Date: Sun, 21 Apr 2013 23:18:23 +0400 From: Alexander Cherepanov <cherepan@...me.ru> To: john-dev@...ts.openwall.com Subject: Re: Supporting deprecated format syntax On 2013-04-17 13:09, magnum wrote: > Have a look at postgres. It supports a deprecated syntax in input files and pot entries, but will always write new pot entries in the new syntax. This is accomplished with prepare() - all other functions work with the new syntax. Another way to accomplish the same thing is to do the conversion in split() but then we need to have valid() support both syntaxes. The prepare() method gives better separation and is easier to review. > > In fact, I'd like you to hard-test this format. Can it break? Does it really do what I just said? I cannot break it but it isn't very robust: - valid() parses a ciphertext from the ending while get_salt() does it from the beginning -- this is generally risky; - valid() doesn't check that a username is not empty; - get_salt() doesn't handle usernames which contain asterisks (or valid() doesn't check that a username doesn't contain asterisks); - valid() doesn't check for garbage after the hash. For example, $postgres$**00000000*00000000000000000000000000000000garbage is accepted by john but a username would be taken from the salt field and a salt -- from the hash field. BTW maximum user name length (64) in john doesn't includes trailing NULL but it doesn't in postgresql. One byte could be saved but it's harmless:-) TODO: check how it plays with unicode... Another problem is that prepare() doesn't account for hex encoding for salt so $postgres$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*00000000*00000000000000000000000000000000 is loaded fine but $postgre$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*00000000*00000000000000000000000000000000 doesn't. -- Alexander Cherepanov
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.