[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7869) [PATCH] contrib passwd/apr1 do_phk_hash arguments

Howard Chu wrote:
> ryan@nardis.ca wrote:
>> Full_Name: Ryan Tandy
>> Version: master/33e12f4 RE24/b000d95
>> OS: Debian unstable
>> URL:
>> Submission from: (NULL) (
>> Hi,
>> The apr1 passwd plugin calls do_phk_hash with the arguments in the wrong order,
>> so the digest updates are done in a different order than md5crypt does. The
>> following patch fixes that, restoring compatibility with existing htpasswd
>> files.
>> However, existing {APR1} hashes that were generated while the bug existed are
>> going to be broken...  I'm not sure what to do about that. :/
> According to ITS#6826, where this code came from originally, the generated
> {APR1} hashes are currently compatible with htpasswd. As such, your patch
> would break htpasswd compatibility. As such it seems like a bad idea to commit
> your change.

I've also confirmed, using perl Crypt::PasswdMD5, that the hashes generated by 
the current code are compatible. In particular, a password generated by this 

use strict;
use warnings;
use Crypt::PasswdMD5;

my($password)       = 'seekrit';
my($salt)           = 'pepperoni';
my($unix_crypted)   = unix_md5_crypt($password, $salt);
my($apache_crypted) = apache_md5_crypt($password, $salt);

print "$unix_crypted\n";
print "$apache_crypted\n";

can be converted to OpenLDAP {BSDMD5} and {APR1} format, respectively, and 
matches the output generated by the current module using the same salt and 

Rejecting this patch, closing this ITS.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/