lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 30 Sep 2015 07:28:23 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Specification of a modular crypt format (2)

On Wed, Sep 30, 2015 at 04:18:28AM +0000, Peter Gutmann wrote:
> Solar Designer <solar@...nwall.com> writes:
> 
> >That's true, and your code works, but I gave strtoul() a try anyway.
> 
> It has the same problem as atol(), it uses in-band signalling for errors
> (which means, at least for my purposes, that I consider it unusable).

It also has out-of-band if you don't mind resetting errno to zero before
calling strtoul(), like POSIX explicitly recommends:

http://pubs.opengroup.org/onlinepubs/009695399/functions/strtoul.html

"Since 0, {ULONG_MAX}, and {ULLONG_MAX} are returned on error and are
also valid returns on success, an application wishing to check for error
situations should set errno to 0, then call strtoul() or strtoull(),
then check errno."

The code I posted does just that.

> Thomas' version (and mine) don't.

Sure.  My wrapper function around strtoul() doesn't, either.  It has
the side-effect of clobbering errno even when there's no error, though;
but I could save and restore errno to avoid that if we care.

Anyway, it was just an experiment to see how bad strtoul() is, and the
answer is: pretty bad, yet repairable with a wrapper.  This experiment
also happened to test Thomas' code.

Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ