Date: Tue, 28 Jul 2015 10:03:38 +0800
From: Kai Zhao <>
Subject: Re: auditing our use of FMT_* flags

Hi Frank,

On Tue, Jul 28, 2015 at 5:52 AM, Frank Dittrich <>
> On 07/27/2015 04:01 AM, Kai Zhao wrote:
> > I have written a script to check, and change john source code to check
> > FMT_SPLIT_UNIFIES_CASE. They are described at:
> >
> >
> >
> > I thought there were some problems but they were not.
> I don't know whether you considered this, but a format which sets
> FMT_SPLIT_UNIFIES_CASE may decide to convert everything into lower case,
> and another format may decide to convert everything into upper case.
> Both are fine.

Most formats which set FMT_SPLIT_UNIFIES_CASE may decide to
convert part into lower case or upper case.

For example: WoWSRP


After split()


It converts the middle part to upper.

> So I would use input with mixed upper and lower case letters, and then
> see whether the format converts into lower or upper or leaves the input
> unchanged (not considering formats where split produces more than one
> hash for a single input (like LM format)).

Yes. Your method is all right. But I think we can do it in

1. Change the ciphertext to upper case
2. If split() returns lower case
        If FMT_SPLIT_UNIFIES_CASE is set
             return OK;
        else
             return ERROR;

3. Change the ciphertext to lower case
4. If split() returns upper case
        If FMT_SPLIT_UNIFIES_CASE is set
             return OK;
        else
             return ERROR;

Finally, there are no formats that have obvious problems with the
FMT_SPLIT_UNIFIES_CASE flag. But there are 3 formats: MediaWiki,
PHPS, PHPS2 which do not contain the flag and their split does not change
case. But the 3 formats finally have the flag: FMT_SPLIT_UNIFIES_CASE.
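
Added example, not part of the original message and not John the Ripper code: the four-step check above, run against a simplified stand-in for a format. `struct toy_fmt`, `TOY_UNIFIES_CASE`, the two toy split() functions and the sample ciphertext are all constructed for illustration. It goes one step beyond the mail by also reporting `CHECK_REVIEW` when the flag is set but split() was never seen to change case.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define TOY_UNIFIES_CASE 0x1 /* stand-in for FMT_SPLIT_UNIFIES_CASE; value assumed */
#define BUF 128
enum verdict { CHECK_OK, CHECK_ERROR, CHECK_REVIEW };
/* Hypothetical, simplified format descriptor; not john's struct fmt_main. */
struct toy_fmt { unsigned flags; void (*split)(const char *in, char *out); };

/* mode 0: all lower, 1: all upper, 2: upper only in the field after the 2nd '$', 3: copy */
static void recase(const char *in, char *out, int mode)
{
    size_t i, dollars = 0;
    for (i = 0; in[i] && i < BUF - 1; i++) {
        int c = (unsigned char)in[i];
        dollars += (c == '$');
        if (mode == 1 || (mode == 2 && dollars == 2)) c = toupper(c);
        else if (mode == 0) c = tolower(c);
        out[i] = (char)c;
    }
    out[i] = '\0';
}
/* Toy split() functions: one upper-cases the middle field, one changes nothing. */
void split_mid_upper(const char *in, char *out) { recase(in, out, 2); }
void split_identity(const char *in, char *out) { recase(in, out, 3); }

/* Feed split() the all-upper or all-lower sample; report a case-only change. */
static int case_changed(const struct toy_fmt *f, const char *sample, int upper)
{
    char in[BUF], out[BUF], lin[BUF], lout[BUF];
    recase(sample, in, upper); f->split(in, out);
    recase(in, lin, 0); recase(out, lout, 0);
    return strcmp(in, out) != 0 && strcmp(lin, lout) == 0;
}

/* Steps 1-4 of the mail; CHECK_REVIEW (added here) = flag set, no change seen. */
enum verdict check_unifies_case(const struct toy_fmt *f, const char *sample)
{
    int changes = case_changed(f, sample, 1) || case_changed(f, sample, 0);
    int flagged = (f->flags & TOY_UNIFIES_CASE) != 0;
    if (changes) return flagged ? CHECK_OK : CHECK_ERROR;
    return flagged ? CHECK_REVIEW : CHECK_OK;
}
int main(void)
{
    struct toy_fmt f = { 0, split_mid_upper }; /* flag left unset on purpose */
    printf("verdict=%d\n", check_unifies_case(&f, "$toy$ab12Cd$Salt")); /* constructed sample */
    return 0;
}
```

Both the all-upper and the all-lower variant are needed: a split() that upper-cases one field leaves the all-upper input untouched and only shows its behaviour on the all-lower one.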


