#1698 libdhash: hash table subject algorithmic complexity attacks
Closed: wontfix by atikhonov. Opened by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=882334 (Red Hat Enterprise Linux 6)

The internal hash function for strings uses this construct:
        for (h = 0, k = (unsigned char *) key->str; *k; k++)
            h = h * PRIME_1 ^ (*k - ' ');   /* i.e. (h * PRIME_1) ^ (*k - ' '): fixed, unkeyed */
It might be a good idea to switch to a keyed hash function (like Bob Jenkins'
lookup3 function).
I don't know if libdhash is used in ways that expose this and allow attackers
to mount algorithmic complexity denial-of-service attacks (a few thousand
entries with attacker-controlled keys would be needed), or if client code
depends on the predictable iteration order.
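As an added illustration (my own code, not libdhash's or SSSD's), the unkeyed construct quoted above next to a SipHash-2-4 implementation serving as the keyed replacement the report suggests; `PRIME_1 = 37`, the `le64` helper and the `keyed_hash` wrapper are assumptions, not part of the library.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PRIME_1 37   /* assumed value; libdhash's real constant is not on the page */
/* The unkeyed construct quoted in the ticket: with no secret, anyone who knows
 * the algorithm can precompute many keys that land in the same bucket. */
unsigned long unkeyed_hash(const char *str)
{
    unsigned long h; const unsigned char *k;
    for (h = 0, k = (const unsigned char *)str; *k; k++)
        h = h * PRIME_1 ^ (*k - ' ');   /* parses as (h * PRIME_1) ^ (*k - ' ') */
    return h;
}
static uint64_t le64(const uint8_t *p)   /* 8 little-endian bytes -> u64 */
{
    uint64_t r = 0;
    for (int i = 0; i < 8; i++) r |= (uint64_t)p[i] << (8 * i);
    return r;
}
#define ROTL(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do {                                              \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32);       \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2;                          \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0;                          \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32);       \
} while (0)
/* SipHash-2-4 with 64-bit output, following the reference description. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *m, size_t len)
{
    uint64_t k0 = le64(key), k1 = le64(key + 8);
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    uint64_t b = (uint64_t)len << 56;   /* last block carries the length byte */
    size_t i;
    for (i = 0; i + 8 <= len; i += 8) {
        uint64_t mi = le64(m + i);
        v3 ^= mi; SIPROUND; SIPROUND; v0 ^= mi;
    }
    for (; i < len; i++)                /* 0..7 trailing bytes, little-endian */
        b |= (uint64_t)m[i] << (8 * (i % 8));
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}
/* Keyed replacement: a per-process random key makes bucket placement and iteration order unpredictable to a remote party. */
uint64_t keyed_hash(const uint8_t key[16], const char *str)
{
    return siphash24(key, (const uint8_t *)str, strlen(str));
}
```

The key must be drawn from a CSPRNG at table creation; the reference SipHash test vectors (key 00..0f, messages of 0 and 15 bytes) check the implementation.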

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
testsupdated: => 0

Fields changed

selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Just FYI, the current recommended hash function is SipHash, so we will need to implement it before we can address this libdhash issue if we determine we need any change at all.

Fields changed

changelog: =>
milestone: SSSD 1.13 beta => Tools Deferred
review: => 0

Metadata Update from @jhrozek:
- Issue set to the milestone: Tools Deferred

AFAIK, this is not an issue for SSSD.

If there are other users of this lib in the wild who would need this improvement and would like to contribute code - please feel free to reopen this ticket and... patches are welcome.

Metadata Update from @atikhonov:
- Custom field component adjusted to None (was: SSSD)
- Custom field design_review reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field selected adjusted to None (was: Not need)
- Custom field testsupdated reset (from 0)
- Custom field type adjusted to None (was: defect)
- Custom field version adjusted to None
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)