
On Thu, 12 Dec 2024, 21:17 Peter Dimov wrote:
On Thu, 12 Dec 2024 at 14:27, Peter Dimov wrote:
Ruben Perez wrote:
As a potential user mainly interested in the "hashing untyped byte sequences" use case (involving SHA2), do you think migrating from OpenSSL to Boost.Hash2 would be detrimental for security at this point? If the answer is yes, is there a way to remediate this (even after the library gets accepted)? Or is this just not the main use case of the library?
Ruben Perez wrote:
The use case involves generating digests for a network protocol (MySQL).
I'd like to know both Tom's and Peter's opinions.
Can you please point me to the source code portions in Boost.MySQL that implement SHA-2 authentication?
Current code (using OpenSSL):
https://github.com/boostorg/mysql/blob/c438f26731e36c2db6457705ec5dbb9f7657d...
Code using the proposed library:
https://github.com/boostorg/mysql/pull/389/files#diff-1ce941e5f315c38f0eb53e...
Protocol docs: https://dev.mysql.com/doc/dev/mysql-server/8.4.3/page_caching_sha2_authentic...
It's somehow similar in spirit to SCRAM-SHA256, but built in-house by MySQL.
In this specific case, if we assume that Hash2 is accepted into Boost, I'd say that using OpenSSL is much more susceptible to supply chain attacks.
The user acquires both Boost.MySQL and Boost.Hash2 through Boost, whereas the typical practice of acquiring OpenSSL under Windows until very recently was "web search and download random binaries from somewhere on the Internet."
Things are probably much better today because of vcpkg and conan, but the exact version of OpenSSL that the user will end up using is still an unknown variable.
The actual SHA256 implementation in OpenSSL has been looked at much more than the one in Hash2 at this point, but the Hash2 code is easy to inspect and verify because it follows the reference implementation very closely at the moment (although this might change if we add SHA-NI optimizations in the future.)
(I ignore here the C-style interface of OpenSSL's function, which has its own safety implications, but let's assume that the code in Boost.MySQL is 100% correct.)
Thanks for the clarifications, Peter.
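
Added example, not part of the thread and not Boost.MySQL's code: the fast-path digest exchange of caching_sha2_password that the messages above refer to, following the formula in the linked MySQL protocol docs and written with Python's hashlib for brevity. The function names, the sample password and the 20-byte nonce length are assumptions of this sketch, and the server-side check is the verification implied by the formula.

```python
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_scramble(password: bytes, nonce: bytes) -> bytes:
    """Client: SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) || nonce)."""
    stage1 = sha256(password)
    stage2 = sha256(stage1)
    return xor(stage1, sha256(stage2 + nonce))


def server_verify(cached_stage2: bytes, nonce: bytes, scramble: bytes) -> bool:
    """Server: holds only SHA256(SHA256(pw)), never the password.

    Undo the XOR to recover the candidate SHA256(pw), hash it once more
    and compare with the cached value in constant time.
    """
    if len(scramble) != hashlib.sha256().digest_size:
        return False  # malformed response, reject before doing any XOR
    candidate_stage1 = xor(scramble, sha256(cached_stage2 + nonce))
    return hmac.compare_digest(sha256(candidate_stage1), cached_stage2)


def demo() -> dict:
    password = b"constructed-example-password"  # constructed sample value
    nonce = os.urandom(20)                       # assumed 20-byte server nonce
    cached = sha256(sha256(password))            # what the server caches
    good = client_scramble(password, nonce)
    return {
        "accepts_correct": server_verify(cached, nonce, good),
        "rejects_wrong_pw": server_verify(
            cached, nonce, client_scramble(b"wrong", nonce)),
        # A captured scramble is bound to its nonce and fails under a new one.
        "rejects_replay": server_verify(cached, os.urandom(20), good),
        "rejects_truncated": server_verify(cached, nonce, good[:16]),
    }


if __name__ == "__main__":
    print(demo())
```

The only primitive involved is plain SHA-256 over byte strings, which is the "hashing untyped byte sequences" use case asked about in the thread.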