Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 21 Apr 2013 23:18:23 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-dev@...ts.openwall.com
Subject: Re: Supporting deprecated format syntax

On 2013-04-17 13:09, magnum wrote:
> Have a look at postgres. It supports a deprecated syntax in input files and pot entries, but will always write new pot entries in the new syntax. This is accomplished with prepare() - all other functions work with the new syntax. Another way to accomplish the same thing is to do the conversion in split() but then we need to have valid() support both syntaxes. The prepare() method gives better separation and is easier to review.
>
> In fact, I'd like you to hard-test this format. Can it break? Does it really do what I just said?

I cannot break it but it isn't very robust:
- valid() parses a ciphertext from the ending while get_salt() does it 
from the beginning -- this is generally risky;
- valid() doesn't check that a username is not empty;
- get_salt() doesn't handle usernames which contain asterisks (or 
valid() doesn't check that a username doesn't contain asterisks);
- valid() doesn't check for garbage after the hash.

For example,

$postgres$**00000000*00000000000000000000000000000000garbage

is accepted by john but a username would be taken from the salt field 
and a salt -- from the hash field.

BTW maximum user name length (64) in john doesn't includes trailing NULL 
but it doesn't in postgresql. One byte could be saved but it's 
harmless:-) TODO: check how it plays with unicode...

Another problem is that prepare() doesn't account for hex encoding for 
salt so

$postgres$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*00000000*00000000000000000000000000000000

is loaded fine but

$postgre$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*00000000*00000000000000000000000000000000

doesn't.

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ