From: Ruben Perez (rubenperez038_at_[hidden])
Date: 2024-12-12 21:07:52
On Thu, 12 Dec 2024, 21:17 Peter Dimov, <pdimov_at_[hidden]> wrote:
> Ruben Perez wrote:
> > On Thu, 12 Dec 2024 at 14:27, Peter Dimov <pdimov_at_[hidden]> wrote:
> > >
> > > Ruben Perez wrote:
> > > > As a potential user mainly interested in the "hashing untyped byte
> > > > sequences" use case (involving SHA2), do you think migrating from
> > > > OpenSSL to Boost.Hash2 would be detrimental for security at this
> > > > point? If the answer is yes, is there a way to remediate this (even
> > > > after the library gets accepted)? Or is this just not the main use
> > > > case of the library?
> > > >
> > > > The use case involves generating digests for a network protocol
> > > > (MySQL).
> > > >
> > > > I'd like to know both Tom's and Peter's opinions.
> > >
> > > Can you please point me to the source code portions in Boost.MySQL
> > > that implement SHA-2 authentication?
> > >
> > >
> >
> > Current code (using OpenSSL):
> > https://github.com/boostorg/mysql/blob/c438f26731e36c2db6457705ec5dbb9f7657db2a/include/boost/mysql/impl/internal/auth/auth.ipp#L101-L114
> > Code using the proposed library:
> > https://github.com/boostorg/mysql/pull/389/files#diff-1ce941e5f315c38f0eb53e030e8752ae5d1209b702305b60e22024c138e29be5R45-R58
> > Protocol docs:
> > https://dev.mysql.com/doc/dev/mysql-server/8.4.3/page_caching_sha2_authentication_exchanges.html
> >
> > It's somehow similar in spirit to SCRAM-SHA256, but built in-house by
> > MySQL.
>
> In this specific case, if we assume that Hash2 is accepted into Boost,
> I'd say that using OpenSSL is much more susceptible to supply chain
> attacks.
>
> The user acquires both Boost.MySQL and Boost.Hash2 through Boost,
> whereas the typical practice of acquiring OpenSSL under Windows until
> very recently was "web search and download random binaries from
> somewhere on the Internet."
>
> Things are probably much better today because of vcpkg and conan, but
> the exact version of OpenSSL that the user will end up using is still an
> unknown variable.
>
> The actual SHA256 implementation in OpenSSL has been looked at much
> more than the one in Hash2 at this point, but the Hash2 code is easy to
> inspect and verify because it follows the reference implementation
> very closely at the moment (although this might change if we add SHA-NI
> optimizations in the future.)
>
> (I ignore here the C-style interface of OpenSSL's function, which has
> its own safety implications, but let's assume that the code in
> Boost.MySQL is 100% correct.)
>
Thanks for the clarifications, Peter.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk