Date: Wed, 25 Mar 2015 12:25:42 +0300
From: Alexander Cherepanov <>
Subject: Re: Ideas for the robustness gsoc task

On 2015-03-25 09:56, Kai Zhao wrote:

Please turn off sending html parts in your emails if you can.

>> And I think it's better to specifically list parts of code to review for
> better prioritization.

The quoting in your email is slightly wrong: there are hard line breaks 
but no ">" on the continuation lines. It's not urgent, but please fix it 
after the submission deadline.

> For manual review, I think valid() functions should be first even we
> change the mechanism.

If we come up with a simple mechanism to express valid() and other 
similar functions, then we can switch to it, skipping review of the old 
implementation, and I hope we will not need to review the use of the new 
mechanism, or that reviewing it would be trivial. We can process formats 
gradually, one by one, starting with the worst, found e.g. by fuzzing.

And we surely must carefully review and test the new mechanism.

>> If we convert valid()/etc. functions to some simple-to-use mechanism, I
>> don't think it would be that hard to convert even hundreds of formats.
> For simple formats, I think we can use regex to check. But regex cannot
> check complex formats

If we can cover 90% of all formats in a simple way that would be great. 
Remaining formats could be done by hand (as it is done now).

> such as agilekeychain_fmt_plug.c.

I haven't looked into it deep enough, but right now this format looks a 
bit strange: there could be up to two keys in the hash, but only the 
first one is used; the second one is ignored. Either it should be 
split in john or in keychain2john. If you stumble upon some strange 
formats, please note them down to post as a list later, or post right away.

Anyway, the structure of hashes in agilekeychain_fmt_plug.c is not that 
complex. I hope to post a prototype of scanf-like functions for use in 
valid() and salt() soon.

Alexander Cherepanov
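A sketch of the table-driven, scanf-like valid() idea discussed above, added here as an example; it is not code from john or from this thread. The `$demo$` format, its field order and its length limits are constructed for illustration only. Every field must be present, within its length bounds and made of the right characters, and trailing junk is rejected, which is the robustness property a fuzzer would otherwise find missing.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One '$'-separated field of a ciphertext line: a fixed literal, a decimal
 * number, or a hex string; length limits are inclusive. */
enum field_kind { F_LIT, F_DEC, F_HEX };
struct field { enum field_kind kind; const char *lit; size_t min_len, max_len; };

/* Hypothetical (constructed) format used for the demonstration:
 *   $demo$<iterations, 1..6 digits>$<salt, 8..32 hex>$<ciphertext, 32..64 hex> */
static const struct field demo_spec[] = {
    { F_LIT, "demo", 0, 0 },
    { F_DEC, NULL, 1, 6 },
    { F_HEX, NULL, 8, 32 },
    { F_HEX, NULL, 32, 64 },
};

/* Generic valid(): walks the line against a field table.
 * Returns 1 if the line matches the spec exactly, 0 otherwise. */
int valid_by_spec(const char *ciphertext, const struct field *spec, size_t nfields)
{
    const char *p = ciphertext;
    size_t i, k;
    if (*p != '$') return 0;
    p++;
    for (i = 0; i < nfields; i++) {
        const char *end = strchr(p, '$');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int last = (i + 1 == nfields);
        if (!last && !end) return 0;   /* a field is missing */
        if (last && end) return 0;     /* trailing "$..." junk after the last field */
        if (spec[i].kind == F_LIT) {
            if (len != strlen(spec[i].lit) || memcmp(p, spec[i].lit, len)) return 0;
        } else {
            if (len < spec[i].min_len || len > spec[i].max_len) return 0;
            for (k = 0; k < len; k++) {
                int c = (unsigned char)p[k];
                if (spec[i].kind == F_DEC ? !isdigit(c) : !isxdigit(c)) return 0;
            }
        }
        if (end) p = end + 1;          /* move to the next field */
    }
    return 1;
}

/* The per-format valid() collapses to a one-line call with the format's table. */
int valid_demo(const char *ciphertext)
{
    return valid_by_spec(ciphertext, demo_spec, sizeof demo_spec / sizeof *demo_spec);
}
```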
