lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 2 Sep 2014 16:50:36 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] A review per day - Schvrch

On Tue, Sep 2, 2014 at 3:39 PM, Thomas Pornin <pornin@...et.org> wrote:

> In the case of PHS(), it is defined as returning a status code (an
> "int"), so it has a way to report an error condition after all.

yeah, i forgot about that interface. if the definition contains a
result code, and there is no other source explaining it in detail, one
should assume that no exceptions or other error conditions can happen,
and all situations must either give back a correct result or report
the error via the result code.

personally, i thought nobody will ever call the PHS. i thought it is
just a documentation on what to actually call.

>     memcost = (m_cost + 1) * statelen;

i would argue that this is a minor bug. one should not derive input
ranges from such lines, they should come from a documentation, or must
be assumed to be equal to the range of the type. i'll definitely check
my submission again if it complies.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ