Date: Thu, 01 May 2014 11:50:32 +0200
From: magnum <>
Subject: Re: hmacSHA256_fmt.c in john-1.7.9-jumbo-7 - allow long

On 2014-05-01 11:00, Colm O'Flaherty wrote:
> Fair points.. I followed the guidance at
> (linked from
> Can I suggest that someone updates the recommended practice, as documented
> on that page, so new people know the score?

I did that right after sending but that page still barely mentions that 
we use GitHub nowadays (for Jumbo, that is. Someone could want to send a 
patch for core John and that's another thing).

> I wasn't aware that 125 was the global max for the key, since it was being
> used as a hardcoded value. That was also based on ignorance on my part. I
> initially reduced it to about 30 before realising that one of the test
> cases failed because it had a long key, so I upped it back to 110, which
> solved the problem.  Maybe the best fix is for the code to use a constant
> in this case, so the developer will know that they should not mess with it,
> and so any change will have global effect.

Yes, maybe we should add a macro in params.h. We do have 
PLAINTEXT_BUFFER_SIZE as 0x80 but that is gross size - it can be used in 
declarations but not in exact max tests. For some reason some other part 
of john pushes the usable part back a couple of bytes, to 125 instead of 

> I've managed to avoid using Git to date (although I use it to find source code
> disclosure in web apps).  Time for me to move into the next millennium, by
> the sounds of it.

It took me a while to get the hang of it but git is the best thing since 
sliced DES. If you're going to submit more stuff I recommend you create 
a GitHub account and fork the bleeding-jumbo branch of

