Date: Sun, 30 Dec 2012 09:09:40 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Rejecting hashes in valid() due to memory allocation failures?

Making sure to only accept valid hashes is certainly a good thing.
But I wonder if changes like this one (just the most recent I found, I'm
sure there are more) are OK:

src/pbkdf2-hmac-sha512_fmt_plug.c

+  if (!(ctcopy = strdup(ciphertext)))
+    return 0;
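Review bot: returning 0 when strdup() fails makes an allocation failure indistinguishable from a malformed hash, so the caller silently counts a possibly valid line as rejected. Suggest signalling the resource problem separately, either by printing a diagnostic before returning or by using a distinct (e.g. negative) return value that the caller can act on.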

In such a case, the hash could be valid, but it gets treated as if it
were invalid.

How unlikely is it that a memory allocation failure occurs when trying
to crack a huge number of passwords?
(This could also be caused by strict ulimit settings.)
IMHO, in such a case we shouldn't silently drop valid hashes as if they
were invalid, but instead at least print some kind of error message.
(Maybe even change the interface and allow a negative return value in
valid(), to signal that there is a more general problem, so that we
don't get thousands of error messages for memory allocation failures...)

Frank
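One way to carry the distinction proposed above through to the loader, as an added example that is not John the Ripper's code: valid_hash() returns -1 when strdup() fails instead of 0, and load_hashes() stops with a single diagnostic rather than treating every remaining line as invalid. The $ex$ tag, the swappable hash_strdup hook and the sample hashes are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup() */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PREFIX "$ex$" /* hypothetical hash tag, not a real JtR format */

/* Swappable strdup() so a test can inject ENOMEM without exhausting memory. */
char *failing_strdup(const char *s) { (void)s; errno = ENOMEM; return NULL; }
char *(*hash_strdup)(const char *) = strdup;

/* 1 = well-formed, 0 = not a hash of this format, -1 = could not check
 * (strdup() failed). The -1 lets the caller tell "invalid" from "no memory". */
int valid_hash(const char *ciphertext)
{
    char *ctcopy, *p;
    int ok;
    if (!(ctcopy = hash_strdup(ciphertext)))
        return -1;              /* resource error, not a verdict on the hash */
    ok = strncmp(ctcopy, PREFIX, strlen(PREFIX)) == 0;
    p = ctcopy + strlen(PREFIX);
    if (ok && *p == '\0')
        ok = 0;                 /* tag with no digest */
    for (; ok && *p; p++)
        if (!isxdigit((unsigned char)*p))
            ok = 0;             /* digest must be hex */
    free(ctcopy);
    return ok;
}

/* Constructed sample input: two valid, one malformed, one of another format. */
const char *sample_hashes[] = { "$ex$c0ffee", "$ex$zz", "$ex$00ff", "$1$abc" };

/* Returns the number of accepted hashes and counts invalid ones in *rejected.
 * The first allocation failure aborts with one diagnostic, not one per line. */
int load_hashes(const char **lines, int n, int *rejected)
{
    int i, loaded = 0;
    *rejected = 0;
    for (i = 0; i < n; i++) {
        int r = valid_hash(lines[i]);
        if (r < 0) {
            fprintf(stderr, "line %d: cannot validate: %s\n", i + 1, strerror(errno));
            return -1;
        }
        if (r) loaded++; else (*rejected)++;
    }
    return loaded;
}
```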
