Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 28 Sep 2019 10:31:17 -0400 (EDT)
From: jfoug openwall <jfoug.openwall@....net>
To: john-users@...ts.openwall.com
Subject: Re: Buffer overflow in dynamic using very long salts


> On September 27, 2019 at 11:37 AM Vincent <spam@...lab.nl> wrote:
> 
> 
> Working on a dynamic format with a (very) long salt, I had some issue. 

This limitation is by design (and this will not change), the MAX length of any sub-string, ANYWHERE within the dynamic script is 256 bytes.    If you are needing to have huge long constants, or long salts, then dynamic is not going to work for you. 

Dynamic format has to be able to do things, and handle things which no other format does (i.e. it has NO idea going in, just what will be required by the format).  All other formats will have developer insight on just how to lay out buffers, how to optimize things, etc.  Not so with dynamic. So there were certain hard coded elements added to the format, just to allow it to be a workable format, and to be somewhat fast.   A large array of fixed sized input buffers is one of these trade offs.   NOTE, 256 byte buffers can not be filled up (I think) on SIMD formats (the 'flat' SIMD possibly can use entire buffer, but possibly not).  32 bit hashes will max out at 256-9 bytes (1 byte for 0x80 bit, and then 8 bytes for bit count).  64 bit hashes will max out at 256-17 bytes (1 byte 0x80, and 16 bytes bit count).   Again, this is BY DESIGN, and almost certainly will never be changed.

Jim.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.