In-Reply-To: <4AF81E2C.2090700@gmail.com>
References: <20091109010422.GA23417@thorin> <4AF81E2C.2090700@gmail.com>
Date: Mon, 9 Nov 2009 22:21:26 +0800
From: Bean
To: The development of GNU GRUB
Subject: Re: Imminent bugfix release (1.97.1)

On Mon, Nov 9, 2009 at 9:50 PM, Vladimir 'phcoder' Serbinenko wrote:
> Bean wrote:
>> On Mon, Nov 9, 2009 at 9:04 AM, Robert Millan wrote:
>>
>>> A security problem [1] was found in our password-checking routines,
>>> which affects GRUB 1.97.  I'll be releasing 1.97.1 tomorrow.
>>>
>>> Additionally, I cherry-picked fixes for a few problems that should
>>> have made it to the release, like GNU/Hurd support (see NEWS file
>>> for details).  The release branch is available in:
>>>
>>>   sftp://bzr.savannah.gnu.org/srv/bzr/grub/branches/release_1_97/
>>>
>>> If you have time, please test this tree, especially password support,
>>> to help find possible problems.
>>>
>>
>> Hi,
>>
>> Actually, the function of grub_auth_strcmp puzzles me, why would it
>> need to wait 100 ms to return the result?
>
> 10 ms actually. The goal is to take the same amount of time independently
> of input values. But probably the delay should be around the whole thing,
> and that's how I'll do it, but for this urgent release this will do.

Hi,

int
grub_auth_strcmp (const char *s1, const char *s2)
{
  int ret;
  grub_uint64_t end;

  end = grub_get_time_ms () + 100;
  ret = grub_strcmp (s1, s2);

  /* This prevents an attacker from deriving information about the
     password from the time it took to execute this function.  */
  while (grub_get_time_ms () < end);

  return ret;
}

Isn't this 100 ms?

Anyway, the longest supported string is 1024 long; I doubt there is any
perceivable difference between them.

-- 
Bean

My repository: https://launchpad.net/burg
Document: https://help.ubuntu.com/community/Burg
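Added example, not part of the mail above and not GRUB's own code: the quoted grub_auth_strcmp masks the early exit of grub_strcmp by padding the call to a fixed wall-clock delay, whereas the usual fix is a comparison whose loop count does not depend on the inputs at all. The C below contrasts an instrumented strcmp-style loop (returning how many bytes it examined before it could stop) with a comparison that walks all 1024 positions every time. The names early_exit_steps, auth_strcmp_ct, bounded_len and AUTH_MAX_LEN, and the sample secret "hunter2", are assumptions constructed for this example; 1024 is the string limit mentioned in the mail.

```c
/* Added example, not GRUB's code: contrasts the early-exit byte loop of a
 * plain strcmp() with a comparison whose loop count never depends on the
 * inputs.  Assumes a fixed upper bound on password length (1024, the
 * limit mentioned in the thread) and that the compiler keeps the loop as
 * written (check the generated code in a real build). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_MAX_LEN 1024   /* assumed limit, matching the thread's 1024 */

/* Bounded strlen, written out so the example needs only ISO C. */
static size_t bounded_len (const char *s, size_t max)
{
  size_t n = 0;
  while (n < max && s[n] != '\0')
    n++;
  return n;
}

/* How many byte positions a strcmp-style loop examines before it can
 * return.  The count, and therefore the running time, depends on where the
 * first mismatch is: 1 for a wrong first byte, strlen+1 for a full match.
 * That position-dependent count is the signal a timing measurement sees. */
size_t early_exit_steps (const char *s1, const char *s2)
{
  size_t i = 0;
  while (s1[i] != '\0' && s1[i] == s2[i])
    i++;
  return i + 1;
}

/* Returns 0 if s1 and s2 are identical, 1 otherwise.  Both strings are
 * copied into zero-padded fixed-size buffers and every one of the
 * AUTH_MAX_LEN positions is visited, so the number of loop iterations is
 * the same for every pair of inputs.  Caveat: bounded_len/memcpy still run
 * in time proportional to each string's length; if the length of the
 * stored secret must not leak either, keep it in a fixed-size buffer. */
int auth_strcmp_ct (const char *s1, const char *s2)
{
  unsigned char a[AUTH_MAX_LEN];
  unsigned char b[AUTH_MAX_LEN];
  size_t len1 = bounded_len (s1, AUTH_MAX_LEN);
  size_t len2 = bounded_len (s2, AUTH_MAX_LEN);
  uint32_t diff;
  size_t i;

  memset (a, 0, sizeof a);
  memset (b, 0, sizeof b);
  memcpy (a, s1, len1);
  memcpy (b, s2, len2);

  /* Fold the lengths in too, so a string and its truncation differ. */
  diff = (uint32_t) (len1 ^ len2);
  /* Accumulate every byte difference; no break, no data-dependent branch. */
  for (i = 0; i < AUTH_MAX_LEN; i++)
    diff |= (uint32_t) (a[i] ^ b[i]);

  /* Collapse "diff != 0" to 0/1 without a conditional jump. */
  return (int) ((diff | (0u - diff)) >> 31);
}

int main (void)
{
  const char *stored = "hunter2";   /* constructed sample secret */
  printf ("early-exit steps, wrong first byte: %zu\n",
          early_exit_steps (stored, "xunter2"));
  printf ("early-exit steps, wrong last byte : %zu\n",
          early_exit_steps (stored, "hunterX"));
  printf ("constant-time result, mismatch    : %d\n",
          auth_strcmp_ct (stored, "hunterX"));
  printf ("constant-time result, match       : %d\n",
          auth_strcmp_ct (stored, "hunter2"));
  return 0;
}
```

The point of early_exit_steps is only to make the leak visible as a number: 1 step for a wrong first byte, 7 for a wrong last byte of a 7-byte secret. A fixed post-delay like the one in the mail hides that difference only as long as the comparison always finishes well inside the delay and the clock used is coarse enough; auth_strcmp_ct removes the dependency instead of masking it.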