Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 21 Apr 2013 23:18:23 +0400
From: Alexander Cherepanov <>
Subject: Re: Supporting deprecated format syntax

On 2013-04-17 13:09, magnum wrote:
> Have a look at postgres. It supports a deprecated syntax in input files and pot entries, but will always write new pot entries in the new syntax. This is accomplished with prepare() - all other functions work with the new syntax. Another way to accomplish the same thing is to do the conversion in split() but then we need to have valid() support both syntaxes. The prepare() method gives better separation and is easier to review.
> In fact, I'd like you to hard-test this format. Can it break? Does it really do what I just said?

I cannot break it but it isn't very robust:
- valid() parses a ciphertext from the ending while get_salt() does it 
from the beginning -- this is generally risky;
- valid() doesn't check that a username is not empty;
- get_salt() doesn't handle usernames which contain asterisks (or 
valid() doesn't check that a username doesn't contain asterisks);
- valid() doesn't check for garbage after the hash.

For example,


is accepted by john but a username would be taken from the salt field 
and a salt -- from the hash field.

BTW maximum user name length (64) in john doesn't includes trailing NULL 
but it doesn't in postgresql. One byte could be saved but it's 
harmless:-) TODO: check how it plays with unicode...

Another problem is that prepare() doesn't account for hex encoding for 
salt so


is loaded fine but



Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.