Discussion:
[john-users] Rule bug in John proper
magnum
2018-12-05 21:46:16 UTC
Solar,

While auditing rules for performance, I found a minor bug in john.conf
stemming from non-Jumbo:

# mary -> marie
-[:c] <* (?\p1[za] \p1[lc] )y omi $e
# marie -> mary
-[:c] <* (?\p1[za] \p1[lc] )e \] )i val1 oay

The last line should use `<+` instead. The current rule will reject
words that would (barely) fit in max_length.

It's of more importance in Jumbo when using --max-len=N but even without
that, some unfortunate combinations of format's max length and (possibly
double-barrelled/hyphenated) names might end up inadvertently rejected.

This is fixed in Jumbo soon, in a pending commit that otherwise adds
rejection commands/flags where applicable.

magnum
Solar Designer
2018-12-06 02:18:11 UTC
Hi magnum,
Post by magnum
While auditing rules for performance, I found a minor bug in john.conf
# mary -> marie
-[:c] <* (?\p1[za] \p1[lc] )y omi $e
Here we require with the "<*" command that there's room to add one
character. If not, we don't(?) want to try e.g. "mari" instead of
"mary", which would be redundant with simpler overstrike rules - but
then we don't appear to have those in the same ruleset, so this is
arguably a bug (add overstrike rules to there or use "<+" here).

Also, there are two distinct cases: a hash type genuinely having a low
length limit (then it makes sense to try a truncated password, e.g.
"ladymari" against descrypt) vs. a user requesting a low length limit
(jumbo's "--max-length=8", in which case I think jumbo's own code would
reject the string "ladymarie" after this rule has wasted a bit of time
processing it). As I understand, we currently have means to distinguish
these cases inside jumbo (we even have a format flag indicating whether
its length limit is genuine or implementation-specific), but not from
rules. Maybe that's too much detail to bother with in rules, but you
said you were "auditing rules for performance" and this is relevant.
Post by magnum
# marie -> mary
-[:c] <* (?\p1[za] \p1[lc] )e \] )i val1 oay
The last line should use `<+` instead. The current rule will reject
words that would (barely) fit in max_length.
Thanks.

It's actually trickier than that. I think the check was off by 2 (and
my testing confirms that), and this is a proper fix:

# marie -> mary
-[:c] (?\p1[za] \p1[lc] )e \] <+ )i val1 oay

Alexander
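To make the three placements of the length check comparable on real inputs, here is a toy interpreter for just the rule commands these two rules use, written as an added illustration for this page. It is my own code, not john's rules.c and not anything posted in the thread. Assumptions: the preprocessor prefix `-[:c] (?\p1[za] \p1[lc]` is expanded by hand to its `-:` case and the `-c` flag is ignored; the `overlong` parameter models the two cases Solar distinguishes (a format's genuine limit truncating the result versus a user's `--max-length` rejecting it); and `l`/`m` are resolved against the word's current length, which is flagged as an assumption in `_position()` because doc/RULES describes them as the initial or memorized word's length. The sample words are constructed, with lengths 5, 8, 9 and 11 chosen around a max length of 8.

```python
"""Toy interpreter for the subset of John the Ripper rule syntax used by the
mary <-> marie rules in this thread.  Added illustration, not john's rules.c;
command semantics follow doc/RULES as I read them, with the one assumption
flagged in _position()."""

import string

MAX_LEN = 8  # e.g. descrypt's genuine limit, or a user's --max-length=8

# ?C character classes (only the ones needed here)
CLASSES = {
    "z": lambda ch: True,          # ?z: any character
    "a": lambda ch: ch.isalpha(),  # ?a: letters
    "l": lambda ch: ch.islower(),
    "u": lambda ch: ch.isupper(),
    "d": lambda ch: ch.isdigit(),
}


class Reject(Exception):
    """A rejection command (<N, (X, )X, ...) decided to skip the word."""


def _position(ch, cur_len, max_len, variables):
    """Resolve a position/length character N as listed in doc/RULES.

    ASSUMPTION: 'l' and 'm' resolve against the word's *current* length.
    doc/RULES calls them the "initial or memorized" length/last position;
    the current length is what makes 'val1 oay' put the 'y' on the last
    character of the word after ']' has shortened it.
    """
    if ch.isdigit():
        return int(ch)
    if ch in string.ascii_uppercase:
        return 10 + string.ascii_uppercase.index(ch)
    specials = {"*": max_len, "-": max_len - 1, "+": max_len + 1,
                "l": cur_len, "m": cur_len - 1}
    if ch in specials:
        return specials[ch]
    if ch in variables:          # a..k, set with the v command
        return variables[ch]
    raise ValueError(f"unsupported position {ch!r}")


def _matcher(rule, i):
    """Parse the X of (X / )X at rule[i]: a literal char or a ?C class."""
    if rule[i] == "?":
        return CLASSES[rule[i + 1]], i + 2
    lit = rule[i]
    return (lambda ch: ch == lit), i + 1


def apply_rule(word, rule, max_len=MAX_LEN, overlong="truncate"):
    """Apply one already-expanded rule (no preprocessor, no -c flag).

    Returns the candidate, or None if the word was rejected.  'overlong'
    models the two cases from the thread for a result longer than max_len:
    a format's genuine limit ("truncate") vs. a user's --max-length ("reject").
    """
    rule = rule.replace("\\]", "]")   # john.conf escapes ] for the preprocessor
    w = list(word)
    variables = {}
    pos_of = lambda ch: _position(ch, len(w), max_len, variables)
    i = 0
    try:
        while i < len(rule):
            cmd, i = rule[i], i + 1
            if cmd in ": ":                      # no-op / separator
                continue
            if cmd == "<":                       # reject unless length < N
                if not len(w) < pos_of(rule[i]):
                    raise Reject
                i += 1
            elif cmd == ">":                     # reject unless length > N
                if not len(w) > pos_of(rule[i]):
                    raise Reject
                i += 1
            elif cmd in "()":                    # reject unless first/last char is X
                match, i = _matcher(rule, i)
                if not w or not match(w[0] if cmd == "(" else w[-1]):
                    raise Reject
            elif cmd == "l":                     # lowercase
                w = list("".join(w).lower())
            elif cmd == "c":                     # capitalize
                w = list("".join(w).capitalize())
            elif cmd == "]":                     # delete last character
                w = w[:-1]
            elif cmd == "$":                     # append X
                w.append(rule[i]); i += 1
            elif cmd == "o":                     # overstrike position N with X
                pos, ch = pos_of(rule[i]), rule[i + 1]
                i += 2
                if pos < len(w):
                    w[pos] = ch
            elif cmd == "v":                     # vVNM: variable V = N - M
                var, n, m = rule[i:i + 3]
                i += 3
                variables[var] = pos_of(n) - pos_of(m)
            else:
                raise ValueError(f"unsupported command {cmd!r}")
    except Reject:
        return None
    out = "".join(w)
    if len(out) > max_len:
        return None if overlong == "reject" else out[:max_len]
    return out


# The thread's rules with "-[:c] (?\p1[za] \p1[lc]" expanded to the "-:" case.
MARY_TO_MARIE = {
    "john.conf (<*)": "<* (?z l )y omi $e",
    "no length check": "(?z l )y omi $e",
}
MARIE_TO_MARY = {
    "john.conf (<* before ])": "<* (?z l )e \\] )i val1 oay",
    "magnum (<+ before ])":    "<+ (?z l )e \\] )i val1 oay",
    "Solar (<+ after ])":      "(?z l )e \\] <+ )i val1 oay",
}


def compare(words, rules, max_len=MAX_LEN, overlong="truncate"):
    """Map each rule variant to its results for the words (None = rejected)."""
    return {name: [apply_rule(w, r, max_len, overlong) for w in words]
            for name, r in rules.items()}


if __name__ == "__main__":
    # Constructed sample words: lengths 5, 8, 9 and 11 around max_len = 8.
    for name, got in compare(["marie", "annmarie", "ladymarie", "maryjomarie"],
                             MARIE_TO_MARY).items():
        print(f"{name:26} {got}")
    for mode in ("truncate", "reject"):
        for name, got in compare(["mary", "ladymary"], MARY_TO_MARIE,
                                 overlong=mode).items():
            print(f"{mode:8} {name:16} {got}")
```

With `max_len = 8` the three marie -> mary variants differ exactly where the thread says: the `<*` rule rejects "annmarie" (8) and "ladymarie" (9) although "annmary" and "ladymary" both fit; moving to `<+` at the start still rejects "ladymarie"; only `<+` placed after `\]` accepts both and still rejects "maryjomarie", whose 10-character result would not fit. For mary -> marie, dropping the `<*` check on "ladymary" yields "ladymari" under a genuine format limit (the truncated candidate Solar says is worth trying against descrypt) but nothing at all under a user-imposed `--max-length`, which is the wasted work he describes.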
