You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Kathleen Thiel <th...@pinky.acsu.buffalo.edu> on 2000/06/05 23:07:53 UTC

general/6149: ap_MD5 calls return a null for some combinations of username/password

>Number:         6149
>Category:       general
>Synopsis:       ap_MD5 calls return a null for some combinations of username/password
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jun 05 14:10:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     thiel@pinky.acsu.buffalo.edu
>Release:        1.3.12
>Organization:
apache
>Environment:
SunOS fitproxy.acsu.buffalo.edu 5.6 Generic_105181-17 sun4u sparc SUNW,Ultra-4
>Description:
I am currently running apache1.3.12 and am using the DCE authentication 
module from Paul Henson (auth_dce 2.5). He uses the following calls in the auth_dce
code that are returning an empty string for various combinations of usernames a
and passwords:

(We wrote a small program using the calls that we could run at
the command line)
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_protocol.h"
#include "util_script.h"
#include "ap_md5.h"

int main(int argc, char **argv) {
  AP_MD5_CTX md5_context;
  unsigned char input_digest[16];
      
  ap_MD5Init(&md5_context);
  ap_MD5Update(&md5_context, (const unsigned char *)argv[1], strlen(argv[1]));
  ap_MD5Update(&md5_context, (const unsigned char *)argv[2], strlen(argv[2]));
  ap_MD5Final(input_digest, &md5_context);

  printf("%s\n", input_digest);
}

Unfortunately, I can not give you an example because the strings
we have tried because they are actual usernames/passwords of users at UB.

The problem is that the auth_dce code uses this output as a hash
in a DCE credential array. Users that fall into this catagory (get
an empty string back) all hash to the same set of credentials.

I understand the problem is with the auth_dce module, but it is caused
by the ap_MD5* calls. Shouldn't every string pair return a unique
hash?

Thanks
Kathleen



>How-To-Repeat:
Code above, but I can not give you example strings.
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]