Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bdaaf748f53d5720f85c287fb432e1e6@smtp.hushmail.com>
Date: Fri, 14 Aug 2015 15:01:38 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: auditing our use of FMT_* flags

On 2015-08-14 14:51, Solar Designer wrote:
> On Fri, Aug 14, 2015 at 10:55:06AM +0800, Kai Zhao wrote:
>> Before strncmp(), we also should check the length of string returned
>> by get_key() should not smaller than plaintext_min_length.
>>
>> So the length should between plaintext_min_length and plaintext_length,
>> including.
>
> Oh, plaintext_min_length is a jumbo addition that I wasn't even aware
> of.  I guess it was added for WPA PSK.

That (and some SRP IIRC?) was what initiated it. I think we also have 
some format(s) that can't use length 0.

> I think the check you suggest would be fine, but not of much use.  For
> those formats, all test vectors are probably of at least the minimum
> length, so a shorter get_key() string would be detected through it being
> different from what was provided.  And if there's a shorter test vector,
> violating plaintext_min_length, then your check would detect it as an
> error... but do we want that?  magnum?

I think we do. I'm pretty sure it wont trigger with current code anyway.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.