From: Peter Dimov (pdimov_at_[hidden])
Date: 2024-12-12 20:17:26


Ruben Perez wrote:
> On Thu, 12 Dec 2024 at 14:27, Peter Dimov <pdimov_at_[hidden]> wrote:
> >
> > Ruben Perez wrote:
> > > As a potential user mainly interested in the "hashing untyped byte sequences"
> > > use case (involving SHA2), do you think migrating from OpenSSL to
> > > Boost.Hash2 would be detrimental for security at this point? If the
> > > answer is yes, is there a way to remediate this (even after the
> > > library gets accepted)? Or is this just not the main use case of the library?
> > >
> > > The use case involves generating digests for a network protocol (MySQL).
> > >
> > > I'd like to know both Tom's and Peter's opinions.
> >
> > Can you please point me to the source code portions in Boost.MySQL
> > that implement SHA-2 authentication?
> >
> >
>
> Current code (using OpenSSL):
> https://github.com/boostorg/mysql/blob/c438f26731e36c2db6457705ec5dbb9f7657db2a/include/boost/mysql/impl/internal/auth/auth.ipp#L101-L114
> Code using the proposed library:
> https://github.com/boostorg/mysql/pull/389/files#diff-1ce941e5f315c38f0eb53e030e8752ae5d1209b702305b60e22024c138e29be5R45-R58
> Protocol docs: https://dev.mysql.com/doc/dev/mysql-server/8.4.3/page_caching_sha2_authentication_exchanges.html
>
> It's somehow similar in spirit to SCRAM-SHA256, but built in-house by MySQL.

In this specific case, if we assume that Hash2 is accepted into Boost, I'd say
that using OpenSSL is much more susceptible to supply chain attacks.

The user acquires both Boost.MySQL and Boost.Hash2 through Boost,
whereas the typical practice of acquiring OpenSSL under Windows until
very recently was "web search and download random binaries from
somewhere on the Internet."

Things are probably much better today because of vcpkg and conan, but
the exact version of OpenSSL that the user will end up using is still an
unknown variable.

The actual SHA256 implementation in OpenSSL has been looked at much
more than the one in Hash2 at this point, but the Hash2 code is easy to
inspect and verify because it follows the reference implementation
very closely at the moment (although this might change if we add SHA-NI
optimizations in the future.)

(I ignore here the C-style interface of OpenSSL's function, which has its own
safety implications, but let's assume that the code in Boost.MySQL is 100%
correct.)


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk