httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Life is hard, and then you die." <ron...@innovation.ch>
Subject Re: PATCH: ap_md5c.c understands SHA1 (Netscape web server) passwords
Date Sun, 01 Aug 1999 04:41:38 GMT

> >Thanks for sharing this Clinton. 1.3.7 has just been completed, so
> >we'll attempt to add this to a future release.
> 
> There is a different implementation of SHA1 in the new digest auth
> patches, using separate ap_sha1.c+.h files.  I have no idea how they
> compare, but I know it doesn't belong in ap_md5.c.

I had a quick look at the patch. Basically they're comparable, with
most differences in the external API. Here's my (biased, of course)
result:

([1] refers to the implementation I posted with the mod_digest stuff,
[2] refers the patch supplied earlier in this thread).

Speed: both implementations are identical, if you take the wiping of
       intermediate variables out of the transform function in [1].
       This wiping is for security sensitive applications, and could
       arguably be removed. The speed penalty for the wipe is about
       1.5%.

Functionality: [2] contains both binary and ascii versions of the
	       update function, with the two only different for
	       ebcdic machines. [1] adds the sha1 stuff to
	       ap_validate_password.

Interface: I rewrote the original code that [1] is based on to have
	   the same interface as the md5 stuff (modulo MD5 -> SHA1
	   in the names). [2] is similar, but not quite the same.

Either can be converted into the other in about 10 minutes.


  Cheers,

  Ronald


Mime
View raw message