Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 6 Dec 2018 03:18:11 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Rule bug in John proper

Hi magnum,

On Wed, Dec 05, 2018 at 10:46:16PM +0100, magnum wrote:
> While auditing rules for performance, I found a minor bug in john.conf 
> stemming from non-Jumbo:
> 
> # mary -> marie
> -[:c] <* (?\p1[za] \p1[lc] )y omi $e

Here we require with the "<*" command that there's room to add one
character.  If not, we don't(?) want to try e.g. "mari" instead of
"mary", which would be redundant with simpler overstrike rules - but
then we don't appear to have those in the same ruleset, so this is
arguably a bug (add overstrike rules to there or use "<+" here).

Also, there are two distinct cases: a hash type genuinely having a low
length limit (then it makes sense to try a truncated password, e.g.
"ladymari" against descrypt) vs. a user requesting a low length limit
(jumbo's "--max-length=8", in which case I think jumbo's own code would
reject the string "ladymarie" after this rule has wasted a bit of time
processing it).  As I understand, we currently have means to distinguish
these cases inside jumbo (we even have a format flag indicate whether
its length limit is genuine or implementation-specific), but not from
rules.  Maybe that's too much detail to bother with in rules, but you
said you were "auditing rules for performance" and this is relevant.

> # marie -> mary
> -[:c] <* (?\p1[za] \p1[lc] )e \] )i val1 oay
> 
> The last line should use `<+` instead. The current rule will reject 
> words that would (barely) fit in max_length.

Thanks.

It's actually trickier than that.  I think the check was off by 2 (and
my testing confirms that), and this is a proper fix:

# marie -> mary
-[:c] (?\p1[za] \p1[lc] )e \] <+ )i val1 oay

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.