Date: Mon, 20 Jun 2011 03:20:26 +0400 From: Solar Designer <solar@...nwall.com> To: john-dev@...ts.openwall.com Subject: Re: Either my test script is b0rken or BF has an 8-bit bug magnum - On Mon, Jun 20, 2011 at 03:08:52AM +0400, Solar Designer wrote: > Now I am wondering how Authen::Passphrase avoided the bug (IIRC, it used > my code from crypt_blowfish), and why I am getting different hashes for > 8-bit chars produced by crypt() in Perl on Owl (which uses crypt_blowfish > in glibc on Owl). I'll need to investigate that. If crypt_blowfish has > the bug too, and it looks like it does, that's pretty bad, because it > means we have incorrect (incompatible with OpenBSD's) hashes in the wild > as well. Moreover, those might be weaker than expected, as sign > expansion in the OR operation may be overwriting key bits from other > characters (the exact impact needs to be analyzed). I am quite > embarrassed of that. I should have tested the 8-bit chars vs. OpenBSD > myself, years ago (when I released crypt_blowfish separately from JtR). I've just tried my Perl script on OpenBSD 4.6, invoking crypt(). It produced the same hash as I am getting on Owl. However, that hash is not cracked by John, neither with nor without the fix I posted. I'll investigate further. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.