This is the mail archive of the
mailing list for the glibc project.
Re: [RFC][PATCH][BZ 2100] blowfish support in libcrypt
- From: Björn Esser <bjoern dot esser at gmail dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Thu, 1 Jun 2017 15:02:16 +0200
- Subject: Re: [RFC][PATCH][BZ 2100] blowfish support in libcrypt
- Authentication-results: sourceware.org; auth=none
- References: <firstname.lastname@example.org> <email@example.com>
Am 01.06.2017 um 11:23 schrieb Florian Weimer:
On 05/31/2017 07:33 PM, Björn Esser wrote:
+Solar Designer <solar at openwall.com>
I think we generally prefer patch submission from the original author or
Are the crypt_gensalt functions strongly related to Blowfish support?
In any case, they need documentation, and I'm not sure if the interfaces
are properly designed (haven't looked in detail, admittedly).
The FIPS changes in the patch appear to be incorrect. Surely Blowfish
should be disabled in FIPS mode, too.
I'll change this in the next version of this patch.
The other question is why we should add Blowfish support when the cipher
is pretty much on everyone's banned list.
Well, it depends on it's use case. If we're talking about encrypting
large data streams then it's to be considered deprecated or vulnerable
(SWEET32); talking about password hashing it still offers some
advantages over other algorithms (brute forcing takes unlikely much more
time on bcrypt hashed passwords) and excellent security. Look at
OpenBSD, SUSE, OpenWall, etc. still using bcrypt as the default password