Date: Tue, 27 Sep 2011 17:29:11 -0500
From: jmk <jmk@...fus.net>
To: john-dev@...ts.openwall.com
Subject: Re: MSCHAPv2 Bug

On Tue, 2011-09-27 at 00:19 +0200, magnum wrote:
> On 2011-09-26 23:29, jmk wrote:
> > My MSCHAPv2 format appears to ignore entries in which the username is a
> > number (e.g., 1111). I'm not really sure why this is the case, but the
> > attached patch seems to correct the issue.
> 
> Lol, from a comment in pass_gen.pl it seems I wrote that down to 
> Digest::SHA and worked around it (by not using numeric usernames). In 
> hindsight that was a bad assumption - or let's say I trusted you :)

That'll teach you - never assume that I have a clue what I'm doing. ;)

> I see the problem. I believe the enclosed patch is more correct (and it 
> adds a self-test with username of 1111 too). You were scanning the 
> username for hex digits instead of line ending - I'm sure it must have 
> failed for "b0b" (there actually is a bOb with capital O in the tests, 
> which confused me a while) or "abe" too, for example.

This patch makes sense. Should I post this to the wiki for it to make
its way into the jumbo patch?

Thanks!
Joe
