Return-Path: Delivered-To: apmail-apr-bugs-archive@www.apache.org Received: (qmail 68789 invoked from network); 26 Aug 2008 07:16:20 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 26 Aug 2008 07:16:20 -0000 Received: (qmail 67405 invoked by uid 500); 26 Aug 2008 07:16:18 -0000 Delivered-To: apmail-apr-bugs-archive@apr.apache.org Received: (qmail 67388 invoked by uid 500); 26 Aug 2008 07:16:18 -0000 Mailing-List: contact bugs-help@apr.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@apr.apache.org Delivered-To: mailing list bugs@apr.apache.org Received: (qmail 67377 invoked by uid 99); 26 Aug 2008 07:16:18 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Aug 2008 00:16:18 -0700 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Aug 2008 07:15:29 +0000 Received: by brutus.apache.org (Postfix, from userid 33) id 98A5C234C1B3; Tue, 26 Aug 2008 00:15:59 -0700 (PDT) From: bugzilla@apache.org To: bugs@apr.apache.org Subject: DO NOT REPLY [Bug 45679] SHA1 passwords starting with {SHA} don't work and cause a minor buffer overrun X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: newchanged X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: APR X-Bugzilla-Component: APR-util X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: bnoordhuis@gmail.com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: bugs@apr.apache.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Changed-Fields: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Message-Id: <20080826071559.98A5C234C1B3@brutus.apache.org> Date: Tue, 26 Aug 2008 00:15:59 -0700 (PDT) X-Virus-Checked: Checked by ClamAV on apache.org https://issues.apache.org/bugzilla/show_bug.cgi?id=45679 --- Comment #6 from Ben Noordhuis 2008-08-26 00:15:58 PST --- > Maybe long, long time ago someone wanted to > identify SHA1 password hashing by passing that > prefix in front of clear passwords or something. > No idea... That thought struck me as well but. grepping through the source, I don't find anything that would require - let alone justify - stripping the prefix (see below). So what do we do now? I still think those three lines have to go. $ find . -name '*.c' | xargs egrep '(apr_sha1_base64|ap_hack_apr_sha1_base64)' ./support/htpasswd.c: apr_sha1_base64(pw,strlen(pw),cpw); ./support/htdbm.c: apr_sha1_base64(htdbm->userpass,strlen(htdbm->userpass),cpw); ./srclib/apr-util/crypto/apr_md5.c: * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending ./srclib/apr-util/crypto/apr_md5.c: apr_sha1_base64(passwd, (int)strlen(passwd), sample); ./srclib/apr-util/crypto/apr_sha1.c: * apr_sha1_base64(const char *clear, int len, char *out); ./srclib/apr-util/crypto/apr_sha1.c:APU_DECLARE(void) apr_sha1_base64(const char *clear, int len, char *out) ./srclib/apr-util/exports.c:const void *ap_hack_apr_sha1_base64 = (const void *)apr_sha1_base64; ./srclib/apr-util/test/testpass.c: apr_sha1_base64(pass, (int)strlen(pass), hash); ./server/exports.c:const void *ap_hack_apr_sha1_base64 = (const void *)apr_sha1_base64; -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org For additional commands, e-mail: bugs-help@apr.apache.org