Re: (ITS#7869) [PATCH] contrib passwd/apr1 do_phk_hash arguments
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7869) [PATCH] contrib passwd/apr1 do_phk_hash arguments
- From: hyc@symas.com
- Date: Thu, 17 Jul 2014 21:00:35 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Howard Chu wrote:
> ryan@nardis.ca wrote:
>> Full_Name: Ryan Tandy
>> Version: master/33e12f4 RE24/b000d95
>> OS: Debian unstable
>> URL:
>> Submission from: (NULL) (24.68.121.206)
>>
>>
>> Hi,
>>
>> The apr1 passwd plugin calls do_phk_hash with the arguments in the wrong order,
>> so the digest updates are done in a different order than md5crypt does. The
>> following patch fixes that, restoring compatibility with existing htpasswd
>> files.
>>
>> However, existing {APR1} hashes that were generated while the bug existed are
>> going to be broken... I'm not sure what to do about that. :/
>
> According to ITS#6826, where this code came from originally, the generated
> {APR1} hashes are currently compatible with htpasswd. As such, your patch
> would break htpasswd compatibility. As such it seems like a bad idea to commit
> your change.
I've also confirmed, using perl Crypt::PasswdMD5, that the hashes generated by
the current code are compatible. In particular, a password generated by this
script:
###
use strict;
use warnings;
use Crypt::PasswdMD5;
my($password) = 'seekrit';
my($salt) = 'pepperoni';
my($unix_crypted) = unix_md5_crypt($password, $salt);
my($apache_crypted) = apache_md5_crypt($password, $salt);
print "$unix_crypted\n";
print "$apache_crypted\n";
###
can be converted to OpenLDAP {BSDMD5} and {APR1} format, respectively, and
matches the output generated by the current module using the same salt and
plaintext.
Rejecting this patch, closing this ITS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
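
The conversion mentioned in the message above, sketched as an added Python example; it is not code from this thread or from the OpenLDAP source. It assumes the stored value is the scheme name followed by standard base64 of the 16 raw digest bytes with the salt appended, and every function name here is hypothetical.

```python
import base64

# md5crypt's own 64-character alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Digest byte indices packed into each 4-character group; byte 11 follows alone
GROUPS = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
SCHEMES = {"1": "{BSDMD5}", "apr1": "{APR1}"}  # crypt magic -> scheme named in the thread


def _to64(value, count):
    """Emit count characters, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def _from64(chars):
    return sum(ITOA64.index(ch) << (6 * i) for i, ch in enumerate(chars))


def encode_digest(digest):
    """16 raw MD5 bytes -> 22-character md5crypt hash field."""
    body = "".join(_to64(digest[a] << 16 | digest[b] << 8 | digest[c], 4) for a, b, c in GROUPS)
    return body + _to64(digest[11], 2)


def decode_digest(field):
    """Inverse of encode_digest; rejects malformed fields."""
    if len(field) != 22:
        raise ValueError("md5crypt hash field must be 22 characters")
    digest = bytearray(16)
    for n, (a, b, c) in enumerate(GROUPS):
        v = _from64(field[4 * n:4 * n + 4])
        digest[a], digest[b], digest[c] = v >> 16, (v >> 8) & 0xFF, v & 0xFF
    last = _from64(field[20:])
    if last > 0xFF:
        raise ValueError("final group does not fit in one byte")
    digest[11] = last
    return bytes(digest)


def crypt_to_ldap(crypt_str):
    """Assumed layout: scheme + base64(digest || salt)."""
    _, magic, salt, field = crypt_str.split("$")
    raw = decode_digest(field) + salt.encode("ascii")
    return SCHEMES[magic] + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed digest bytes, not a real password hash
    sample = "$apr1$pepperon$" + encode_digest(bytes(range(16)))
    print(sample, "->", crypt_to_ldap(sample))
```

md5crypt uses at most eight salt characters, so the script's 'pepperoni' appears as 'pepperon' in the crypt-style output.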