Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 01 May 2014 11:50:32 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: hmacSHA256_fmt.c in john-1.7.9-jumbo-7 - allow long
 salts

On 2014-05-01 11:00, Colm O'Flaherty wrote:
> Fair points.. I followed the guidance at
> http://openwall.info/wiki/how-to-make-patches (linked from
> http://openwall.info/wiki/)
>
> Can I suggest that someone updates the recommended practice, as documented
> on that page, so new people know the score?

I did that right after sending but that page still barely mentions that 
we use GitHub nowadays (for Jumbo, that is. Someone could want to send a 
patch for core John and that's another thing).

> I wasn't aware that 125 was the global max for the key, since it was being
> used as hardcoded value. That was also based on ignorance my my part. I
> initially reduced it to about 30 before realising that one of the test
> cases failed because it had a long key, so I upped it back to 110, which
> solved the problem.  Maybe the best fix is for the code to use a constant
> in this case, so the developer will know that they should not mess with it,
> and so any change will have global effect.

Yes, maybe we should add a macro in params.h. We do have 
PLAINTEXT_BUFFER_SIZE as 0x80 but that is gross size - it can be used in 
declarations but not in exact max tests. For some reason some other part 
of john pushes the usable part back a couple of bytes, to 125 instead of 
127.

> I've managed to avoid using Git to date (although I use it find source code
> disclosure in web apps).  Time for me to move into the next millennium, by
> the sounds of it.

It took me a while to get the hang of it but git is the best thing since 
sliced DES. If you're going to submit more stuff I recommend you create 
a GitHub account and fork the bleeding-jumbo branch of 
https://github.com/magnumripper/JohnTheRipper.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.