apr-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45679] SHA1 passwords starting with {SHA} don't work and cause a minor buffer overrun
Date Tue, 26 Aug 2008 07:15:59 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45679





--- Comment #6 from Ben Noordhuis <bnoordhuis@gmail.com>  2008-08-26 00:15:58 PST ---
> Maybe long, long time ago someone wanted to
> identify SHA1 password hashing by passing that
> prefix in front of clear passwords or something.
> No idea...

That thought struck me as well but. grepping through the source, I don't find
anything that would require - let alone justify - stripping the prefix (see
below). So what do we do now? I still think those three lines have to go.

$ find . -name '*.c' | xargs egrep '(apr_sha1_base64|ap_hack_apr_sha1_base64)'
./support/htpasswd.c:        apr_sha1_base64(pw,strlen(pw),cpw);
./support/htdbm.c:           
apr_sha1_base64(htdbm->userpass,strlen(htdbm->userpass),cpw);
./srclib/apr-util/crypto/apr_md5.c: * crypt() (if available) or
apr_md5_encode() or apr_sha1_base64(), depending
./srclib/apr-util/crypto/apr_md5.c:        apr_sha1_base64(passwd,
(int)strlen(passwd), sample);
./srclib/apr-util/crypto/apr_sha1.c: *   apr_sha1_base64(const char *clear, int
len, char *out);
./srclib/apr-util/crypto/apr_sha1.c:APU_DECLARE(void) apr_sha1_base64(const
char *clear, int len, char *out)
./srclib/apr-util/exports.c:const void *ap_hack_apr_sha1_base64 = (const void
*)apr_sha1_base64;
./srclib/apr-util/test/testpass.c:    apr_sha1_base64(pass, (int)strlen(pass),
hash);
./server/exports.c:const void *ap_hack_apr_sha1_base64 = (const void
*)apr_sha1_base64;


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org


Mime
View raw message