Date: Wed, 28 Sep 2011 00:56:28 +0200
From: magnum <rawsmooth@...dband.net>
To: john-dev@...ts.openwall.com
Subject: Re: MSCHAPv2 Bug

On 2011-09-28 00:29, jmk wrote:
> On Tue, 2011-09-27 at 00:19 +0200, magnum wrote:
>> I see the problem. I believe the enclosed patch is more correct (and it
>> adds a self-test with username of 1111 too). You were scanning the
>> username for hex digits instead of line ending - I'm sure it must have
>> failed for "b0b" (there actually is a bOb with capital O in the tests,
>> which confused me a while) or "abe" too, for example.
>
> This patch makes sense. Should I post this to the wiki for it to make
> its way into the jumbo patch?

Actually I already did :)

I also had a quick check at your other formats (since I don't assume
things anymore, lol) but did not find any similar bug - however I
noticed you rejected usernames (used as salts) with 8-bit characters in
NETLMv2 and NETNTLMv2. That may have been barely appropriate at the time
you wrote it but I felt it had to be changed now, with encodings and
stuff. So I posted a patch for that too.

Thank you!
magnum