Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20210219152124.GC20715@openwall.com>
Date: Fri, 19 Feb 2021 16:21:24 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Cc: Misgac04 <Misgac04@...tonmail.com>
Subject: Re: HMAC-SHA256 Max length / Bug ?

Hi,

On Thu, Feb 18, 2021 at 09:04:59AM +0000, Misgac04 wrote:
> I'm using john 1.9.0.jumbo1-5, from blackarch.
> I'm having issues at cracking hmac-sha256 key because john skip my hash, I think my message/signature combination seems too long.

Yes, it is too long.  Looking in hmacSHA256_fmt_plug.c, we have this:

#ifndef SIMD_COEF_32
#define SALT_LENGTH                     1023
#define SALT_ALIGN                      1
#else
#define SALT_LIMBS                      12  /* 12*64-9 == 759 bytes */
#define SALT_LENGTH                     (SALT_LIMBS * PAD_SIZE - 9)
#define SALT_ALIGN                      MEM_ALIGN_SIMD
#endif

As you can see, for a SIMD-enabled build the maximum salt length is 759
bytes.  I've just confirmed that your sample is loaded when the salt is
shortened to 759, and stops being loaded at 760.

For a SIMD-less build, the limit would apparently be 1023, but it'd run
slower.

I've just tried increasing SIMD_LIMBS like this:

#define SALT_LIMBS                      24 /* 24*64-9 == 1527 bytes */

along with changing "#ifndef SIMD_COEF_32" to "#if 1" inside the tests[]
initializer, to have support for higher salt lengths actually tested.
The format still passes self-tests after a rebuild, and starts loading
your sample hash fine.  So you can probably do the same.  I only tested
this using the latest code off GitHub, and I suggest you use the latest
too - not a distro package.

> For instance this works well:
> 
> john.txt
> hello#750f39f4f1bc9dfb785a9a939d324227e910cf33af8bbd4e7a65012d385e508c
> 
> However this is not loaded by john
> 
> john.txt

FWIW, you got the line wrapped at 190 characters there.  With such
wrapping, the last one of the resulting multiple lines is actually
loaded fine, but that's not what you intended.  I ran my tests above
with the line unwrapped back to its full length.

> My practical case is with a message of 3kbytes.

Oh, then you need an even higher value in SALT_LIMBS, and you need to
create your own test vector to make sure this actually works right.

Alexander

P.S. You don't appear to be subscribed to the list, so I am CC'ing you
on this reply.  You might want to subscribe so that you don't miss any
other replies people might post, and so that you can reply to those into
this same thread.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.