Date: Wed, 20 Jul 2011 20:18:32 -0500
From: "jfoug" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: RE: md5_gen ... again

I did list (within code) that this would happen.  This exact case.

		// this code is BROKEN in the case where we have a 'simple' salt, that starts with a '$'
		// character.  For now, I will simply comment these out, and they should work fine.  NOTE, this
		// will break complex salts, which do not start with a 'normal' salt.  Something like
		// $$Uuser will now fail (if that is the entire salt).  But at this time, there are no 'canned'
		// formats that use that, so this patch will work around the problem, giving me some time to
		// address this for the 'complex' salt case, in a later version of md5_gen.
//		if (ciphertext[curdat.md5_gen_SALT_OFFSET] == '$')
//			strnzcpy(Salt, &ciphertext[curdat.md5_gen_SALT_OFFSET-1], SALT_SIZE);
//		else


Thus what is happening is you have no 'valid' salt.  What you have in the
salt 'field' is $$U1234.  But due to some other fixes I added, this is
failing.

At this time, until I spend more time coming up with a more generic 'fix', I
would suggest that you build the format this way:

[List.Generic:md5_gen(1400)]
Expression=md5($s.:asterisk:.$p) [Asterisk SIP]
Flag=MGF_SALTED
Func=MD5GenBaseFunc__clean_input
Func=MD5GenBaseFunc__append_salt
Func=MD5GenBaseFunc__append_input1_from_CONST1
Func=MD5GenBaseFunc__append_keys
Func=MD5GenBaseFunc__crypt
CONST1=:asterisk:
Test=md5_gen(1400)4a8e71480c5b1ef0a5d502a8eb98576a$1234:abcd


Yes, I know that is not a 'fix', but I am not going down the knee jerk fix
in the salts until I have a better chance to dig deeper, and get it 'right'.

Jim.

>-----Original Message-----
>From: jm@...izoku.org [mailto:jm@...izoku.org] On Behalf Of Jean-Michel
>Sent: Wednesday, July 20, 2011 6:27 PM
>To: john-users@...ts.openwall.com
>Subject: [john-users] md5_gen ... again
>
>I upgraded from john 1.7.7 to john 1.7.8 with all patches applied.
>
>On x64 build, the patch john-1.7.8-jumbo-2after-MSCash2-many-fixes-1.diff
>made some of my md5_gen configuration scripts fail.
>
>It seems that having the flag MGF_USERNAME without MGF_SALTED breaks the
>format.
>
>For example, for Asterisk SIP secret hashes, I have:
>
>[List.Generic:md5_gen(1400)]
>Expression=md5($u.:asterisk:.$p) [Asterisk SIP]
>Flag=MGF_USERNAME
>Func=MD5GenBaseFunc__clean_input
>Func=MD5GenBaseFunc__append_userid
>Func=MD5GenBaseFunc__append_input1_from_CONST1
>Func=MD5GenBaseFunc__append_keys
>Func=MD5GenBaseFunc__crypt
>CONST1=:asterisk:
>Test=md5_gen(1400)4a8e71480c5b1ef0a5d502a8eb98576a:abcd:1234
>
>This function fails at get_hash[0](0)
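
The workaround in the reply above moves the username into the salt position (hash$salt, as in its Test= line). As an added example, not part of the original thread or of John the Ripper, this Python sketch rewrites user:hash lines into that layout and rejects usernames starting with '$', the case the reply reports as broken. The user:hash input layout, the function names and the sample account are assumptions.

```python
import hashlib
import re

TAG = "md5_gen(1400)"   # format label used in the message
CONST1 = ":asterisk:"   # CONST1 from the message's format section
HEX32 = re.compile(r"[0-9a-fA-F]{32}")

def digest(salt, password):
    """md5($s . CONST1 . $p), the Expression of the salted format."""
    return hashlib.md5((salt + CONST1 + password).encode()).hexdigest()

def to_salted(line):
    """Turn 'user:md5_gen(1400)<hex>' into 'user:md5_gen(1400)<hex>$user'."""
    user, _, rest = line.strip().partition(":")
    field = rest.split(":", 1)[0]
    if not field.startswith(TAG):
        raise ValueError("not a " + TAG + " line")
    hexpart = field[len(TAG):]
    if not HEX32.fullmatch(hexpart):
        raise ValueError("expected a bare 32-digit hash (already salted?)")
    if not user or user.startswith("$"):
        # A salt with a leading '$' is the case the message reports as broken.
        raise ValueError("username cannot be used as a simple salt")
    return "%s:%s%s$%s" % (user, TAG, hexpart.lower(), user)

def matches(salted_line, password):
    """Recompute the digest for a candidate password, as a cracker would."""
    field = salted_line.split(":", 1)[1]
    body = field[len(TAG):]
    hexpart, salt = body[:32], body[33:]
    return body[32:33] == "$" and digest(salt, password) == hexpart

if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    old = "alice:" + TAG + digest("alice", "constructed-pw")
    new = to_salted(old)
    print(new)
    print(matches(new, "constructed-pw"), matches(new, "other"))
```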
