NS-MTA-MD5 broken in HEAD, RELENG_2_1, RELENG_2_2 (ITS#2899)



Full_Name: John Morrissey
Version: HEAD
OS: N/A
URL: http://horde.net/~jwm/software/misc/openldap-fix-nsmta-bustage.patch
Submission from: (NULL) (24.93.15.178)


The length check on passwd->bv_len for NS-MTA-MD5 hashes is incorrect. An
NS-MTA-MD5 password consists of 32 hex digits of MD5 hash (LUTIL_MD5_BYTES * 2)
followed by 32 hex digits of salt. Checking this 64-byte length for 32 bytes
causes authentication of this type of hash to fail.

Patch is at http://horde.net/~jwm/software/misc/openldap-fix-nsmta-bustage.patch.

I chose to use LUTIL_MD5_BYTES*2+32 instead of LUTIL_MD5_BYTES*4 because I don't
think it's semantically correct to assume that the salt length correlates with
the length of an MD5 hash.
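
The value layout described in the report, as an added example that is not part of the original submission or of the OpenLDAP source: a small validator that applies the 64-digit length check and splits the value into hash and salt. All `nsmta_*` names and the sample value are hypothetical; `MD5_BYTES` stands in for `LUTIL_MD5_BYTES`, and the scheme prefix is assumed to have been removed already.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MD5_BYTES 16                    /* stand-in for LUTIL_MD5_BYTES (32 hex digits = 16 bytes) */
#define NSMTA_HASH_HEX (MD5_BYTES * 2)  /* 32 hex digits of MD5 hash */
#define NSMTA_SALT_HEX 32               /* 32 hex digits of salt, not derived from the hash size */
#define NSMTA_TOTAL (NSMTA_HASH_HEX + NSMTA_SALT_HEX)

/* Hypothetical holder for the two halves of a stored value. */
struct nsmta_parts {
    char hash_hex[NSMTA_HASH_HEX + 1];
    char salt_hex[NSMTA_SALT_HEX + 1];
};

/* Length test as the report describes the bug: a 64-byte value compared to 32. */
int nsmta_len_ok_reported(size_t len) { return len == NSMTA_HASH_HEX; }

/* Length test using the expression the report proposes, LUTIL_MD5_BYTES*2+32. */
int nsmta_len_ok_fixed(size_t len) { return len == NSMTA_TOTAL; }

/* Split a stored value into hash and salt. val need not be NUL-terminated.
 * Returns 0 on success, -1 on wrong length or a non-hex character. */
int nsmta_parse(const char *val, size_t len, struct nsmta_parts *out)
{
    size_t i;

    if (val == NULL || out == NULL || !nsmta_len_ok_fixed(len))
        return -1;
    for (i = 0; i < len; i++)
        if (!isxdigit((unsigned char)val[i]))
            return -1;

    memcpy(out->hash_hex, val, NSMTA_HASH_HEX);
    out->hash_hex[NSMTA_HASH_HEX] = '\0';
    memcpy(out->salt_hex, val + NSMTA_HASH_HEX, NSMTA_SALT_HEX);
    out->salt_hex[NSMTA_SALT_HEX] = '\0';
    return 0;
}

/* Constructed sample (not a real credential): 32 hash digits, then 32 salt digits. */
static const char NSMTA_SAMPLE[] =
    "0123456789abcdef0123456789abcdef"
    "fedcba9876543210fedcba9876543210";
```
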