From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Sep 8 20:15:04 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 193469] New: defective crypt() implementation affects Apache 2.4, possibly 2.2
Date: Mon, 08 Sep 2014 20:15:04 +0000
X-Bugzilla-Product: Ports Tree
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: papowell@astart.com
X-Bugzilla-Status: Needs Triage
X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Content-Type: text/plain; charset="UTF-8"
List-Id: Ports bug reports
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193469

            Bug ID: 193469
           Summary: defective crypt() implementation affects Apache 2.4,
                    possibly 2.2
           Product: Ports Tree
           Version: Latest
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: papowell@astart.com

Another port hit by the defective crypt() implementation for FreeBSD 9.3.

See Apache documentation for authentication:
  http://httpd.apache.org/docs/2.2/howto/auth.html
and
  http://httpd.apache.org/docs/2.4/howto/auth.html

See password formats for Apache 2.4:
  http://httpd.apache.org/docs/2.4/misc/password_encryptions.html

CRYPT

  $ htpasswd -nbd myName myPassword
  myName:rqXexS6ZhobKA

And when run on FreeBSD 9.3:

  $ htpasswd -nbd myName myPassword
  myName:$6$Xaxjf5o0$4qAdV/N7OKPGsqM3KuD7D4HkkneCsAz752VFuDfsoRCV15c2AV295cEtBss9X.zErMK0OLYLS2P7pOzpDGGXY1

Question: does Apache 2.4 recognize this format for encrypted passwords?

Server version: Apache/2.4.10 (FreeBSD)

I put this value into an htpasswd file and discovered that it did not.

From the Apache 2.4 documentation (the Apache 2.2 documentation is almost identical):

  There are five formats that Apache recognizes for basic-authentication
  passwords. Note that not all formats work on every platform:

  bcrypt
    "$2y$" + the result of the crypt_blowfish algorithm. See the APR
    source file crypt_blowfish.c for the details of the algorithm.

  MD5
    "$apr1$" + the result of an Apache-specific algorithm using an
    iterated (1,000 times) MD5 digest of various combinations of a random
    32-bit salt and the password. See the APR source file apr_md5.c for
    the details of the algorithm.

  SHA1
    "{SHA}" + Base64-encoded SHA-1 digest of the password. Insecure.

  CRYPT
    Unix only. Uses the traditional Unix crypt(3) function with a
    randomly-generated 32-bit salt (only 12 bits used) and the first 8
    characters of the password. Insecure.

So it appears that the $6$ is not documented as being valid and using it as an encrypted password value does not work.

-- 
You are receiving this mail because:
You are the assignee for the bug.
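As an added example, not part of the bug report and not Apache or FreeBSD code, the following Python script applies the five documented formats to an htpasswd file: it classifies each entry by its prefix (or by the 13-character shape of a traditional crypt(3) hash), flags entries such as the $6$ hash above that Apache 2.4 does not document (the $6$ prefix is the SHA-512 crypt(3) format the FreeBSD 9.3 htpasswd produced), and checks a candidate password against a {SHA} entry with hashlib. Of the sample lines, the first two are the htpasswd outputs quoted in the report; the $apr1$, $2y$ and {SHA} lines are constructed, and the $apr1$ and $2y$ hash bodies are placeholders, since only the prefix is checked.

```python
"""Lint an htpasswd file against the five password formats Apache 2.4 documents."""
import base64
import hashlib
import hmac
import re

# Constructed sample file. Lines 1-2 are the two outputs quoted in the bug
# report; lines 3-5 are made up (the $apr1$ and $2y$ bodies are placeholders).
SAMPLE_HTPASSWD = """\
myName:rqXexS6ZhobKA
myName:$6$Xaxjf5o0$4qAdV/N7OKPGsqM3KuD7D4HkkneCsAz752VFuDfsoRCV15c2AV295cEtBss9X.zErMK0OLYLS2P7pOzpDGGXY1
alice:$apr1$saltsalt$placeholderhash
bob:$2y$05$placeholdersaltandhashvaluexxxxxxxxxxxxxxxxxxxxxxxxxxx
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

# Traditional crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
_TRAD_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h):
    """Return the Apache 2.4 documented format name, or 'unrecognized'."""
    if h.startswith("$2y$"):
        return "bcrypt"
    if h.startswith("$apr1$"):
        return "md5"
    if h.startswith("{SHA}"):
        return "sha1"
    if _TRAD_CRYPT.match(h):
        return "crypt"
    return "unrecognized"


def lint_htpasswd(text):
    """Return a list of (lineno, user, format, note) for every entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if not sep:
            findings.append((lineno, user, "malformed", "no ':' separator"))
            continue
        fmt = classify_hash(h)
        note = ""
        if fmt == "unrecognized":
            # Modular crypt(3) prefixes such as $6$ (SHA-512) or $5$ (SHA-256)
            # come from the system library, not from Apache's documented list.
            if h.startswith("$") and h.count("$") >= 2:
                prefix = "$" + h.split("$")[1] + "$"
            else:
                prefix = "?"
            note = "'%s' is a system crypt(3) format, not one Apache documents" % prefix
        findings.append((lineno, user, fmt, note))
    return findings


def verify_sha1(password, entry_hash):
    """Check a password against a '{SHA}' entry (base64 of the raw SHA-1 digest)."""
    if not entry_hash.startswith("{SHA}"):
        return False
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    expected = "{SHA}" + base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, entry_hash)


if __name__ == "__main__":
    for lineno, user, fmt, note in lint_htpasswd(SAMPLE_HTPASSWD):
        print("line %d user=%s format=%s %s" % (lineno, user, fmt, note))
    print("carol/password ->", verify_sha1("password", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="))
```

Run against a real htpasswd file by passing its contents to lint_htpasswd; any entry reported as "unrecognized" is one that Apache will silently fail to match, which is exactly the symptom the report describes.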