Date: Sun, 6 Sep 2015 12:48:08 -0500
From: JimF <jfoug@....net>
To: john-dev@...ts.openwall.com
Subject: Re: FormSpring valid()

On 9/6/2015 12:28 PM, Solar Designer wrote:
> magnum -
>
> On Tue, Sep 01, 2015 at 03:47:23PM +0800, Kai Zhao wrote:
>> On Tue, Sep 1, 2015 at 3:21 PM, magnum <john.magnum@...hmail.com> wrote:
>>> I do not know but I think there should be an issue for finding out (or it
>>> will be forgotten).
>>>
>>> The existing untagged test vector only has a salt length of two, I wonder if
>>> that is the difference? Maybe real Formspring hashes have that limitation?
>> I opened an issue for this:
>>
>> https://github.com/magnumripper/JohnTheRipper/issues/1725
> Your comment:
>
> "I see now formspring defines SALT_SIZE as 2. Doesn't look like a bug to
> me, your test vector simply didn't fit the format."
>
> does not address the issue of the format accepting strings with longer
> salts. Maybe the bug is that this format's valid() (which builds upon
> the dynamic stuff and thus isn't easy for me to follow) sometimes
> accepts invalid strings as well (just not all the time, which is why Kai
> felt that something was wrong)? And some of the currently listed test
> vectors are in fact invalid. I think you should re-open the issue.
>
> Kai - how did you obtain the test vectors that you added to
> formspring_fmt_plug.c in 101bed96efba9509f5f60447a342a00024bba17e?
> Specifically, where did their salts come from? Why are they of 8 hex
> digits whereas the existing test vectors used two-char salts?
>
> Alexander

If we want formspring by itself to not work for any salt > 2, then it is
still pretty easy to do. We would simply call the dynamic->valid()
function. If that fails, return failure. Then, if that is ok (all done
within the formspring_valid() function), we simply make sure that the
salt is exactly 2 bytes. If not, we fail. That way, the format would work
with raw hashes or with dynamic_61 hashes, AS LONG as the salts are 2
bytes.

Right now, even though there is a #define of SALT_SIZE=2, it is not used
at all. Well, actually it IS used, but used incorrectly, to determine
when to call dynamic valid without doing a convert.
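As an added illustration of the ordering proposed above (example code written for this page, not code from John the Ripper, from JimF, or from formspring_fmt_plug.c): convert an untagged hash into the tagged form, run a dynamic-style structural check, and only then enforce SALT_SIZE. The tag string "$dynamic_61$", the layout of 64 hex digits followed by '$' and the salt, the generic salt limit DYNAMIC_MAX_SALT, the function names and the sample strings are all assumptions made for the example; SAMPLE_HEX is a constructed digest, not a real FormSpring hash.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FORMAT_TAG        "$dynamic_61$"   /* assumed tag of the dynamic format */
#define TAG_LEN           (sizeof(FORMAT_TAG) - 1)
#define HASH_HEX_LEN      64               /* SHA-256 digest as hex digits (assumed layout) */
#define SALT_SIZE         2                /* the format's own limit, as in the message */
#define DYNAMIC_MAX_SALT  32               /* assumed looser limit of the generic dynamic check */
#define CONVERT_BUF_LEN   (TAG_LEN + HASH_HEX_LEN + 1 + DYNAMIC_MAX_SALT + 1)

/* Constructed sample digest: 64 hex digits, not a real FormSpring hash. */
#define SAMPLE_HEX "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

/* Model of the generic dynamic valid(): requires the tag, then 64 hex
 * digits, then '$' and a salt of 1..DYNAMIC_MAX_SALT bytes. Returns the
 * salt length on success and -1 on any structural problem. */
static int dynamic_style_parse(const char *ciphertext)
{
    const char *p = ciphertext;
    size_t salt_len;
    int i;

    if (strncmp(p, FORMAT_TAG, TAG_LEN) != 0)
        return -1;
    p += TAG_LEN;
    /* Each byte is checked before the next is read, so a short string
     * stops at its NUL instead of reading past the end. */
    for (i = 0; i < HASH_HEX_LEN; i++)
        if (!isxdigit((unsigned char)p[i]))
            return -1;
    if (p[HASH_HEX_LEN] != '$')
        return -1;
    salt_len = strlen(p + HASH_HEX_LEN + 1);
    if (salt_len < 1 || salt_len > DYNAMIC_MAX_SALT)
        return -1;
    return (int)salt_len;
}

int dynamic_style_valid(const char *ciphertext)
{
    return dynamic_style_parse(ciphertext) > 0;
}

/* The "convert" step: prepend the tag to an untagged "<hex>$<salt>" string.
 * Already-tagged input is copied unchanged. Returns NULL if it does not fit. */
static char *formspring_convert(const char *ciphertext, char *out, size_t out_len)
{
    size_t len = strlen(ciphertext);

    if (strncmp(ciphertext, FORMAT_TAG, TAG_LEN) == 0) {
        if (len + 1 > out_len)
            return NULL;
        memcpy(out, ciphertext, len + 1);
        return out;
    }
    if (TAG_LEN + len + 1 > out_len)
        return NULL;
    memcpy(out, FORMAT_TAG, TAG_LEN);
    memcpy(out + TAG_LEN, ciphertext, len + 1);
    return out;
}

/* The ordering proposed in the message: convert, run the dynamic-style
 * check, and only then require the salt to be exactly SALT_SIZE bytes. */
int formspring_valid(const char *ciphertext)
{
    char buf[CONVERT_BUF_LEN];
    int salt_len;

    if (formspring_convert(ciphertext, buf, sizeof(buf)) == NULL)
        return 0;
    salt_len = dynamic_style_parse(buf);
    if (salt_len < 0)
        return 0;                       /* dynamic valid() failed */
    return salt_len == SALT_SIZE;       /* the extra check the format needs */
}

int main(void)
{
    const char *samples[] = {
        SAMPLE_HEX "$ab",                    /* raw, 2-byte salt: accept */
        FORMAT_TAG SAMPLE_HEX "$ab",         /* tagged, 2-byte salt: accept */
        FORMAT_TAG SAMPLE_HEX "$1a2b3c4d",   /* 8-hex-digit salt: dynamic ok, formspring no */
        SAMPLE_HEX "$a",                     /* 1-byte salt: reject */
        "not a hash",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("dynamic=%d formspring=%d  %s\n",
               dynamic_style_valid(samples[i]), formspring_valid(samples[i]), samples[i]);
    return 0;
}
```

The point the split makes visible is that the generic check happily accepts the 8-hex-digit salt, so a format that relies on it alone cannot reject such test vectors; the length check has to live in the format's own valid(), after the convert and after the generic check has passed.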