| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150414134451.GA2760@openwall.com>
Date: Tue, 14 Apr 2015 16:44:51 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Bug in yescrypt pwxform specification pseudocode
Hi Ken,
On Tue, Apr 14, 2015 at 03:09:01AM -0400, Ken T Takusagawa wrote:
> The loop indices in pwxform run from 0 to "X"-1 in the
> reference implementation
> yescrypt-v1/yescrypt/yescrypt-0.7.1/yescrypt-ref.c :
>
> for (i = 0; i < PWXrounds; i++) {
> for (j = 0; j < PWXgather; j++) {
> for (k = 0; k < PWXsimple; k++) {
>
> But run from 0 to "X" in the specification document
> yescrypt-v1/yescrypt/yescrypt-phc.rst :
>
> 1: for :latex:`$ i = 0 $` to :latex:`$ PWXrounds $` do
> 2: for :latex:`$ j = 0 $` to :latex:`$ PWXgather $` do
> 5: for :latex:`$ k = 0 $` to :latex:`$ PWXsimple $` do
>
> (Other "for" loops in the specification document explicitly
> specify "X"-1.)
You're correct. Thank you!
As to fixing this, maybe the rounds loop should go from 1 to PWXrounds
in the spec, whereas implementations may also make it from 0 to
PWXrounds-1 (or even use a "do ... while (--count)" loop, or an unrolled
loop). For the gather and simple loops, they should in fact be
zero-based, as the spec uses zero-based indices here and elsewhere, so
the upper bounds in the loops in the specs need to be "X"-1 as you say.
I'll plan to include a fix for this in the next update of the spec.
The code is correct as-is, so there won't be a change to that (nor to
the test vectors, obviously).
Alexander
Powered by blists - more mailing lists