Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Apr 2013 13:30:20 +0200
From: Szabolcs Nagy <>
Subject: Re: High-priority library replacements?

* Gregor Pintar <> [2013-04-30 11:58:26 +0200]:
> 2013/4/30, Szabolcs Nagy <>:
> > * Gregor Pintar <> [2013-04-30 08:32:26 +0200]:
> >> My idea was that program would be correct, if it inputs too much data
> >> to hash function. It is very cheap to implement in most algorithms
> >> (detect counter overflow). Otherwise program has to count it himself.
> >
> > i dont think the program has to count
> >
> > eg in case of sha1 if you know that the throughput is less than
> > 10gbps then it takes more than 50years to overflow
> >
> Blowfish can encrypt max 128GB.

i see, i didn't know this

i wonder how often do ppl check the return value
(eg you don't seem to do it in your tests)

> > in theory there might be use-cases where the overflow could occure
> > in which case reporting error makes sense, but it seems to me that
> > can be avoided by the proper choice of algorithm or reasonable
> > application design
> >
> Choice of algorithm is not mine.

i meant that if a tool is used for something that it was not
designed for then that's a user error not a tool error

the lib looks fine otherwise, but the hard parts are missing for tls
(rsa,dsa,ecdsa require a bignum library, tls requires a parser for a
lot of complex formats)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.