Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 25 Jul 2015 20:57:28 +0200
From: Solar Designer <>
Subject: auditing our use of FMT_* flags (was: more robustness)


On Sun, Jul 12, 2015 at 05:18:03PM +0300, Solar Designer wrote:
> Unrelated, here's a task for you for next week: identify improperly set
> or missing FMT_* flags.  For example, a format supporting 8-bit chars in
> passwords (unlike descrypt, which drops the 8th bit, by its definition),
> but forgetting to set FMT_8_BIT.  Or vice versa.  Ditto about FMT_CASE,
> FMT_OMP, etc.  One of the trickier flags is FMT_SPLIT_UNIFIES_CASE, and
> even trickier is split() actually needing to do this in some cases.
> Maybe magnum will help you figure these out.  (My availability will
> likely be too limited, unfortunately.)
> Maybe you can even write a script that would spot some of the likely
> improper flag (non-)uses.  e.g. a _fmt*.c file mentions OpenMP stuff,
> but never mentions FMT_OMP, or vice versa.  Some of this could be easier
> detected at runtime - e.g., "\x20" and "\xa0" hashing differently, but a
> format lacks FMT_8_BIT, or vice versa.  Your builtin fuzzer or extended
> self-test could detect that.

What's the status on this sub-project?

I expected you'd find lots of bugs of this sort.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.