Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Sep 2015 12:19:43 -0500
From: JimF <jfoug@....net>
To: john-dev@...ts.openwall.com
Subject: Re: auditing our use of FMT_* flags


On 9/8/2015 10:42 AM, Kai Zhao wrote:
> Since JimF has add the flag for MediaWiki, PHPS and PHPS2, I think I 
> should add these formats to whitelist. Maybe also includes 
> dynamic=md5($p). Should I ? 
> https://github.com/magnumripper/JohnTheRipper/commit/cc5ae475bad53ca46b9c74a82848bc86c6b9c314

Ok, this certainly did show errors.  I had made changes to these 
formats, adding a 'smarter' split, so that it would allow a 'real' hash 
to store in the pot file, even though using a thin dynamic.

So, media wiki will now write  $B$salt$hash... into the .pot file, where 
before it was writing $dynamic_9$hash$salt-

That split was built do output in 2 possible ways, and then a prepare 
that would fix up to a single unified format.  However, this split 
function was NOT casing properly.  I have fixed this. I also added a 
proper dynamic hash to the array, and this turned up an issue which I 
have also fixed, in the case detect logic.  The older logic only tested 
the first element, and then made a yes or no based upon that. I have 
changed so that I test every element.  I will end up with a yes, a no, 
or a 'sometimes' end result, and will print errors listing all cases.

I will get these changes in shortly, and then move on the remaining 
failures.

Here is what was listed.  NOTE, a new format shows up as 'sometimes', 
and there likely are others, but they do not auto show up, because we do 
not have test strings in all layouts that the format's split() can 
handle.  I know I will have to make sure all of the thin formats have 
both types, since the splits were re-done like they were in media wiki. 
But there may be other hashes that handle both a canonical and a raw 
hash (or some other format), which only 'some' of the split() execution 
path's would properly case, but that have not enough test cases.

Jim.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ