httpd-dev mailing list archives

From Rasmus Lerdorf <>
Subject Re: basic auth broken
Date Mon, 01 Feb 1999 04:35:55 GMT
> This whole issue is about how we can tell, while reading it, if the
> password we are reading from the htpasswd file is in native or portable
> format.

Ok, I guess I got lost somewhere along the way then.  I thought that
particular concept was known.  Through experimentation and as per my
earlier post, this is what I have found:

Standard DES: 13 chars, the first two chars are the SALT and the rest is the encoded string
          eg: rl.3StKT.4T8M

Extended DES: 20 chars, the first 9 chars are the SALT and the rest is the encoded string
          eg: _J9..rasmBYk8r9AiWNc

MD5: 34 chars made up of $1$ + 8 chars of SALT + $ + encoded string
          eg: $1$rasmusle$rISCgZzpwk3UhDidwXvin0

BlowFish: 60 chars, $2a$07$ + 9 chars of SALT + encoded string
          eg: $2a$07$rasmuslerO............gl95GkTKn53Of.H4YchXl5PwvvW.5ri

I guess as far as we are concerned we should just make sure that the MD5
encoded string we generate matches the MD5 case above.  I have tested that
one on OpenBSD, FreeBSD and Linux.  Those were the only platforms I could
find out of the set I have access to that supported MD5 natively in their
crypt() function.

Currently in htpasswd.c it is generating a 2-char salt for the md5
encoding and the ap_MD5Encode() function only groks a 2-char salt.  Like
you said, yank the MD5Encode() code out of crypt.c on FreeBSD or Linux
(since they seem to be using the same algorithm) and change htpasswd.c to
generate a salt with something like:

        strcpy(salt, "$1$");
        to64(&salt[3], rand(), 4);
        to64(&salt[7], rand(), 4);
        strcpy(&salt[11], "$");

And call this the portable format.  It should correspond to the native
formats on the systems that have an MD5-capable crypt() function.
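The format-detection rule and the salt construction from the message above, worked through as an added example (my code, not anything from the thread or from htpasswd.c). It assumes the BSD-style to64() contract the message refers to, and it lets the MD5 salt be anything up to 8 chars terminated by '$', which is what crypt(3) actually accepts; the DES, extended DES and Blowfish cases are distinguished purely by prefix and length, as the message describes.

```c
#include <stdio.h>
#include <string.h>

typedef enum { FMT_UNKNOWN, FMT_DES, FMT_EXT_DES, FMT_MD5, FMT_BLOWFISH } pw_format;

/* crypt(3) base-64 alphabet shared by all the formats discussed above */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Same contract as the BSD crypt to64(): emit n chars of v, 6 bits per char. */
static void to64(char *s, unsigned long v, int n) {
    while (--n >= 0) { *s++ = itoa64[v & 0x3f]; v >>= 6; }
}

/* Portable MD5 salt: "$1$" + 8 chars + "$" (12 chars + NUL).  The random
 * words are parameters so the caller decides where entropy comes from. */
void md5_salt(char *salt, unsigned long r1, unsigned long r2) {
    strcpy(salt, "$1$");
    to64(&salt[3], r1, 4);
    to64(&salt[7], r2, 4);
    strcpy(&salt[11], "$");
}

/* Convenience wrapper returning a static buffer for quick checks. */
const char *md5_salt_str(unsigned long r1, unsigned long r2) {
    static char buf[13];
    md5_salt(buf, r1, r2);
    return buf;
}

/* Decide which crypt() format an htpasswd field is in from prefix and length. */
pw_format classify(const char *h) {
    size_t n = strlen(h);
    if (strncmp(h, "$1$", 3) == 0) {
        const char *end = strchr(h + 3, '$');            /* salt terminator */
        if (!end || end - (h + 3) > 8) return FMT_UNKNOWN; /* salt is at most 8 chars */
        return strlen(end + 1) == 22 ? FMT_MD5 : FMT_UNKNOWN; /* 22-char encoded digest */
    }
    if (strncmp(h, "$2a$", 4) == 0) return n == 60 ? FMT_BLOWFISH : FMT_UNKNOWN;
    if (h[0] == '_') return n == 20 ? FMT_EXT_DES : FMT_UNKNOWN;
    if (n == 13) return FMT_DES;
    return FMT_UNKNOWN;
}

int main(void) {
    /* constructed values standing in for rand(); constructed hash from the message */
    printf("salt: %s\n", md5_salt_str(0x2a2a2aUL, 0x5f5f5fUL));
    printf("format: %d\n", classify("$1$rasmusle$rISCgZzpwk3UhDidwXvin0"));
    return 0;
}
```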
