Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 19 Feb 2021 16:21:24 +0100
From: Solar Designer <>
Cc: Misgac04 <>
Subject: Re: HMAC-SHA256 Max length / Bug ?


On Thu, Feb 18, 2021 at 09:04:59AM +0000, Misgac04 wrote:
> I'm using john 1.9.0.jumbo1-5, from blackarch.
> I'm having issues at cracking hmac-sha256 key because john skip my hash, I think my message/signature combination seems too long.

Yes, it is too long.  Looking in hmacSHA256_fmt_plug.c, we have this:

#ifndef SIMD_COEF_32
#define SALT_LENGTH                     1023
#define SALT_ALIGN                      1
#define SALT_LIMBS                      12  /* 12*64-9 == 759 bytes */
#define SALT_LENGTH                     (SALT_LIMBS * PAD_SIZE - 9)
#define SALT_ALIGN                      MEM_ALIGN_SIMD

As you can see, for a SIMD-enabled build the maximum salt length is 759
bytes.  I've just confirmed that your sample is loaded when the salt is
shortened to 759, and stops being loaded at 760.

For a SIMD-less build, the limit would apparently be 1023, but it'd run

I've just tried increasing SIMD_LIMBS like this:

#define SALT_LIMBS                      24 /* 24*64-9 == 1527 bytes */

along with changing "#ifndef SIMD_COEF_32" to "#if 1" inside the tests[]
initializer, to have support for higher salt lengths actually tested.
The format still passes self-tests after a rebuild, and starts loading
your sample hash fine.  So you can probably do the same.  I only tested
this using the latest code off GitHub, and I suggest you use the latest
too - not a distro package.

> For instance this works well:
> john.txt
> hello#750f39f4f1bc9dfb785a9a939d324227e910cf33af8bbd4e7a65012d385e508c
> However this is not loaded by john
> john.txt

FWIW, you got the line wrapped at 190 characters there.  With such
wrapping, the last one of the resulting multiple lines is actually
loaded fine, but that's not what you intended.  I ran my tests above
with the line unwrapped back to its full length.

> My practical case is with a message of 3kbytes.

Oh, then you need an even higher value in SALT_LIMBS, and you need to
create your own test vector to make sure this actually works right.


P.S. You don't appear to be subscribed to the list, so I am CC'ing you
on this reply.  You might want to subscribe so that you don't miss any
other replies people might post, and so that you can reply to those into
this same thread.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.