Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Aug 2015 01:57:10 +0800
From: Kai Zhao <>
Subject: Re: auditing our use of FMT_* flags

Hi Alexander,

On Fri, Aug 7, 2015 at 1:01 AM, Solar Designer <> wrote:
> Kai,
> On Mon, Jul 27, 2015 at 11:24:21AM +0200, magnum wrote:
>> On 2015-07-27 09:48, Kai Zhao wrote:
>> >$ ./john --test=0 --format=LM
>> >Will run 8 OpenMP threads
>> >Testing: LM [DES 256/256 AVX2-16]... (8xOMP) PASS
>> >
>> >Change the first password: "AAAAAA" -> "AAAAAa"
>> >
>> >$ ./john --test=0 --format=LM
>> >Will run 8 OpenMP threads
>> >Testing: LM [DES 256/256 AVX2-16]... (8xOMP) FAILED (get_key(0))
>> The format DOES change the case to upper but since the test vector still
>> has it in lower, it fails. This is just a current technical aspect of
>> self-tests, you can ignore it.
> As magnum correctly pointed out, your test is sort of wrong.  It detects
> that get_key() isn't returning the key that was previously set.  For LM,
> that's deliberate: the key is visibly converted to uppercase, and we
> want it written to john.pot that way.  In order not to trigger this
> detection on our normal self-test, we provide all of the test vectors
> with already all-uppercase passwords.  There's certainly room for
> improvement here: to be able to self-test the uppercasing and truncation
> at length 7, yet check that get_key() returns mostly the same password,
> modulo case and truncation (check for the flags and max length first).
> An improvement like that would apply to our old, quick self-test as
> well.  Then we'd be able to list test vectors that would be meant to be
> uppercased and truncated.
> As to your --test-full also detecting this non-issue, this appears to be
> due to the get_key() check included in is_key_right() even when called
> from test_fmt_case(), test_fmt_8_bit(), and fmt_self_test_full_body().
> You need to either have the get_key() check skipped when invoked from
> there, or enhance it as I have described above.

I changed the is_key_right() function to handle uppercasing. The truncation
was already supported by the old self-test. Below is my patch:

Now the LM, netlm, and those formats which does not set FMT_CASE can
change their self-test passwords to lowercase or both lowercase and

When test FMT_CASE, I think we can ignore the results of get_key(), when
we test a passwords which is differ in case, what we care is the result of

I have tested this patch. It seems to work. Do you think so ?



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.