Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CABtNtWGYAtw9=K=BVuFppTyS+u6vdHuBZ3_3UtKp_5zap-oU8w@mail.gmail.com>
Date: Tue, 11 Aug 2015 00:48:55 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: auditing our use of FMT_* flags (was: more robustness)

Hi Alexander,

On Fri, Aug 7, 2015 at 2:20 AM, Solar Designer <solar@...nwall.com> wrote:
> Kai,
>
> On Thu, Aug 06, 2015 at 09:09:15PM +0300, Solar Designer wrote:
>> Testing: skein-512, Skein 512 [Skein 32/64]... (32xOMP) FAILED (format:skein-512 have set FMT_8_BIT but all passwords ignore the 8th bit)
>>
>> This is weird.  I think it's a bug in the code, to be found and fixed.
>> Kai, please try to find the bug.
>
> I took a look.  No, it's a bug in lacking proper test vectors, and
> another in your extended test not handling this situation well.  Please
> fix both of these.  That is, please add more test vectors to
> skein_256_tests[] and skein_512_tests[], and please enhance your tests
> to handle this situation reasonably.  Just why is it that when there's
> only one non-empty test vector, which is the string "\xff", your test
> thinks that "all passwords ignore the 8th bit"?  A quick test with
> --stdin shows that the skein-512 format only cracks that hash when I
> feed it "\xff" as input, and does not when I feed it "\x7f".  Perhaps
> your test is buggy in that it doesn't correctly handle test vectors that
> already have 8-bit characters in them?
>
> Alexander

1.  Add more test vectors to skein_256_tests[] and skein_512_tests[]

Have not done, since I can not generate skein-256 and skein-512 now.
I will add when I get the pots or other ways to generate those hashes.

2. Enhance your tests to handle this situation reasonably

This is fixed by:

https://github.com/magnumripper/JohnTheRipper/pull/1640/files

After I rewrite the test_fmt_8_bit(), I find a new bug of FMT_8_BIT
with tripcode. The old test_fmt_8_bit() only change the first character
of the password. The new one change all the characters to OR '\x80',
and to AND '\x7F'.

 static struct fmt_tests tests[] = {
-       {"Rk7VUsDT2U", "simpson"},
+       {"Rk7VUsDT2U", "si\xEDpson"},
        {"3GqYIJ3Obs", "tripcode"},
        {"Id1gMYGA52", "ponytail"},
        {NULL}

The self-test result is: FAILED (cmp_all(1)). So the tripcode should
set the FMT_8_BIT flag. Does it ?


Thanks,

Kai

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.