Date: Thu, 1 May 2014 10:00:53 +0100
From: "Colm O'Flaherty" <>
Subject: Re: Re: [Suspected Junk Mail] hmacSHA256_fmt.c in john-1.7.9-jumbo-7 - allow long salts

Hi Magnum,

Fair points.. I followed the guidance at (linked from

Can I suggest that someone updates the recommended practice, as documented
on that page, so new people know the score?

I wasn't aware that 125 was the global max for the key, since it was being
used as a hardcoded value. That was also based on ignorance on my part. I
initially reduced it to about 30 before realising that one of the test
cases failed because it had a long key, so I upped it back to 110, which
solved the problem.  Maybe the best fix is for the code to use a constant
in this case, so the developer will know that they should not mess with it,
and so any change will have global effect.

I've managed to avoid using Git to date (although I use it to find source code
disclosure in web apps).  Time for me to move into the next millennium, by
the sounds of it.


On 1 May 2014 01:11, magnum <> wrote:

> On 2014-04-30 11:08, Colm O'Flaherty wrote:
>> Hi.
>> This is my first post.
>> I'm attaching a patch to allow longer salt values in hmacSHA256_fmt.c,
>> since the current Jumbo implementation does not allow most JWT tokens to
>> be cracked, due to length constraints.
> Welcome! Your patch had numerous little problems but JimF made similar
> changes to the bleeding-jumbo tree so the functionality is committed now.
> Next time, please delete any irrelevant stuff so it doesn't get included
> in the patch. Do a "make clean" for a starter. And please review your patch
> before submitting it. Did you want us to add an "arch.h" and other stuff to
> the tree? Of course not.
> Also, please submit patches against current development tree (and most
> preferably in the form of pull requests on GitHub). 1.7.9-jumbo-7 is
> ancient - literally hundreds of thousands of source lines have been added or
> changed since. A patch against that will often not apply to the current
> trees without manual resolving. But yes, 1.7.9-jumbo-7 *is* the latest
> released tree so maybe you just followed some old recommendation.
> A question specific for your patch: You decreased max. password length
> from 125 (the global max.) to 110. Why? Such lengths are pretty academic
> but even so, I despise limits unless there are significant performance
> benefits. Maybe there was?
> Thanks,
> magnum

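The reason the salt length mattered for this patch is that in an HS256 JWT the HMAC message is the whole `header.payload` signing input, which for any realistic set of claims runs well past a hundred characters, while the key being guessed is short. The following Python script is an added illustration and is not code from this thread or from John the Ripper: it builds a constructed token under a weak key, rewrites it as a `salt#hexhmac` line (the line layout I assume John's hmac-sha256 format reads, with the signing input as the salt) and runs a toy wordlist against it. The secret, the claims and the wordlist are all made up for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS encodes its segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Compact HS256 JWS: signature = HMAC-SHA256(key, b64(header) + '.' + b64(payload))."""
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
             for obj in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def signing_input_and_mac(token: str):
    """Split a token into the HMAC message (the 'salt') and the raw MAC bytes."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return f"{header_b64}.{payload_b64}", b64url_decode(sig_b64)


def jwt_to_john_line(token: str) -> str:
    """Rewrite a token as `salt#hexhmac`.
    ASSUMPTION: this is the line layout John's hmac-sha256 format expects,
    with the signing input as the salt and the MAC as lowercase hex."""
    signing_input, mac = signing_input_and_mac(token)
    return f"{signing_input}#{mac.hex()}"


def crack_hs256(token: str, candidates):
    """Try each candidate key; the whole signing input is the HMAC message,
    so the 'salt' the cracker must carry is the long part, not the key."""
    signing_input, target = signing_input_and_mac(token)
    msg = signing_input.encode("ascii")
    for cand in candidates:
        mac = hmac.new(cand.encode("utf-8"), msg, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return cand
    return None


# Constructed sample: a token signed with a weak key, plus a toy wordlist.
SECRET = b"secret123"
SAMPLE_TOKEN = make_jwt_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "1234567890", "name": "John Doe", "iat": 1516239022,
     "roles": ["admin", "user"]},
    SECRET,
)
WORDLIST = ["password", "admin", "letmein", "secret123", "hunter2"]


if __name__ == "__main__":
    salt, _ = signing_input_and_mac(SAMPLE_TOKEN)
    print("salt (signing input) length:", len(salt))
    print(jwt_to_john_line(SAMPLE_TOKEN))
    print("recovered key:", crack_hs256(SAMPLE_TOKEN, WORDLIST))
```

Run it and note the salt length it prints: even this small claim set gives a signing input around 140 characters, which is why a format that caps the salt at a few dozen bytes rejects most real tokens while the key candidates themselves stay far below the 125-character global maximum discussed above.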