Date: Fri, 14 Aug 2015 22:12:06 +0800 From: Kai Zhao <loverszhao@...il.com> To: john-dev@...ts.openwall.com Subject: Re: auditing our use of FMT_* flags On Fri, Aug 14, 2015 at 9:01 PM, magnum <john.magnum@...hmail.com> wrote: > On 2015-08-14 14:51, Solar Designer wrote: >> >> On Fri, Aug 14, 2015 at 10:55:06AM +0800, Kai Zhao wrote: >>> >>> Before strncmp(), we also should check the length of string returned >>> by get_key() should not smaller than plaintext_min_length. >>> >>> So the length should between plaintext_min_length and plaintext_length, >>> including. >> >> >> Oh, plaintext_min_length is a jumbo addition that I wasn't even aware >> of. I guess it was added for WPA PSK. > > > That (and some SRP IIRC?) was what initiated it. I think we also have some > format(s) that can't use length 0. > >> I think the check you suggest would be fine, but not of much use. For >> those formats, all test vectors are probably of at least the minimum >> length, so a shorter get_key() string would be detected through it being >> different from what was provided. And if there's a shorter test vector, >> violating plaintext_min_length, then your check would detect it as an >> error... but do we want that? magnum? > > > I think we do. I'm pretty sure it wont trigger with current code anyway. > So I think I can check the plaintext_min_length and plaintext_length before compare the plaintext and get_key(). Thanks, Kai
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.