Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 21 Apr 2013 23:18:23 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-dev@...ts.openwall.com
Subject: Re: Supporting deprecated format syntax

On 2013-04-17 13:09, magnum wrote:
> Have a look at postgres. It supports a deprecated syntax in input files and pot entries, but will always write new pot entries in the new syntax. This is accomplished with prepare() - all other functions work with the new syntax. Another way to accomplish the same thing is to do the conversion in split() but then we need to have valid() support both syntaxes. The prepare() method gives better separation and is easier to review.
>
> In fact, I'd like you to hard-test this format. Can it break? Does it really do what I just said?

I cannot break it but it isn't very robust:
- valid() parses a ciphertext from the ending while get_salt() does it 
from the beginning -- this is generally risky;
- valid() doesn't check that a username is not empty;
- get_salt() doesn't handle usernames which contain asterisks (or 
valid() doesn't check that a username doesn't contain asterisks);
- valid() doesn't check for garbage after the hash.

For example,

$postgres$**00000000*00000000000000000000000000000000garbage

is accepted by john but a username would be taken from the salt field 
and a salt -- from the hash field.

BTW maximum user name length (64) in john doesn't includes trailing NULL 
but it doesn't in postgresql. One byte could be saved but it's 
harmless:-) TODO: check how it plays with unicode...

Another problem is that prepare() doesn't account for hex encoding for 
salt so

$postgres$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*00000000*00000000000000000000000000000000

is loaded fine but

$postgre$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*00000000*00000000000000000000000000000000

doesn't.

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.