[Date Prev][Date Next] [Chronological] [Thread] [Top]

NS-MTA-MD5 broken in HEAD, RELENG_2_1, RELENG_2_2 (ITS#2899)

Full_Name: John Morrissey
Version: HEAD
URL: http://horde.net/~jwm/software/misc/openldap-fix-nsmta-bustage.patch
Submission from: (NULL) (

The length check on passwd->bv_len for NS-MTA-MD5 hashes is incorrect. An
MS-MTA-MD5 password consists of 32 hex digits of MD5 hash (LUTIL_MD5_BYTES * 2)
followed by 32 hex digits of salt. Checking this 64-byte length for 32 bytes
causes authentication of this type of has to fail.

Patch is at http://horde.net/~jwm/software/misc/openldap-fix-nsmta-bustage.patch.

I chose to use LUTIL_MD5_BYTES*2+32 instead of LUTIL_MD5_BYTES*4 because I don't
think it's semantically correct to assume that the salt length correlates with
the length of an MD5 hash.