On Mon, Nov 9, 2009 at 9:50 PM, Vladimir 'phcoder' Serbinenko
<[email protected]> wrote:
> Bean wrote:
>> On Mon, Nov 9, 2009 at 9:04 AM, Robert Millan <[email protected]> wrote:
>>
>>> A security problem [1] was found in our password-checking routines,
>>> which affects GRUB 1.97. I'll be releasing 1.97.1 tomorrow.
>>>
>>> Additionally, I cherry-picked fixes for a few problems that should
>>> have made it to the release, like GNU/Hurd support (see NEWS file
>>> for details). The release branch is available in:
>>>
>>> sftp://bzr.savannah.gnu.org/srv/bzr/grub/branches/release_1_97/
>>>
>>> If you have time, please test this tree, specially password support,
>>> to help find possible problems.
>>>
>>
>> Hi,
>>
>> Actually, the function of grub_auth_strcmp puzzles me, why would it
>> need to wait 100 ms to return the result ?
> 10 ms actually. The goal is to take same amount of time indpendently of
> input values. But probably the delay should be around whole thing and
> it's how I'll do but for this urgent release this will do it
Hi,
int
grub_auth_strcmp (const char *s1, const char *s2)
{
int ret;
grub_uint64_t end;
end = grub_get_time_ms () + 100;
ret = grub_strcmp (s1, s2);
/* This prevents an attacker from deriving information about the
password from the time it took to execute this function. */
while (grub_get_time_ms () < end);
return ret;
}
Isn't this 100 ms ? Anyway, the longest supported string is 1024 long,
I doubt there is any perceivable difference between them.
--
Bean
My repository: https://launchpad.net/burg
Document: https://help.ubuntu.com/community/Burg
_______________________________________________
Grub-devel mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/grub-devel
