Open Source and information security mailing list archives
Date: Tue, 19 Feb 2013 02:54:27 +0400
From: Solar Designer <>
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Mon, Feb 18, 2013 at 05:12:25PM -0500, Daniel Franke wrote:
> I would amend the recommendation by explicitly calling for some test
> vectors containing embedded null bytes.

Note that some of the submissions will be intended for implementation
in scripting languages, whereas the C implementation of them will be to
fit the PHC terms (allow for uniform testing of all submissions, etc.),
as well as to ensure correctness of the scripts (e.g., I made a C
implementation of phpass "portable" hashes for that very reason).

Yes, PHS() is defined to accept inlen, but in many scripting languages
and in many other APIs NULs may be problematic anyway.

Should PHS() support embedded NULs even when the password hashing
scheme's primary implementation - one intended for actual use - does not
support embedded NULs?  Well, perhaps it should...
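
An added example, not part of the original message: test vectors with embedded NUL bytes, run through a length-aware interface and through a wrapper that models a NUL-terminated string API. `toy_phs` is a stand-in (FNV-1a, not a password hash and not any PHC submission), and `toy_phs_cstr` and the vectors are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a length-aware PHS()-style core: FNV-1a over in[0..inlen).
   NOT a password hash; it only makes the input handling observable. */
static uint64_t toy_phs(const void *in, size_t inlen)
{
    const unsigned char *p = in;
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < inlen; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hypothetical wrapper modelling an API that takes NUL-terminated strings:
   every byte from the first NUL onward is silently dropped. */
static uint64_t toy_phs_cstr(const char *in)
{
    return toy_phs(in, strlen(in));
}

/* Constructed test vectors; three of them contain an embedded NUL. */
struct vec { const char *in; size_t inlen; };
static const struct vec vectors[] = {
    { "pass", 4 }, { "pass\0word", 9 }, { "pass\0WORD", 9 }, { "pass\0", 5 },
};
#define NVEC (sizeof(vectors) / sizeof(vectors[0]))

static uint64_t run(size_t i, int use_cstr)
{
    return use_cstr ? toy_phs_cstr(vectors[i].in)
                    : toy_phs(vectors[i].in, vectors[i].inlen);
}

/* Count pairs of distinct inputs that map to the same output. */
static int collisions(int use_cstr)
{
    int n = 0;
    for (size_t i = 0; i < NVEC; i++)
        for (size_t j = i + 1; j < NVEC; j++)
            n += (run(i, use_cstr) == run(j, use_cstr));
    return n;
}

int main(void)
{
    printf("length-aware: %d colliding pairs\n", collisions(0));
    printf("NUL-terminated: %d colliding pairs\n", collisions(1));
    return 0;
}
```

Vectors like these only detect truncation when each one is checked against a distinct expected output; a single NUL-containing vector with no sibling sharing its prefix would pass in both interfaces.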

