Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4D267272.8050702@quelrod.net>
Date: Thu, 06 Jan 2011 19:54:58 -0600
From: James Nobis <quel@...lrod.net>
To: Robert Harris <rs904c@...scape.net>
CC: john-users@...ts.openwall.com
Subject: Re: Re: hmailserver patch has errors, error when compiling
 in Linux x86 64-bit and 32-bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Robert,

> You may possibly require a minimum version of GCC and/or OpenSSL, or
> something. Do you?  I'm using Owl version from September, the same exact
> version and configuration I used to build JtR with the jumbo 9 patch, and it
> worked fine.

Thanks for your follow up.  You are correct that there is a minimum
version requirement.  I had not considered the possibility of OpenSSL
that doesn't have SHA-2 support in active use.

> Here are the gcc and openssl version in the September versions of Owl:
> gcc version 3.4.5

Wow that's quite an old version though it isn't a factor here.  gcc 3.x
had a lot of performance regressions for the code it generated and 4.x
especially in the 4.3.x, 4.4.x, and 4.5.x lines are really producing
some excellent optimizations.  I keep finding more cases of the compiler
actually doing the right things with c code such that less inline
assembly is necessary.

> OpenSSL 0.9.7m 23 Feb 2007

The changelog indicates in the Changes between 0.9.7h and 0.9.8  [05 Jul
2005] that "New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are
implemented."  I don't think 0.9.7 has any upstream security support at
this point.  All US government agencies were suppose to cease all use of
MD5 and SHA-1 at the end of last year, though they didn't meet the
deadline.  With improving attacks on SHA-1 Owl really should have SHA-2
support.  SHA-1 at 160 bits only provides 80bits of security which is
insufficient even for 128-bit rc4 or aes.  The picture is more bleak if
you take current improvements on cryptanalytic analysis of SHA-1 into
account.  The minimum for 128-bits of security is currently SHA-256.

Is there a way to specify a minimum OpenSSL version in JtR?  The most
time I spent in the code was writing this quick patch for a friend.

Thanks,
James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCgAGBQJNJnJxAAoJEGUWgJyjXssu4CcP/3heFTxIkt61O0NEOHQRm1/W
4u+T0kGKqt9glVaPc/yDhOyn9w+5IPuA6FhcqsuR7ClBAocc5aPywXOGIDgVwaRd
wIZWcqu6+Kd4DKNGW2oZqm8HydHg2+101p8TjnD4Y2YwO50gc3qr3zZXPXwssSop
YmfVPzaO5qd4DYvt1tqbGaM2p1vJDJRwYL0UIVn7G69mudUiL9fGkQnX5Zeuy4R3
ZnM6zBy8tCuAVOSfrsrzF6ffX49afesNh1ZxTRF5uUP9fcOwbyqkKpuQgL65sDCg
S8U1WB5FiNlQaSPqP3RifHXUZxPuUHO8qOLyEXMwH8259Szxqin/PVtDYzvfPXMg
YfZ4uIphdbQGhD5BVHrImGdrfw8mN7zckR+3dtPK3rg+lNdX6mdK6NTnIu0X+QN8
4yIGmWyceM34FpVYBw//YeLzOpDIBcvKw/Cop87b582LB6GsbfbES6Z9VeHs65Ss
fCbIsN4oB7aM3WqD9hE8y+8dbAcRTyrn7kJAaxHpVwhsQ0orwGJjxX8Ra8JyNl3b
VziTzje2DaP7NKpORsaZVuzEWdNYej2R2P+8zclhqTOtRwy6PTLJuEGb/0yMlMSP
X23nzkj+i2JEcCsi2EmAs4YPqsYZZPnT45Kqv+SRv8kxsHSlkKGzpA0aYOp+zWRf
vnnTbzpX0wmOp3G+Kgqx
=deOj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.