Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140706073528.GA9205@openwall.com>
Date: Sun, 6 Jul 2014 11:35:28 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Salt dupe removal logic and format changes (Comments wanted)

On Sun, Jul 06, 2014 at 12:51:11AM +0200, magnum wrote:
> Not sure why this was moved here from john-dev but anyways,

Jim started this thread on john-users right away.  I agree that it's
probably john-dev material since we're discussing source code changes
in some detail.

> On 2014-07-05 15:40, Solar Designer wrote:
> >Here's another idea: add a new FMT_SALT_STRUCT flag that would indicate
> >that the "binary salt" as used by the format is actually of a specific
> >struct type containing a pointer to the actual salt value and a size
> >(just these two fields, so it's 16 bytes on a 64-bit arch).  When the
> >flag is set, memcmp() would be called after the extra pointer
> >dereference and using the actual salt size read from that struct.  With
> >this approach, you don't need to make any changes to existing formats.
> >You start to use this new feature in formats that need it, one by one.
> 
> I really like this idea, for being KISS and easy to experiment with. I'd 
> vote for trying this first.

Great.  Here's yet another idea: instead of the above, have a flag like
FMT_DYNAMIC_SALT that would tell the rest of JtR that salt() returns a
dynamically allocated salt of arbitrary size and encodes the actual size
in first size_t of the returned buffer.  It's almost the same as above,
except that it has less pointer indirection.  Since we intend to use
this for cases where salts are large, I think the dynamic allocation
should be made in a way that can be free()d, and the rest of JtR should
actually be free()ing these as appropriate.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.