
Wrong naming of password hash fns (ITS#2093)



Full_Name: Rick van Rein
Version: all
OS: FreeBSD
URL: 
Submission from: (NULL) (130.89.15.246)


Hello folks,

This is a matter of using the wrong name for a hash algorithm.  SHA should be
SHA1 in slappasswd.

The sha algorithm was a predecessor to sha1, and it is a different algorithm
(AFAIK, sha1 solved a security issue in sha).

Try
  echo -n tralala | openssl sha  -binary | mimencode
  echo -n tralala | openssl sha1 -binary | mimencode
to see the difference in outcome, respectively:
  Ec+su2hndQhOFygzY00gPCUnwBE=
  uzH7/4+skcF+5gUtmAhObmMYSFk=

Now try encrypting with slappasswd,
  slappasswd -s tralala -h '{SHA}'
and see that the result is
  {SHA}uzH7/4+skcF+5gUtmAhObmMYSFk=
this is the SHA1 hash, but it's been named SHA.   That's wrong and confusing.

Also, I was not particularly pleased by the reference from slappasswd's man page
to an RFC.  The general idea of a man page (as I see it) is that it is
self-contained.  Would you like me to rewrite the page (with the change from
SHA to SHA1 included)?


Cheers,
Rick van Rein.
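To make the point of the report concrete, here is an added example (my own code, not OpenLDAP's and not part of the original message) that builds and verifies userPassword values in the {SHA} scheme slappasswd produces, and in the salted {SSHA} variant the tool also supports. It assumes, as the report states, that {SHA} is the base64 of the raw SHA-1 digest and that {SSHA} is the base64 of SHA-1(password || salt) followed by the salt; the function names, the 4-byte salt length and the sample password "tralala" are my choices, and the posted {SHA} value is only fed to the verifier in the demo, not treated as known output.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ldap_sha(password: bytes) -> str:
    """{SHA} scheme: base64 of the raw 20-byte SHA-1 digest.

    This is what the report describes slappasswd -h '{SHA}' emitting:
    SHA-1, despite the label saying only "SHA".
    """
    digest = hashlib.sha1(password).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """{SSHA} scheme: base64 of SHA-1(password || salt) with the salt appended.

    A fixed salt may be passed for reproducible tests; otherwise 4 random
    bytes are used (salt length is this example's choice, not a standard).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: bytes) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value.

    Raises ValueError for a missing or unsupported scheme prefix; returns
    False for a malformed payload or a non-matching password.  The final
    comparison is constant-time so the check does not leak which bytes of
    the digest matched.
    """
    if not stored.startswith("{"):
        raise ValueError("stored value has no {scheme} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, base64.binascii.Error):
        return False

    if scheme == "SHA":
        if len(raw) != hashlib.sha1().digest_size:
            return False
        expected = hashlib.sha1(password).digest()
        actual = raw
    elif scheme == "SSHA":
        n = hashlib.sha1().digest_size
        if len(raw) <= n:
            return False
        actual, salt = raw[:n], raw[n:]
        expected = hashlib.sha1(password + salt).digest()
    else:
        raise ValueError("unsupported password scheme: {%s}" % scheme)

    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = b"tralala"
    print(ldap_sha(pw))
    print(ldap_ssha(pw))
    # The value the report says slappasswd printed for {SHA}; the demo only
    # reports whether it verifies as SHA-1 of the sample password.
    posted = "{SHA}uzH7/4+skcF+5gUtmAhObmMYSFk="
    print("posted {SHA} value verifies as SHA-1:", verify(posted, pw))
```

Running the script prints a freshly computed {SHA} value for "tralala" next to a randomly salted {SSHA} one; comparing the first line with the value quoted in the report is the quickest way to confirm for yourself which algorithm the {SHA} label actually denotes.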