Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Sep 2015 16:00:03 -0500
From: JimF <>
Subject: Re: auditing our use of FMT_* flags

On 9/10/2015 3:47 PM, Solar Designer wrote:
> On Thu, Sep 10, 2015 at 01:18:50PM -0500, JimF wrote:
>> I have created a new method of test, within format, and many hashes are
>> now showing this bug.  I have just
>> tested with one of them and it absolutely is buggy, so I be the rest are
>> also.
> [...]
>> Here is the list. I was quite surprised it was this large.
> Now this matches my expectations. ;-)
> Why isn't AFS on the list, though?  Is it because I've just patched it?
> Or is it because your test failed to detect it as buggy?  (Kai's did.)
My test did not catch it, because my test does not give a crap about the 
flag.  Everything in taht format 'was' correct, except the flag was 
missing.  My method actually 'tests' the bug.

What I do is do proper prepare() valid() split().  Then I get results of 
binary().  I convert those to hex. I then SEARCH for this hex string 
within the working hash (the return from split). I check both lower and 
upper hex. If and ONLY if I find it, I smash the case of JUST that part 
of the hash.  I then call split.  If split 'fixes' the hash back, I call 
it 'good'.  But if hash does not fix it, BUT valid returns false, then I 
also say things are working.  If both of those checks fail, then I fail 
the entire format with a message about needing either a casing split() 
or a failure from valid().

I have added the same logic for the return of salt().  This is done only 
after binary (so all of the formats flushed out by binary are not being 
double checked, there is no need).  The only new hash was a net-ntlm  
and it has been added to the issue list.

So for AFS, my code was happy.  But my code is not the only code The 
code checking that if caseing is happening, that the bit is set or if 
the bit is set that casing must be happening, must also be run.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.