Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 6 Aug 2015 21:46:50 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: more robustness

Hi Alexander,

On Thu, Aug 6, 2015 at 9:29 PM, Solar Designer <solar@...nwall.com> wrote:
> On Mon, Aug 03, 2015 at 04:01:14PM +0800, Kai Zhao wrote:
>> On Sun, Jul 5, 2015 at 12:34 AM, Solar Designer <solar@...nwall.com> wrote:
>> > So when max_keys_per_crypt is higher than 1, and it usually is, the
>> > current self-test would only test one key at a time anyway.  This means
>> > that computation for other key indices is left untested.  This is
>> > mitigated by testing multiple key indices like that:
>> >
>> > /* 0 1 2 3 4 6 9 13 19 28 42 63 94 141 211 316 474 711 1066 ... */
>> >                 if (index >= 2 && max > ntests)
>> >                         index += index >> 1;
>> >                 else
>> >                         index++;
>> >
>> > but as you can see this does not result in an exhaustive set of indices,
>> > and it is very wasteful (e.g., 712 passwords are hashed, most of them
>> > uninitialized, to test only one index 711).
>>
>> I may find a bug as you described. It cracks when there is only 1 password,
>> but it fails when there is more then 1 passwords.
>>
>> Below is the detailed description.
>>
>> 1. Format = Oracle12C
>
> Thank you, Kai!
>
> Per commits, I think this has already been fixed, correct?

I think it has not. I was not sure whether this is a bug. I will open
a issue soon.

>
> In general, when something had been brought to john-dev, please post a
> followup in here when the issue is fixed (or just to announce that a
> GitHub issue has been created and discussion is proceeding there).  As
> it was, your john-dev posting stood like an open issue with no followup.
>
> Alexander

OK. I will create an open issue when I post bugs to john-dev.

If you have time, please check these problems:

http://www.openwall.com/lists/john-dev/2015/08/04/1

If you have the latest john jumbo, you can reproduce the problems by:

$ ./john --test-full=0

or for some format

$ ./john --test-full=0 --format=bsdicrypt


Thanks,

Kai

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ