Message-ID: <20150821183803.GA4646@openwall.com>
Date: Fri, 21 Aug 2015 21:38:03 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: The cmp_all() of cq

Kai,

On Sat, Aug 22, 2015 at 12:26:42AM +0800, Kai Zhao wrote:
> On Sat, Aug 22, 2015 at 12:23 AM, JimF <jfoug@....net> wrote:
> > On Fri, 21 Aug 2015 11:14:57 -0500, Kai Zhao <loverszhao@...il.com> wrote:
> >
> >> The cmp_all() of cq seems to never return 0. Is this right?
> >>
> >> static int cmp_all(void *binary, int count)
> >> {
> >>         int i = 0;
> >>
> >> #if defined(_OPENMP) || MAX_KEYS_PER_CRYPT > 1
> >>         for (i = 0; i < count; ++i)
> >> #endif
> >>         {
> >>                 if ((*(unsigned int*)binary) == *(unsigned int*)crypt_key[i])
> >>                         return 1;
> >>         }
> >>
> >>         return count;
> >> }
> >
> >
> > That looks like a bug to me. self-test does not catch this?!
>
> The original --test did not catch this. The new --test-full option
> catches this.

The above is a real bug (thank you for finding it!), but:

Are you getting many false positives when trying to catch potential
issues like this?

cmp_all() doesn't necessarily imply that any passwords were cracked.
It only says that some _might_ have been cracked. So a non-zero return
when you didn't pass any correct passwords doesn't always indicate that
there's a bug.

Alexander
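
Added example, not part of the original message and not John the Ripper's own code: the quoted fall-through `return count` beside a version that returns 0, plus a case where a non-zero cmp_all() result is correct even though no hash fully matches. The sizes, sample hashes, probes and the helpers cmp_first_word() and cmp_full() are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 4     /* assumed batch size, stands in for MAX_KEYS_PER_CRYPT */
#define BINARY_SIZE 8  /* assumed hash length in bytes */

/* Constructed sample hashes; in a real format these come from the hash computation. */
static const unsigned char crypt_key[MAX_KEYS][BINARY_SIZE] = {
    {0x11, 0x11, 0x11, 0x11, 0xa0, 0xa1, 0xa2, 0xa3},
    {0x22, 0x22, 0x22, 0x22, 0xb0, 0xb1, 0xb2, 0xb3},
    {0x33, 0x33, 0x33, 0x33, 0xc0, 0xc1, 0xc2, 0xc3},
    {0x44, 0x44, 0x44, 0x44, 0xd0, 0xd1, 0xd2, 0xd3},
};

/* Hypothetical shared helper: compare only the first 32 bits; `miss` is the no-match result. */
static int cmp_first_word(const void *binary, int count, int miss)
{
    uint32_t want, got;
    memcpy(&want, binary, sizeof(want)); /* memcpy avoids the unaligned cast */
    for (int i = 0; i < count; ++i) {
        memcpy(&got, crypt_key[i], sizeof(got));
        if (want == got)
            return 1;
    }
    return miss;
}

/* Behaviour of the quoted code: a miss falls through to `return count`. */
static int cmp_all_buggy(const void *binary, int count) { return cmp_first_word(binary, count, count); }

/* Corrected: 0 means no candidate in this batch can match. */
static int cmp_all_fixed(const void *binary, int count) { return cmp_first_word(binary, count, 0); }

/* Hypothetical full-length check of one candidate, run only after a cmp_all() hit. */
static int cmp_full(const void *binary, int index) { return !memcmp(binary, crypt_key[index], BINARY_SIZE); }

/* Constructed probes: one shares no prefix with any hash, one shares only 32 bits with entry 1. */
static const unsigned char no_match[BINARY_SIZE] = {0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee};
static const unsigned char partial[BINARY_SIZE]  = {0x22, 0x22, 0x22, 0x22, 0xff, 0xff, 0xff, 0xff};

int main(void)
{
    printf("no_match: buggy=%d fixed=%d\n", cmp_all_buggy(no_match, MAX_KEYS), cmp_all_fixed(no_match, MAX_KEYS));
    printf("partial:  fixed=%d full=%d\n", cmp_all_fixed(partial, MAX_KEYS), cmp_full(partial, 1));
    return 0;
}
```

A self-test that flags every non-zero cmp_all() result on a wrong password would report the `partial` case as a bug, although the partial compare is behaving as designed; the defect in the quoted code shows only in the `no_match` case.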