Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 16 Sep 2018 12:49:27 -0300
From: Claudio André <claudioandre.br@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: john-users@...ts.openwall.com
Subject: Re: John the Ripper on Windows (includes OpenCL on
 Windows)

Em 16/09/2018 11:50, Solar Designer escreveu:
> On Sat, Sep 15, 2018 at 10:04:28AM -0300, Claudio Andr?? wrote:
>> I would say that if you need John for Windows you should use
>> https://rebrand.ly/JtRWin64 [2][3]:
>> - it is 100% JtR magnum's source code;
>> - it is built and tested on an actual (and auditable) Windows machine;
>> - it works on CMD, no need to install CygWin, ...
>> - I (tried, at least, to) handled all details;
> Great, thanks!  In what way is that Windows machine "auditable"?  Isn't
> it a third-party machine that we know little about?

It means anyone can see what these machines have installed (packages and 
versions) [1].
- See https://www.appveyor.com/docs/build-environment/
   1. The history of build worker image updates can be found online.
   2. Before rolling out an image update they do perform some testing.
- I guess any customer (deploying directly from AppVeyor) can ask for a 
report about their environment.

=> In fact, AppVeyor allows us to run builds on our own cloud. So, if 
needed, it just a matter of money to control 100% the process.

> I'm also concerned
> about the third-party link redirect service and third-party file
> download hosting service (even if same company as the CI service where
> we build these).

This was on purpose (the link is):
- Upgradeable: At this very moment the ZIP points to a version from 20 
days ago. Later, today, I will update the ZIP to include latest changes 
(e.g., the ETA bug fix). The link will reflect the change.
- Safe: I'm not offering a ZIP file to download. I offer a full view of 
the build process. Anyone can see and analyze ALL build process and logs.
- Safe: I compute and print (using the read only log) the hash of the 
ZIP file. I want people to see notice the computed hash.

> https://openwall.info/wiki/john/custom-builds
>
> Even though I didn't verify these downloads in any way (beyond my https
> client checking the certificate's validity, which passed), I've just
> added copies to:

You have a hash to verify these ZIP files (the algorithm used is SHA256).


> Since my trust in these unofficial builds is limited, I am not
> PGP-signing them.  Unfortunately, this also means that if our server is
> compromised, we might serve compromised downloads with no easy way for
> users to detect that.
>
> Ideally, we should be making builds that we could trust, and would be
> willing to sign.

Again, you have a hash to verify these ZIP files (20 years in the 
future). Also, as a customer, people do deploy directly from the CI 
provider. So, it is just a matter of using your own cloud.

>
>> - CygWin OpenCL DLL needs proper ICD information;
> Most relevant is this comment:
>
> https://github.com/magnumripper/JohnTheRipper/issues/3191#issuecomment-404051085
>
> "arcfide commented on Jul 11
>
> Okay, I got this fixed up. If you see claudioandre-br's comment, that's where ICD Vendor files are mentioned. He also gives a working example of a build that seems to work. I've got this working now on the current build.
>
> It doesn't require any hard hacks, but I did figure out that the OpenCL drivers with Cygwin don't work without an ICD Vendor file. That means that there has to be a location to find such files. That means that the OpenCL support works on Windows if you run JtR from inside of a Cygwin installation.
>
> To make this work for me on Windows, I installed Cygwin with OpenCL, and then created the /etc/OpenCL/vendors/nvidia.icd file that included the Cygwin path to nvopencl.dll mentioned above. After I did that, I ran JtR from inside of the Cygwin Terminal, which mounts and makes available the /etc/ directory. That has fixed things, and I can now see all of my devices and I can run JtR on the GPU with the appropriate speedups."
>
> Claudio, I notice that your win_x64.zip includes:
>
>         33  08-09-18 18:42   etc/OpenCL/vendors/amd.icd
>         33  08-09-18 18:42   etc/OpenCL/vendors/nvidia.icd

Basically,
- CygWin is not needed to run JtR. But, of course, one can run JtR from 
inside CygWin
- From a user point of view, to run OpenCL on Windows from inside CygWin:
    - Install the OpenCL package and:
        "echo 'c:\Windows\System32\amdocl64.dll' > 
{john}/etc/OpenCL/vendors/amd.icd"
        "echo 'c:\Windows\System32\nvopencl.dll' > 
{john}/etc/OpenCL/vendors/nvidia.icd"
- For Intel, `strace`, I have no idea what is the filename.

> BTW, somehow it also includes what's probably a left-over from testing:
>
>      99286  08-09-18 18:43   run/john.log
>        355  08-09-18 18:43   run/john.pot

I'll take a look.

Claudio


[1] Build worker image is a template used to provision a virtual machine 
for your build. Physical implementation of the template depends on the 
build cloud platform and can be a master VHD for Hyper-V and Azure, 
snapshot or image for GCE or AWS.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.