Date:      Fri, 22 Sep 1995 10:08:36 +0200 (MET DST)
From:      Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To:        questions@freebsd.org
Cc:        ports@freebsd.org
Subject:   A crypt problem
Message-ID:  <199509220808.KAA08220@labinfo.iet.unipi.it>

[this has been crossposted to ports, because it is of some relevance
there]

I have a question on the use of MD5 crypt routines in cern_httpd.
I suspect the problem also arises with other software packages
which use crypt().

The cern package assumes the presence of DES crypt, and uses multiple
invocations of the crypt routine to encode the password and then
compare it with the correct one. The code is the following (in
/usr/ports/net/cern_httpd/work/WWW/Daemon/Implementation/HTPasswd.c):

    while (len > 0) {
        char *tmp, salt[3], chunk[9];
        CONST char *cur1 = password, *cur2 = encrypted;

        salt[0] = *cur2;
        salt[1] = *(cur2+1);
        salt[2] = (char)0;

        strncpy(chunk, cur1, 8);
        chunk[8] = (char)0;

        tmp = crypt((char*)password, salt);
        strcat(result, tmp);

        cur1 += 8;
        cur2 += 13;
        len -= 13;
    } /* while */
    status = strncmp(result, encrypted, strlen(encrypted));

This does not work with MD5, so I had to replace it with the
following simple sequence (MD5 can deal with strings longer than 8 chars):

    result=crypt(password, encrypted);
    status = strcmp(result, encrypted);

My question is: would the above work with DES crypt? I don't have
DES installed, so I cannot try it.

If the code works, then this is something that should be fixed in
cern_httpd and possibly other ports which use crypt.

	Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522              http://www.iet.unipi.it/~luigi/
====================================================================
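
Added example, not part of the original message and not cern_httpd code: a check that accepts both layouts discussed above, one `crypt()` call for `$`-prefixed hashes such as MD5 and per-chunk calls for DES entries. `passwd_match`, `crypt_fn` and the constructed stand-in `toy_crypt` are hypothetical names, and the one-13-character-chunk-per-8-password-characters DES layout is an assumption read from the quoted loop.

```c
#include <stdio.h>
#include <string.h>

typedef char *(*crypt_fn)(const char *, const char *);  /* crypt(3)'s shape */
/* 1 on match, else 0. A stored hash starting with '$' (MD5 "$1$...") takes one
 * call; anything else is read as 13-character DES chunks, one per 8 password
 * characters (layout assumed from the quoted loop's pointer steps). */
int passwd_match(const char *password, const char *stored, crypt_fn hash)
{
    size_t plen = strlen(password), i, nchunks = plen ? (plen + 7) / 8 : 1;
    const char *out;
    if (stored[0] == '$') {
        out = hash(password, stored);
        return out != NULL && strcmp(out, stored) == 0;
    }
    if (strlen(stored) != nchunks * 13) return 0;
    for (i = 0; i < nchunks; i++) {
        char salt[3] = { stored[13 * i], stored[13 * i + 1], '\0' };
        char chunk[9] = { 0 };
        strncpy(chunk, password + 8 * i, 8);      /* chunk[8] stays NUL */
        out = hash(chunk, salt);
        if (!out || strlen(out) != 13 || memcmp(out, stored + 13 * i, 13) != 0)
            return 0;
    }
    return 1;
}

/* Constructed stand-in with crypt's calling shape, NOT a real hash. Like DES
 * crypt it reads 2 salt and 8 key characters; for "$" settings, the whole key. */
char *toy_crypt(const char *key, const char *setting)
{
    static char out[32];
    unsigned long long h = 5381;
    int des = (setting[0] != '$');
    size_t i, n = strlen(key);
    if (des && n > 8) n = 8;
    for (i = 0; des && i < 2; i++) h = h * 33 + (unsigned char)setting[i];
    for (i = 0; i < n; i++) h = h * 33 + (unsigned char)key[i];
    if (des) snprintf(out, sizeof out, "%.2s%011llx", setting, h & 0xfffffffffffULL);
    else snprintf(out, sizeof out, "$T$%016llx", h);
    return out;
}

int main(void)
{
    char stored[32];
    strcpy(stored, toy_crypt("secret", "xy"));   /* constructed entry */
    return !passwd_match("secret", stored, toy_crypt);   /* exit 0 on match */
}
```

In real use, pass `crypt` as the `hash` argument and link with `-lcrypt` where the platform requires it.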
