Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 06 Jan 2011 19:54:58 -0600
From: James Nobis <quel@...lrod.net>
To: Robert Harris <rs904c@...scape.net>
CC: john-users@...ts.openwall.com
Subject: Re: Re: hmailserver patch has errors, error when compiling
 in Linux x86 64-bit and 32-bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Robert,

> You may possibly require a minimum version of GCC and/or OpenSSL, or
> something. Do you?  I'm using Owl version from September, the same exact
> version and configuration I used to build JtR with the jumbo 9 patch, and it
> worked fine.

Thanks for your follow up.  You are correct that there is a minimum
version requirement.  I had not considered the possibility of OpenSSL
that doesn't have SHA-2 support in active use.

> Here are the gcc and openssl version in the September versions of Owl:
> gcc version 3.4.5

Wow that's quite an old version though it isn't a factor here.  gcc 3.x
had a lot of performance regressions for the code it generated and 4.x
especially in the 4.3.x, 4.4.x, and 4.5.x lines are really producing
some excellent optimizations.  I keep finding more cases of the compiler
actually doing the right things with c code such that less inline
assembly is necessary.

> OpenSSL 0.9.7m 23 Feb 2007

The changelog indicates in the Changes between 0.9.7h and 0.9.8  [05 Jul
2005] that "New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are
implemented."  I don't think 0.9.7 has any upstream security support at
this point.  All US government agencies were suppose to cease all use of
MD5 and SHA-1 at the end of last year, though they didn't meet the
deadline.  With improving attacks on SHA-1 Owl really should have SHA-2
support.  SHA-1 at 160 bits only provides 80bits of security which is
insufficient even for 128-bit rc4 or aes.  The picture is more bleak if
you take current improvements on cryptanalytic analysis of SHA-1 into
account.  The minimum for 128-bits of security is currently SHA-256.

Is there a way to specify a minimum OpenSSL version in JtR?  The most
time I spent in the code was writing this quick patch for a friend.

Thanks,
James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCgAGBQJNJnJxAAoJEGUWgJyjXssu4CcP/3heFTxIkt61O0NEOHQRm1/W
4u+T0kGKqt9glVaPc/yDhOyn9w+5IPuA6FhcqsuR7ClBAocc5aPywXOGIDgVwaRd
wIZWcqu6+Kd4DKNGW2oZqm8HydHg2+101p8TjnD4Y2YwO50gc3qr3zZXPXwssSop
YmfVPzaO5qd4DYvt1tqbGaM2p1vJDJRwYL0UIVn7G69mudUiL9fGkQnX5Zeuy4R3
ZnM6zBy8tCuAVOSfrsrzF6ffX49afesNh1ZxTRF5uUP9fcOwbyqkKpuQgL65sDCg
S8U1WB5FiNlQaSPqP3RifHXUZxPuUHO8qOLyEXMwH8259Szxqin/PVtDYzvfPXMg
YfZ4uIphdbQGhD5BVHrImGdrfw8mN7zckR+3dtPK3rg+lNdX6mdK6NTnIu0X+QN8
4yIGmWyceM34FpVYBw//YeLzOpDIBcvKw/Cop87b582LB6GsbfbES6Z9VeHs65Ss
fCbIsN4oB7aM3WqD9hE8y+8dbAcRTyrn7kJAaxHpVwhsQ0orwGJjxX8Ra8JyNl3b
VziTzje2DaP7NKpORsaZVuzEWdNYej2R2P+8zclhqTOtRwy6PTLJuEGb/0yMlMSP
X23nzkj+i2JEcCsi2EmAs4YPqsYZZPnT45Kqv+SRv8kxsHSlkKGzpA0aYOp+zWRf
vnnTbzpX0wmOp3G+Kgqx
=deOj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.