Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20111208010523.GA1934@openwall.com>
Date: Thu, 8 Dec 2011 05:05:23 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: cracking RADIUS shared secrets with john the ripper

On Thu, Dec 08, 2011 at 01:09:28AM +0100, Didier Arenzana wrote:
> I have just updated the patch & perl script; now the HEX$ strings
> should work with any dynamic_n format, with fixed salt length or not.
> Please give me your thinkings of the modifications I made to loader.c,

I just took a look.  I think those modifications are not needed and
should be removed.  Instead of them and the changes to set_salt() (which
probably have performance impact) you should modify the format's salt()
function (or get_salt() as it's called in some formats).  Really, all of
your code changes should be contained in valid() and salt().

I am not familiar with dynamic_fmt.c, though - that's JimF's code.

One other thing I noticed is the less usual license on the Perl script,
requiring attribution.  I understand and respect your wish to be
credited, but it is very easy to raise license compatibility concerns in
this way.  What if another license that is meant to be applied to a
larger application including your script says that "no further
restrictions are allowed" (and you essentially have a restriction not
specified in that license)?  What exactly is meant by having the
original author "referenced" (e.g., is keeping the notice in the source
code sufficient or is the "reference" supposed to be on the project's
website or in a GUI program's "About" box? what if the source code is
not included with a certain derived program's release?)  My original
proposed wording was a strict subset of the BSD license, only with
purely restrictive clauses removed, so it was obviously compatible at
least with the same licenses that BSD licenses are; this can't be said
of yours.  Even if it is in fact just as compatible in practice, that is
not obvious anymore.

Of course, it is up to you how to license your contribution.

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.