From owner-freebsd-ports Fri Sep 22 01:06:05 1995
Return-Path: owner-ports
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id BAA19524 for ports-outgoing; Fri, 22 Sep 1995 01:06:05 -0700
Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id BAA19497 ; Fri, 22 Sep 1995 01:05:02 -0700
Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id KAA08220; Fri, 22 Sep 1995 10:08:37 +0200
From: Luigi Rizzo
Message-Id: <199509220808.KAA08220@labinfo.iet.unipi.it>
Subject: A crypt problem
To: questions@freebsd.org
Date: Fri, 22 Sep 1995 10:08:36 +0200 (MET DST)
Cc: ports@freebsd.org
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1805
Sender: owner-ports@freebsd.org
Precedence: bulk

[this has been crossposted to ports, because it is of some relevance
there]

I have a question on the use of MD5 crypt routines in cern_httpd. I
suspect the problem also arises with other software packages which use
crypt().

The cern package assumes the presence of DES crypt, and uses multiple
invocations of the crypt routine to encode the password and then compare
it with the correct one. The code is the following (in
/usr/ports/net/cern_httpd/work/WWW/Daemon/Implementation/HTPasswd.c):

    while (len > 0) {
        char *tmp, salt[3], chunk[9];
        CONST char *cur1 = password, *cur2 = encrypted;

        salt[0] = *cur2;
        salt[1] = *(cur2+1);
        salt[2] = (char)0;

        strncpy(chunk, cur1, 8);
        chunk[8] = (char)0;

        tmp = crypt((char*)password, salt);
        strcat(result, tmp);

        cur1 += 8;
        cur2 += 13;
        len -= 13;
    } /* while */

    status = strncmp(result, encrypted, strlen(encrypted));

This does not work with MD5, so I had to replace it with the following
simple sequence (MD5 can deal with strings longer than 8 chars):

    result=crypt(password, encrypted);
    status = strcmp(result, encrypted);

My question is: would the above work with DES crypt? I don't have DES
installed, so I cannot try it.

If the code works, then this is something that should be fixed on
cern_httpd and possibly other ports which use crypt.

        Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522              http://www.iet.unipi.it/~luigi/
====================================================================
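
Added example, not part of the original message and not cern_httpd code: a sketch of the one-call check from the mail, run against two stand-in hash functions so it needs no crypt library. toy_des and toy_md5 are hypothetical names and are not real hashes; they copy only the input handling of the two schemes (DES crypt reads two salt characters and the first eight password characters, MD5 crypt reads the salt between "$1$" and the next "$" and the whole password), which is enough to show that each scheme recovers its salt from the stored entry.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for crypt(3), NOT real hashes; all names are hypothetical. */
typedef const char *(*crypt_fn)(const char *key, const char *setting);
static const char A64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* Hash the prefix already in out (the salt) plus key[0..kl), append n chars. */
static void digest(char *out, const char *key, size_t kl, int n) {
    uint32_t h = 2166136261u;
    size_t i, o = strlen(out);
    for (i = 0; i < o + kl; i++)
        h = (h ^ (unsigned char)(i < o ? out[i] : key[i - o])) * 16777619u;
    for (; n-- > 0; h >>= 6) out[o++] = A64[h & 63];
    out[o] = '\0';
}
/* DES-style: 2-char salt, key cut at 8 chars, 13-char result. */
static const char *toy_des(const char *key, const char *setting) {
    static char out[14];
    if (strlen(setting) < 2) return NULL;
    memcpy(out, setting, 2);
    out[2] = '\0';
    digest(out, key, strlen(key) > 8 ? 8 : strlen(key), 11);
    return out;
}
/* MD5-style: "$1$<salt up to 8 chars>$", whole key significant. */
static const char *toy_md5(const char *key, const char *setting) {
    static char out[40];
    if (strncmp(setting, "$1$", 3) != 0) return NULL;
    size_t sl = strcspn(setting + 3, "$");
    snprintf(out, sizeof out, "$1$%.*s$", (int)(sl > 8 ? 8 : sl), setting + 3);
    digest(out, key, strlen(key), 22);
    return out;
}

/* Enroll pw under setting, then verify guess with the mail's one-call
   check: the stored entry itself is passed as the salt argument. */
int check_with(crypt_fn f, const char *pw, const char *setting, const char *guess) {
    char stored[40];
    const char *r = f(pw, setting);
    if (r == NULL) return -1;           /* setting not in this scheme's format */
    strcpy(stored, r);
    r = f(guess, stored);
    return r != NULL && strcmp(r, stored) == 0;
}

int main(void) {
    printf("%d %d\n", check_with(toy_des, "secret12A", "ab", "secret12B"),
           check_with(toy_md5, "secret12A", "$1$xy$", "secret12B"));
    return 0;
}
```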