libcrypt/deprecated-crypt-sha512.c
>
>
> http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/d8ee3b5d2d9ba12d8978a47bccb8e3945f96ea08
>
>
> --
> DragonFly BSD source repository
>
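
Following the commit message's instruction to re-run passwd(1) for each user, a small audit of a master.passwd-format file shows which accounts have not yet been re-hashed. This is an added example, not part of the original post or the DragonFly source; it assumes the imported Linux implementation emits the standard `$5$`/`$6$` hash prefixes, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts whose stored hash is not yet SHA512.
# Assumption: hashes from the new code carry the standard "$5$" (SHA256)
# and "$6$" (SHA512) prefixes of the Linux reference implementation.

# classify_hash FIELD: label the password field of one account.
classify_hash() {
    case "$1" in
        '$6$'*)     echo sha512 ;;
        '$5$'*)     echo sha256 ;;
        '')         echo empty ;;
        '*'*|'!'*)  echo locked ;;
        *)          echo other ;;
    esac
}

# needs_rehash FILE: print "user<TAB>label" for every account that is
# neither locked nor already stored as SHA512.
needs_rehash() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        label=$(classify_hash "$hash")
        case "$label" in
            sha512|locked) ;;
            *) printf '%s\t%s\n' "$user" "$label" ;;
        esac
    done < "$1"
}

# sample_master_passwd: constructed entries in master.passwd layout.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not real accounts
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0::0:0:Charlie:/root:/bin/sh
alice:$1$CONSTRUCTED$CONSTRUCTEDHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:System processes:/root:/sbin/nologin
guest::1003:1003::0:0:Guest:/home/guest:/bin/sh
EOF
}

# Run against a file named on the command line (for example a copy of
# the password database taken from the console before a remote update).
if [ "$#" -gt 0 ]; then
    needs_rehash "$1"
fi
```

Accounts labelled `other` or `sha256` still verify with their existing hash and move to the new default only once passwd(1) is run for them; `empty` marks an account with no password set.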