Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 25 Mar 2015 12:25:42 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Ideas for the robustness gsoc task

On 2015-03-25 09:56, Kai Zhao wrote:

Please turn off sending html parts in your emails if you can.

>> And I think it's better to specifically list parts of code to review for
> better prioritization.

The quoting in your email is slightly wrong: there are hard line breaks 
but no ">" on the continuation lines. It's not urgent but please fix it 
after submission deadline.

> For manual review, I think valid() functions should be first even we
> change the mechanism.

If we come up with a simple mechanism to express valid() and other 
similar functions then we can switch to it skipping review of the old 
implementation and I hope we will not need to review the use of the new 
mechanism or that reviewing it would be trivial. We can process formats 
gradually, one by one. Starting with the worst, found e.g. by fuzzing.

And we surely must carefully review and test the new mechanism.

>> If we convert valid()/etc. functions to some simple-to-use mechanism, I
>> don't think it would that hard to convert even hundreds of formats.
>
> For simple formats, I think we can use regex to check. But regex can
> not check complex formats

If we can cover 90% of all formats in a simple way that would be great. 
Remaining formats could be done by hand (as it is done now).

> such as agilekeychain_fmt_plug.c.

I haven't looked into it deep enough but right now this formats looks a 
bit strange: there could be upto to two keys in the hash but only the 
first one is used, the second one is ignored. Either it should be 
splitted in john or in keychain2john. If you stumble upon some strange 
formats please note them to post the list in the future or post right away.

Anyway, the structure of hashes in agilekeychain_fmt_plug.c is not that 
complex. I hope to post a prototype of scanf-like functions for use in 
valid() and salt() soon.

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.