apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <...@rkbloom.net>
Subject Re: apr_password_validate on win32 silently mishandles crypted hashes
Date Thu, 27 May 2004 12:47:18 GMT
On Thu, 27 May 2004, Geoffrey Young wrote:

>
> > I beg your pardon, gentlemen. Would you be so kind to decide first
> > between yourself whether this is a bug or not? According to Ryan it's
> > not a bug, according to your comment above, Bill, it is.
>
> I think there is a bug lurking around, at least someplace.
>
> while I've been up most of the night, so I might not be thinking clearly, it
> seems as though if someone were to move a unix-generated crypt .htpasswd
> file to win32, mod_auth's call to apr_password_validate would end up simply
> comparing the two values for equality.  meaning that passing the actual hash
> as cleartext would succeed.  at least that's what I see when I boil down the
> logic.
>
> APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd,
>                                                 const char *hash)
> {
> ...
>     else {
>         /*
>          * It's not our algorithm, so feed it to crypt() if possible.
>          */
> #if defined(WIN32) || defined(BEOS) || defined(NETWARE)
>         apr_cpystrn(sample, passwd, sizeof(sample) - 1);
> ...
>     return (strcmp(sample, hash) == 0) ? APR_SUCCESS : APR_EMISMATCH;
> }

This should move to the httpd list, but since I wrote this code originally
for 1.3, I'll just answer it here.  Apache on Windows doesn't support
.htpasswd files that were generated on Unix using crypt().  It never has.
Yes, if you try to use it, and send the crypt() encoded password, it will
succeed.  But, that just doesn't happen in practice.  In practice, people
try to copy their .htpasswd file to Windows, try sending the real password
as a test to make sure things work.  When it doesn't. they either ask
questions or read the htpasswd docs which are quite clear that crypt
passwords don't work on Windows.  There may be other docs, but I just
looked where I knew they were.

Ryan


Mime
View raw message