Date: Tue, 15 Jun 2010 10:24:06 +0400 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com Subject: [openwall-announce] JtR 1.7.6 (and -jumbo-2); tcb 1.0.6; bitslice DES; articles Hi, This is to announce several items at once: 1. John the Ripper 1.7.6 is out: http://www.openwall.com/john/ The additions and changes since 1.7.5 are as follows: * Generic crypt(3) support (enabled with "--format=crypt") has been added for auditing password hash types supported by the system but not yet supported by John's own optimized cryptographic routines (such as "SHA-crypt" and SunMD5). * Optional parallelization of the above has been implemented by means of OpenMP along with glibc's crypt_r(3) or Solaris' MT-safe crypt(3C). * Optional parallelization of John's own optimized code for the OpenBSD-style Blowfish-based crypt(3) (bcrypt) hashes with OpenMP has been added. * A more suitable version of 32-bit x86 assembly code for Blowfish is now chosen on Core i7 and similar CPUs (when they happen to run a 32-bit build of John). * More optimal DES S-box expressions for PowerPC with AltiVec (making use of the conditional select operation) contributed by Dumplinger Boy (Dango-Chu) have been integrated. * The bitslice DES C source code has been reworked to allow for the use of arbitrary SIMD intrinsics, which was previously only implemented for AltiVec as a special case. * Support for SSE2 and MMX intrinsics with bitslice DES (as an alternative to the supplied assembly code) has been added (currently only enabled for SSE2 on x86-64 when compiling with GCC 4.4+). * Support for mixed-type longer virtual vectors (such as SSE2+MMX, SSE2+ALU, AltiVec+ALU, and other combinations) with bitslice DES has been added (not enabled by default yet, primarily intended for easy benchmarks on future CPUs, with future compiler versions, with even more SIMD instruction sets, and with different DES S-box expressions that might be available in the future). * The obsolete 32-bit SPARC assembly implementation of DES has been dropped. * The loader will now detect password hashes specified on a line on their own, not only as part of an /etc/passwd or PWDUMP format file. * When run in "--stdin" mode and reading candidate passwords from a terminal (to be typed by the user), John will no longer mess with the terminal settings. * John will now restore terminal settings not only on normal termination or interrupt, but also when forcibly interrupted with two Ctrl-C keypresses. And one last change that was supposed to be in 1.7.5, but it was not: * A new numeric variable has been added to the word mangling rules engine: "p" for position of the character last found with the "/" or "%" commands. I'd like to thank Dumplinger Boy (Dango-Chu) for the S-box expressions, and Erik Winkler for testing the AltiVec+ALU vectors (which didn't provide a speedup, unfortunately, at least not on a G5 with a specific version of GCC). So right now the default on PowerPC/AltiVec is to use Dango-Chu's S-boxes as-is (although the source code has been reworked), which obviously does provide a speedup over the previous version. The weird vector types (on x86, x86-64, and PowerPC) may now be easily enabled by editing the #if's in the corresponding .h files. Please experiment with this and post your results to the john-users mailing list. I am especially interested in SSE2+MMX and SSE2+ALU benchmarks on AMD processors when building with GCC 4.5 since my testing was mostly limited to Intel CPUs. Also, I am interested in AltiVec+ALU and double AltiVec benchmarks (vs. single AltiVec) on IBM's POWER6 and newer CPUs. 2. The jumbo patch has been updated to John the Ripper 1.7.6, and additionally updated with fixes for previously-integrated contributions and with additional modules. The current revision is 1.7.6-jumbo-2: http://www.openwall.com/john/#contrib More detail on the changes: http://www.openwall.com/lists/john-users/2010/06/15/1 3. The tcb suite, implementing our alternative password shadowing scheme on Owl (and reused by a number of other systems), has been updated to version 1.0.6. The only change since version 1.0.5 is removal of a faulty check for sparse files. This change was needed for compatibility with modern filesystems such as btrfs. I'd like to thank Jim Darby for identifying and reporting the problem to us. http://www.openwall.com/tcb/ More detail on the change: http://www.openwall.com/tcb/ChangeLog Of course, Owl-current already includes tcb 1.0.6 and JtR 1.7.6. 4. We've setup a collection of papers, source code, etc. related to bitslice implementations of DES (focusing on the S-boxes): http://download.openwall.net/pub/projects/john/contrib/bitslice-des/ This was prompted by websites hosting important/unique content in this area going down and then back up (for now). With copies in our files archive, this content has propagated to multiple FTP/HTTP mirrors by now. More content is likely to be added. Submissions are welcome. 5. My article entitled "How to manage a PHP application's users and passwords", originally published on the Month of PHP Security website, has been republished on the Openwall website (with slightly different formatting): http://www.openwall.com/articles/PHP-Users-Passwords Also, it was declared the winning entry in the MOPS contest: http://php-security.org/2010/06/10/winners-of-the-month-of-php-security/ You could want to check out other articles published under the MOPS, including on static PHP source code analysis, fuzzing the PHP interpreter, the many ways in which PHP can happen to process user input, and more: http://php-security.org/category/articlesandtools/ At the same time, three old Openwall security advisories have been updated to focus on currently relevant aspects and turned into articles: http://www.openwall.com/articles/ That's all for now. :-) Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.