Input to the module is a series of pairs of NUL-terminated strings on standard input. The first of each pair is the plaintext pass phrase. The second of each pair is the stored, hashed pass phrase. The total size of each pair of strings must not exceed 4096 bytes.
Output from the module is a series of bytes on standard output, one for each complete pair of input strings. A zero byte indicates that the passwords match.
The module must output its comparison status byte immedately after reading the terminating NUL byte of the second of each pair of strings, before reading any more data. This is required to prevent deadlocking.
Since the data format effectively disallows data containing NUL bytes, the client and module must agree to encode binary data in some other format. Hexadecimal digits and base64 are good choices.