an example of why unit tests help with security

Posted Jun 23, 2011 20:52 UTC (Thu) by solardiz (guest, #35993)
In reply to: an example of why unit tests help with security by zooko
Parent article: A hole in crypt_blowfish

You're right. But I have something to add:

There were unit tests. crypt_blowfish had "make check" and even "make check_threads" (for thread-safety testing) for years. It's just that its test vectors were limited to more typical passwords, without 8-bit characters in them. The only somewhat unusual test vectors were an empty string and a 72-character string (maximum supported by this hashing method). The rest were more typical for passwords. And no 8-bit chars in any of them.

Similarly, John the Ripper tested its bcrypt implementation each time it was run on hashes of this type. And it used the same limited set of test vectors.

Both have now been corrected to include 8-bit test vectors, and crypt_blowfish to do a quick self-test every time it's called to hash a password.

BTW, I think the same lack of 8-bit test vectors applies to SHA-crypt. Anyone want to fix that?



an example of why unit tests help with security

Posted Jun 24, 2011 8:17 UTC (Fri) by tialaramex (subscriber, #21167)

"I think the same lack of 8-bit test vectors applies to SHA-crypt"

That's the first thing I worried about when I saw this bug reported.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.