Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 07 Aug 2015 01:03:23 +0200
From: magnum <>
Subject: Re: auditing our use of FMT_* flags

On 2015-08-07 00:16, Solar Designer wrote:
> On Thu, Aug 06, 2015 at 11:32:46PM +0200, magnum wrote:
>> On 2015-08-06 20:09, Solar Designer wrote:
>>> On Tue, Aug 04, 2015 at 08:57:29AM +0800, Kai Zhao wrote:
>>>>      1.1 formats have not set FMT_8_BIT but there is at least one
>>>>            password which does not ignore the 8th bit
>>>>          bsdicrypt, has-160, pomelo, pufferfish, Stribog-256, wpapsk
>>> I've just fixed bsdicrypt's code.  The rest should have the flag set.
>>> Kai, you may commit that change.
>> I'm not sure we want it for WPAPSK. While it technically handles 8-bit
>> just fine, a WPAPSK passphrase is 8 to 63 printable ASCII characters
>> according to the spec.
>> IEEE Std. 802.11i-2004, Annex H.4.1: Each character in the pass-phrase
>> must have an encoding in the range of 32 to 126 (decimal), inclusive.
> Oh, OK.  Makes sense.
>> I suspect there's one or two implementations that missed this and do
>> allow 8-bit but for normal use, I think we should not set FMT_8_BIT
>> (because it does/should affect what incremental mode is picked by
>> default in Jumbo).
> I suspect that technically most implementations (not "one or two") allow
> 8-bit input.  But perhaps this is not commonly actually used, since WPA
> passphrases are typically to be input by many people on many devices.

I initially thought so too but I have yet to find a router that allows 
setting an 8-bit password - or even a smartphone that allows using one.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.