lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 06 Apr 2014 07:09:28 -0700
From: Jeremi Gosney <epixoip@...dshell.nl>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] pufferfish

On 4/6/2014 7:03 AM, Bill Cox wrote:
> Pufferfish has a minor bug in api.c.  I'm not 100% I got the fix
> right, but I am 100% sure this is a bug.  On line 135, memmove is
> calling strlen(hash) to determine how much data to copy.  It seems
> like it should use strlen instead, assuming Pufferfish supports
> variable out length.  Here's the diff after I made this change:
>
> diff --git a/Pufferfish/src/common/api.c b/Pufferfish/src/common/api.c
> index 288937d..58daf4b 100644
> --- a/Pufferfish/src/common/api.c
> +++ b/Pufferfish/src/common/api.c
> @@ -132,7 +132,7 @@ int PHS (void *out, size_t outlen, const void *in,
> size_t inlen, const void *sal
>                  return 1;
>          }
>
> -        memmove (out, hash, strlen (hash));
> +        memmove (out, hash, outlen);
>          free (settings);
>          free (hash);
>
> Bill


No, this is incorrect. The `hash' variable in this context is not the
raw hash value, it is the encoded hash plus the hash identifier and
encoded salt string.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ