
Re: OpenLDAP To Do List

> Create ldappasswd to support generation of crypt, sha1, md5 passwords.

I've started working on ldappasswd and have come up with a possible bug in
ldap/servers/slapd/back-ldbm/bind.c.  The source uses an MD5digest of 160
bits.  Last time I read, MD5 was a 128-bit algorithm.  (pg 436, Applied
Cryptography, 2nd Edition) To test this out, I initialized two MD5digests to
'a' and to 'b', ran them through base64encode and came out with different results
in the last few bytes.  In theory, it should make no difference what MD5 is
initialized to (which is why it isn't initialized).  But when it goes through
the base64 encoding, the extra stuff at the end DOES matter and a password
comparison will fail.  When the variable in bind.c gets declared there can be
some garbage in there that gets base64encoded differently every time even
though the MD5 hash was 100% on target.

To fix, declaring the variables (starting on line 58 of bind.c) as,

    unsigned char MD5digest[16];
    char base64digest[25];

instead of [20], [29] respectively, should work fine.

For those of you that celebrate, Happy Thanksgiving.  (And for the vegans, have
another sweet potato!)
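The following is an added example, not code from bind.c or from the OpenLDAP tree, that reproduces the effect described in the post with a small standalone base64 encoder. It shows where the 25 and 29 come from (4 characters per 3 input bytes, rounded up, plus a NUL), and that encoding all 20 bytes of an oversized buffer lets the 4 trailing bytes change the result even though the first 16 bytes are the same digest. The digest value used is the well-known MD5 of the empty string (d41d8cd98f00b204e9800998ecf8427e); the 'a' and 'b' filler bytes are constructed stand-ins for whatever happens to be on the stack. The function names are this example's own, not bind.c's.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MD5_LEN  16   /* MD5 is a 128-bit digest: 16 bytes */
#define LDBM_LEN 20   /* the oversized buffer the post describes */

/* Bytes needed to hold the base64 encoding of n input bytes, NUL included.
 * base64_buf_len(16) == 25 and base64_buf_len(20) == 29, the two sizes in the post. */
size_t base64_buf_len(size_t n) {
    return 4 * ((n + 2) / 3) + 1;
}

/* Minimal base64 encoder (standard alphabet, '=' padding). out must hold
 * base64_buf_len(n) bytes. Returns the number of characters written, NUL excluded. */
size_t base64_encode(const unsigned char *in, size_t n, char *out) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i = 0, o = 0;
    for (; i + 2 < n; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];
        out[o++] = tbl[v & 63];
    }
    if (n - i == 1) {                       /* one byte left: two chars + "==" */
        uint32_t v = (uint32_t)in[i] << 16;
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (n - i == 2) {                /* two bytes left: three chars + "=" */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8);
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
    return o;
}

/* Known MD5 of the empty string, used as a fixed digest so the example runs
 * without a hash library. */
static const unsigned char empty_md5[MD5_LEN] = {
    0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
    0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
};

/* The post's proposed sizing: exactly 16 digest bytes into a 25-byte buffer. */
size_t encode_digest_16(const unsigned char digest[MD5_LEN], char out[25]) {
    return base64_encode(digest, MD5_LEN, out);
}

/* Put the same digest into two 20-byte buffers whose last 4 bytes differ
 * (constructed filler standing in for stack garbage). Returns 1 when encoding
 * all 20 bytes yields different strings, i.e. the same hash would compare unequal. */
int tail_bytes_change_encoding(void) {
    unsigned char a[LDBM_LEN], b[LDBM_LEN];
    char ea[29], eb[29];
    memset(a, 'a', sizeof a);
    memset(b, 'b', sizeof b);
    memcpy(a, empty_md5, MD5_LEN);
    memcpy(b, empty_md5, MD5_LEN);
    base64_encode(a, LDBM_LEN, ea);
    base64_encode(b, LDBM_LEN, eb);
    return strcmp(ea, eb) != 0;
}

/* Same two buffers, but only the 16 digest bytes are encoded: the trailing
 * filler no longer matters. Returns 1 when both encodings are identical. */
int correct_size_encoding_is_stable(void) {
    unsigned char a[LDBM_LEN], b[LDBM_LEN];
    char ea[25], eb[25];
    memset(a, 'a', sizeof a);
    memset(b, 'b', sizeof b);
    memcpy(a, empty_md5, MD5_LEN);
    memcpy(b, empty_md5, MD5_LEN);
    base64_encode(a, MD5_LEN, ea);
    base64_encode(b, MD5_LEN, eb);
    return strcmp(ea, eb) == 0;
}

int main(void) {
    char out[25];
    encode_digest_16(empty_md5, out);
    printf("base64(16-byte digest) = %s (%zu chars, buffer %zu)\n",
           out, strlen(out), base64_buf_len(MD5_LEN));
    printf("20-byte encodings differ with different tail bytes: %d\n",
           tail_bytes_change_encoding());
    printf("16-byte encodings stable regardless of tail bytes: %d\n",
           correct_size_encoding_is_stable());
    return 0;
}
```

The stable encoding of the 16-byte digest is the 24-character string 1B2M2Y8AsgTpgAmY7PhCfg==, which is why a 25-byte base64digest buffer is enough once MD5digest is 16 bytes; with the 20/29 sizing, the last 4 input bytes feed the sixth and seventh output groups, so the encoded password changes from run to run and the compare fails.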