apr-dev mailing list archives

From Stas Bekman <s...@stason.org>
Subject apr_password_validate on win32 silently mishandles crypted hashes
Date Wed, 26 May 2004 19:40:04 GMT
I thought that P in APR stands for Portable, but I guess it is not quite true.

I wrote code using apr_password_validate and it works perfectly fine on linux, 
but it doesn't on windows. apr_password_validate can't handle crypted hashes 
on several platforms which don't have this function:

#if defined(WIN32) || defined(BEOS) || defined(NETWARE)
         apr_cpystrn(sample, passwd, sizeof(sample) - 1);

Why is this function in the public API then? Granted it's useful for checking 
md5 checksums and base64 encodes, but for crypt inputs it doesn't give users 
any indication whether it does the verification or not. On the listed three 
platforms it silently does nothing.

Maybe the function should be renamed apr_checksum_validate and do just that? 
If crypt is not supported, the word password is very misleading. Besides, the 
documentation must be more specific than just saying:

  * Validate any password encypted with any algorithm that APR understands
  * @param passwd The password to validate
  * @param hash The password to validate against

APR doesn't commit here to what algorithms it actually understands, leaving 
the user in need to go and read the source code to figure that out. IMHO, it 
should say:

  * Validate hashes created by APR supported algorithms: md5 and base64.
  * hashes created by crypt are supported only on platforms that provide
  * crypt(3), so don't rely on that function unless you know that your
  * application will be run only on platforms that support it.
  * @param passwd The password to validate
  * @param hash The password to validate against

And the function should assert if a crypted hash is attempted to be verified on 
platforms that don't support it.

Steve Hay, who originally reported this problem, suggests that apr may want to 
include the implementation of fcrypt, which is how perl provides the crypt() 
function on win32 starting from 5.9.1.

Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
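As an added example (not APR's or the poster's code), a small C guard that classifies the stored hash and returns an explicit "unsupported" status for crypt(3) hashes on the three platforms named above, rather than letting the check silently fail; `guarded_password_validate`, the `PV_*` codes and `demo_validate` are assumed names, and the `$apr1$` / `{SHA}` prefixes are the ones APR's MD5 and SHA-1 encoders emit.

```c
/* Added example, not APR code: fail loudly for crypt(3)-style hashes on
 * builds that cannot verify them instead of returning a silent mismatch. */
#include <string.h>

typedef enum {
    HASH_APR_MD5,   /* "$apr1$..." written by apr_md5_encode()            */
    HASH_SHA1,      /* "{SHA}..." base64 SHA-1 written by apr_sha1_base64() */
    HASH_CRYPT      /* anything else: traditional crypt(3) output           */
} hash_kind;

/* Wrapper status codes (hypothetical, modelled on APR's int status style). */
#define PV_OK          0
#define PV_MISMATCH    1
#define PV_UNSUPPORTED 2

/* Same platform test the mail quotes from apr_password_validate(). */
#if defined(WIN32) || defined(BEOS) || defined(NETWARE)
#define PLATFORM_HAS_CRYPT 0
#else
#define PLATFORM_HAS_CRYPT 1
#endif

hash_kind classify_hash(const char *hash)
{
    if (strncmp(hash, "$apr1$", 6) == 0) return HASH_APR_MD5;
    if (strncmp(hash, "{SHA}", 5) == 0)  return HASH_SHA1;
    return HASH_CRYPT;
}

/* have_crypt is a parameter so the win32 path can be exercised on any host;
 * real callers pass PLATFORM_HAS_CRYPT. */
int hash_verifiable(hash_kind kind, int have_crypt)
{
    return kind != HASH_CRYPT || have_crypt;
}

/* validate is apr_password_validate() or a stand-in; 0 means "matched". */
int guarded_password_validate(const char *passwd, const char *hash,
                              int (*validate)(const char *, const char *),
                              int have_crypt)
{
    if (!hash_verifiable(classify_hash(hash), have_crypt))
        return PV_UNSUPPORTED;   /* explicit error, never a silent mismatch */
    return validate(passwd, hash) == 0 ? PV_OK : PV_MISMATCH;
}

/* Constructed stand-in for apr_password_validate() so the guard runs offline:
 * accepts only the constructed password "secret". */
int demo_validate(const char *passwd, const char *hash)
{
    (void)hash;
    return strcmp(passwd, "secret") == 0 ? 0 : 1;
}
```

In real code pass `apr_password_validate` and `PLATFORM_HAS_CRYPT`; the hash strings in the test are constructed samples, not real digests.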
