[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Imminent bugfix release (1.97.1)
|
From: |
address@hidden |
|
Subject: |
Re: Imminent bugfix release (1.97.1) |
|
Date: |
Tue, 10 Nov 2009 09:27:08 -0600 |
On Tue, Nov 10, 2009 at 8:25 AM, Duboucher Thomas <address@hidden> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Bean a écrit :
>> Hi,
>>
>> Oh, I just come up with a better way to do this:
>>
>> typedef char grub_password_t[1024];
>>
>> int
>> grub_auth_strcmp (const grub_password_t s1, const grub_password_t s2)
>> {
>> char r1 = 0;
>> char r2 = 0;
>> char *p;
>> int i, c;
>>
>> p = &r1;
>> c = 0;
>> for (i = 0; i < sizeof (grub_password_t); i++, s1++, s2++)
>> {
>> *p | = (*s1 ^ *s2);
>> if ((int) *s1 == c)
>> {
>> p = &r2;
>> c = 0x100;
>> }
>> }
>>
>> return (r1 != 0);
>> }
>>
>> The condition (int) *s1 == c would be true exactly once.
>>
>
> Well, it seems I lost something somewhere. I don't understand the need
> of doing it exactly sizeof (grub_password_t) times, except from having a
> perfectly symetric function. IMHO, stopping the comparison when the
> input buffer is done reading, or when the maximum size of a passphrase
> is reached does not leak any information to the attacker. So I would
> stick to
>
> typedef char grub_password_t[1024];
>
> int
> auth_strcmp (const grub_password_t input, grub_password_t key)
> {
> int retval, it;
>
> for (it = retval = 0; it < PASSPHRASE_MAXSIZE; it++, input++, key++)
After changing the parameter type, those postincrements won't do what
you expect.
> {
> retval |= (*input != *key);
>
> if (*input == '\0')
> break;
> }
>
> return !retval;
> }
>
> Also, take care that it requires to check how the function is
> optimized; sometimes you have surprises ... ;)
>
> Thomas.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkr5d90ACgkQBV7eXqefhqio+QCfba54+l45DiQNyI3IzfnwgvVe
> tbUAnRTPI+yYSZoVZLfM9fze7c7cvRQN
> =EjYS
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Grub-devel mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/grub-devel
>
- Re: Imminent bugfix release (1.97.1), (continued)
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Vladimir 'phcoder' Serbinenko, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Vladimir 'phcoder' Serbinenko, 2009/11/10
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/10
- Re: Imminent bugfix release (1.97.1),
address@hidden <=
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/10