Date: Thu, 1 May 2014 10:00:53 +0100
From: "Colm O'Flaherty" <colm.p.oflaherty@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Re: [Suspected Junk Mail] hmacSHA256_fmt.c in john-1.7.9-jumbo-7 - allow long salts

Hi Magnum,

Fair points.. I followed the guidance at
http://openwall.info/wiki/how-to-make-patches (linked from
http://openwall.info/wiki/)

Can I suggest that someone updates the recommended practice, as documented
on that page, so new people know the score?

I wasn't aware that 125 was the global max for the key, since it was being
used as a hardcoded value. That was also based on ignorance on my part. I
initially reduced it to about 30 before realising that one of the test
cases failed because it had a long key, so I upped it back to 110, which
solved the problem. Maybe the best fix is for the code to use a constant
in this case, so the developer will know that they should not mess with it,
and so any change will have global effect.

I've managed to avoid using Git to date (although I use it to find source code
disclosure in web apps). Time for me to move into the next millennium, by
the sounds of it.

Colm
On 1 May 2014 01:11, magnum <john.magnum@...hmail.com> wrote:

> On 2014-04-30 11:08, Colm O'Flaherty wrote:
>
>> Hi.
>>
>> This is my first post.
>>
>> I'm attaching a patch to allow longer salt values in hmacSHA256_fmt.c,
>> since the current Jumbo implementation does not allow most JWT tokens to be
>> cracked, due to length constraints.
>>
>
> Welcome! Your patch had numerous little problems but JimF made similar
> changes to the bleeding-jumbo tree so the functionality is committed now.
>
> Next time, please delete any irrelevant stuff so it doesn't get included
> in the patch. Do a "make clean" for a starter. And please review your patch
> before submitting it. Did you want us to add an "arch.h" and other stuff to
> the tree? Of course not.
>
> Also, please submit patches against the current development tree (and most
> preferably in the form of pull requests on GitHub). 1.7.9-jumbo-7 is
> ancient - literally hundreds of thousands of source lines have been added or
> changed since. A patch against that will often not apply to the current
> trees without manual resolving. But yes, 1.7.9-jumbo-7 *is* the latest
> released tree so maybe you just followed some old recommendation.
>
> A question specific to your patch: You decreased max. password length
> from 125 (the global max.) to 110. Why? Such lengths are pretty academic
> but even so, I despise limits unless there are significant performance
> benefits. Maybe there was?
>
> Thanks,
> magnum
>
>

