Posted to modperl@perl.apache.org by ha...@cathand.com on 2004/03/04 01:55:01 UTC

funny action of crypt

Hi

I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
and some CGI scripts with password encryption.

Script is ...

$password = crypt($password, &mkSalt($name.$password.$value) );

sub mkSalt {
  local($t, $sum, @salt ) = @_;
  @salt = split(//,
'./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
  if ($t) {
    $sum = unpack("%12C*", $t);
  } else { # when the handle is empty
    return 'No';
  }
  $salt[$sum % 64] . $salt[int($sum/64) % 64];
}

When the local password file is compared with the password POSTed by users,
they do not match.

This script works fine without mod_perl but not with mod_perl.
It was working fine with mod_perl, but it suddenly stopped working.

Can anybody help me?

nh

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html


Re: funny action of crypt

Posted by Mark Hawkes <ha...@onetel.net.uk>.
>Perhaps you need to rewrite mkSalt() so it supports MD5 salts as well, if
>that's what your system's crypt() expects (?).

Talking of which, I've managed to find a subroutine I wrote that does
exactly this...

#----------------------------------------------------------------------------
# generate_salt()
#   generates a random "salt" for use with crypt(3), which Perl's crypt() 
#   is based on.
#
# Notes
#   The DES based algorithm uses a salt of 2 characters drawn from the range 
#   [a-zA-Z0-9./]. MD5 uses a variable length salt: '$1$' (the signature 
#   that tells crypt(3) the caller wants MD5 encryption rather than DES) 
#   followed by 0-8 characters of the same range as the DES salt, followed 
#   optionally by '$'.
#
#     /\A[a-zA-Z0-9.\/]{2}\z/			// regex for DES salt
#     /\A\$1\$[a-zA-Z0-9.\/]{0,8}\$?\z/		// regex for MD5 salt
#
# Returns
#   a "salt" string appropriate for crypt(3) - may be DES or MD5 salt
#----------------------------------------------------------------------------
sub generate_salt {
  my $algo       = choose_crypt_algo($PREFERRED_CRYPT_ALGO);
  my @salt_chars = ('a'..'z', 'A'..'Z', 0..9, '.', '/');
  my ($salt, $salt_length);

  srand;			### set random number seed for CORE::rand
  if ( $algo & $DES_CRYPT ) {	### chosen crypt algorithm is DES
    $salt        = '';
    $salt_length = 2;
  }
  else {			### chosen crypt algorithm is MD5
    $salt        = '$1$';	# MD5 salt prefix
    $salt_length = int rand 9;	# random integer from 0 to 8 inclusive
  }
  
  while ($salt_length--) {	### randomly generate the salt
    my $idx = int rand @salt_chars;
    $salt  .= $salt_chars[$idx];
  }
  return $salt;
}

hth,
Mark
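
An added example, not part of the original post or of mod_perl: it classifies salts with the two regexes from the notes above, verifies a password by passing the stored hash back to crypt() as the salt (so the check does not depend on recomputing mkSalt()), and tests that crypt() gives the same hash for the same password and salt across interleaved calls in one process, which is the property that fails when stored hashes stop matching in a long-lived interpreter. The helper names, salts and passwords are constructed for illustration.

```perl
use strict;
use warnings;

# Salt formats, taken from the generate_salt() notes in the post above.
my $DES_SALT = qr/\A[a-zA-Z0-9.\/]{2}\z/;
my $MD5_SALT = qr/\A\$1\$[a-zA-Z0-9.\/]{0,8}\$?\z/;

# Hypothetical helper: which crypt(3) scheme does this salt select?
sub salt_scheme {
    my ($salt) = @_;
    return 'DES' if $salt =~ $DES_SALT;
    return 'MD5' if $salt =~ $MD5_SALT;
    return 'invalid';
}

# Hypothetical helper: verify by passing the stored hash as the salt.
# crypt(3) reads the scheme and salt from the front of that string, so the
# caller never has to know which scheme produced the stored value.
sub check_password {
    my ($candidate, $stored) = @_;
    my $hash = crypt($candidate, $stored);
    return (defined $hash && $hash eq $stored) ? 1 : 0;
}

# Hypothetical self-test for a long-lived interpreter (e.g. a mod_perl child):
# the same password and salt must hash identically even when calls with other
# salts happen in between. A salt the local crypt(3) rejects counts as failure.
sub crypt_is_stable {
    my @salts = @_;
    my %first;
    for my $round (1 .. 3) {
        for my $salt (@salts) {
            my $hash = crypt('constructed-test-password', $salt);
            return 0 unless defined $hash;
            $first{$salt} = $hash unless exists $first{$salt};
            return 0 if $hash ne $first{$salt};
        }
    }
    return 1;
}

my @salts = ('ab', './', '$1$saltsalt$');        # constructed salts
for my $salt (@salts, 'No', '$1$toolongsalt') {  # 'No' is mkSalt()'s fallback
    printf "%-16s %s\n", $salt, salt_scheme($salt);
}
print 'crypt() stable in this process: ',
      (crypt_is_stable(@salts) ? 'yes' : 'NO'), "\n";

my $stored = crypt('s3cret', 'ab');              # constructed account record
die "crypt() rejected the DES salt on this system\n" unless defined $stored;
print 'correct password accepted: ', check_password('s3cret', $stored), "\n";
print 'wrong password rejected:   ',
      (check_password('guess', $stored) ? 0 : 1), "\n";
```

Running crypt_is_stable() from inside the persistent interpreter rather than from a one-shot command line is what makes it useful here, since the thread's symptom only appears under mod_perl.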



Re: funny action of crypt

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
> On Thu, 2004-03-04 at 14:21 -0800, Stas Bekman wrote:
> 
>>Philippe M. Chiasson wrote:
>>
>>>On Wed, 2004-03-03 at 18:14 -0800, Stas Bekman wrote:
>>>
>>>
>>>>hara@cathand.com wrote:
>>>>
>>>>
>>>>>Hi
>>>>>
>>>>>I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
>>>>>and some CGI scripts with password encryption.
>>>>>
>>>>>Script is ...
>>>>>
>>>>>$password = crypt($password, &mkSalt($name.$password.$value) );
>>>>>
>>>>>[...]
>>>>
>>>>mod_perl 2 has a workaround for 5.8.0:
>>>>
>>>>/* This was fixed in 5.9.0/5.8.1 (17775), but won't compile after 19122 */
>>>>#if PERL_REVISION == 5 && PERL_VERSION == 8 && PERL_SUBVERSION == 0 && \
>>>>    defined(USE_REENTRANT_API) && defined(HAS_CRYPT_R) && defined(__GLIBC__)
>>>>    /* workaround perl5.8.0/glibc bug */
>>>>    PL_reentrant_buffer->_crypt_struct.current_saltbits = 0;
>>>>#endif
>>>>
>>>>I haven't seen it in the mp1 code.
>>>
>>>
>>>Is this workaround worth considering for backporting in mp1 ?
>>
>>Looks like so. Hara has failed to respond back to the list and emailed me 
>>privately. And this did solve his problem after he stuck the above code 
>>somewhere in mod_perl.c. And yes, he was running 5.8.0.
> 
> 
> All right, I'll apply this fix to mp1 soon then.

I thought this had to do with threads... writing a test case that you can 
reproduce the problem with should be helpful. Could probably check the 
archives to find the discussion about the original report. The issue was with 
rand always starting from the same init value under threads. But I'm not sure 
how this affects a single interpreter-process.


-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: funny action of crypt

Posted by "Philippe M. Chiasson" <go...@cpan.org>.
On Thu, 2004-03-04 at 14:21 -0800, Stas Bekman wrote:
> Philippe M. Chiasson wrote:
> > On Wed, 2004-03-03 at 18:14 -0800, Stas Bekman wrote:
> > 
> >>hara@cathand.com wrote:
> >>
> >>>Hi
> >>>
> >>>I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
> >>>and some CGI scripts with password encryption.
> >>>
> >>>Script is ...
> >>>
> >>>$password = crypt($password, &mkSalt($name.$password.$value) );
> >>>
> >>>[...]
> >>
> >>mod_perl 2 has a workaround for 5.8.0:
> >>
> >>/* This was fixed in 5.9.0/5.8.1 (17775), but won't compile after 19122 */
> >>#if PERL_REVISION == 5 && PERL_VERSION == 8 && PERL_SUBVERSION == 0 && \
> >>     defined(USE_REENTRANT_API) && defined(HAS_CRYPT_R) && defined(__GLIBC__)
> >>     /* workaround perl5.8.0/glibc bug */
> >>     PL_reentrant_buffer->_crypt_struct.current_saltbits = 0;
> >>#endif
> >>
> >>I haven't seen it in the mp1 code.
> > 
> > 
> > Is this workaround worth considering for backporting in mp1 ?
> 
> Looks like so. Hara has failed to respond back to the list and emailed me 
> privately. And this did solve his problem after he stuck the above code 
> somewhere in mod_perl.c. And yes, he was running 5.8.0.

All right, I'll apply this fix to mp1 soon then.

> __________________________________________________________________
> Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
> http://stason.org/     mod_perl Guide ---> http://perl.apache.org
> mailto:stas@stason.org http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org   http://ticketmaster.com

Re: funny action of crypt

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
> On Wed, 2004-03-03 at 18:14 -0800, Stas Bekman wrote:
> 
>>hara@cathand.com wrote:
>>
>>>Hi
>>>
>>>I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
>>>and some CGI scripts with password encryption.
>>>
>>>Script is ...
>>>
>>>$password = crypt($password, &mkSalt($name.$password.$value) );
>>>
>>>[...]
>>
>>mod_perl 2 has a workaround for 5.8.0:
>>
>>/* This was fixed in 5.9.0/5.8.1 (17775), but won't compile after 19122 */
>>#if PERL_REVISION == 5 && PERL_VERSION == 8 && PERL_SUBVERSION == 0 && \
>>     defined(USE_REENTRANT_API) && defined(HAS_CRYPT_R) && defined(__GLIBC__)
>>     /* workaround perl5.8.0/glibc bug */
>>     PL_reentrant_buffer->_crypt_struct.current_saltbits = 0;
>>#endif
>>
>>I haven't seen it in the mp1 code.
> 
> 
> Is this workaround worth considering for backporting in mp1 ?

Looks like so. Hara has failed to respond back to the list and emailed me 
privately. And this did solve his problem after he stuck the above code 
somewhere in mod_perl.c. And yes, he was running 5.8.0.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: funny action of crypt

Posted by "Philippe M. Chiasson" <go...@cpan.org>.
On Wed, 2004-03-03 at 18:14 -0800, Stas Bekman wrote:
> hara@cathand.com wrote:
> > Hi
> > 
> > I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
> > and some CGI scripts with password encryption.
> > 
> > Script is ...
> > 
> > $password = crypt($password, &mkSalt($name.$password.$value) );
> > 
> > [...]
> mod_perl 2 has a workaround for 5.8.0:
> 
> /* This was fixed in 5.9.0/5.8.1 (17775), but won't compile after 19122 */
> #if PERL_REVISION == 5 && PERL_VERSION == 8 && PERL_SUBVERSION == 0 && \
>      defined(USE_REENTRANT_API) && defined(HAS_CRYPT_R) && defined(__GLIBC__)
>      /* workaround perl5.8.0/glibc bug */
>      PL_reentrant_buffer->_crypt_struct.current_saltbits = 0;
> #endif
> 
> I haven't seen it in the mp1 code.

Is this workaround worth considering for backporting in mp1 ?


> -- 
> __________________________________________________________________
> Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
> http://stason.org/     mod_perl Guide ---> http://perl.apache.org
> mailto:stas@stason.org http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org   http://ticketmaster.com

Re: funny action of crypt

Posted by Stas Bekman <st...@stason.org>.
hara@cathand.com wrote:
> Hi
> 
> I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
> and some CGI scripts with password encryption.
> 
> Script is ...
> 
> $password = crypt($password, &mkSalt($name.$password.$value) );
> 
> sub mkSalt {
>   local($t, $sum, @salt ) = @_;
>   @salt = split(//,
> './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
>   if ($t) {
>     $sum = unpack("%12C*", $t);
>   } else { # when the handle is empty
>     return 'No';
>   }
>   $salt[$sum % 64] . $salt[int($sum/64) % 64];
> }
> 
> When the local password file is compared with the password POSTed by users,
> they do not match.
> 
> This script works fine without mod_perl but not with mod_perl.
> It was working fine with mod_perl, but it suddenly stopped working.
> 
> Can anybody help me?

Most likely you have upgraded your perl to 5.8.0. If so, the problem will go 
away with 5.8.1.

In the future always follow the guidelines on submitting the bug reports:
http://perl.apache.org/bugs/. So we don't have to guess your environment.

mod_perl 2 has a workaround for 5.8.0:

/* This was fixed in 5.9.0/5.8.1 (17775), but won't compile after 19122 */
#if PERL_REVISION == 5 && PERL_VERSION == 8 && PERL_SUBVERSION == 0 && \
     defined(USE_REENTRANT_API) && defined(HAS_CRYPT_R) && defined(__GLIBC__)
     /* workaround perl5.8.0/glibc bug */
     PL_reentrant_buffer->_crypt_struct.current_saltbits = 0;
#endif

I haven't seen it in the mp1 code.

-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: funny action of crypt

Posted by Mark Hawkes <ha...@onetel.net.uk>.
At 16:55 2004-03-03 -0800, you wrote:
>I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
>and some CGI scripts with password encryption.

>$password = crypt($password, &mkSalt($name.$password.$value) );

I'm no expert, but here goes... There are 2 ways of implementing crypt(3):
using DES or MD5 based algorithms. If the value of $password is undef or an
empty string, chances are your glibc only supports the MD5 flavor of crypt,
because your mkSalt() always generates a salt that only DES can use. MD5
salt values begin with '$1$'. See
http://unixhelp.ed.ac.uk/CGI/man-cgi?crypt+3.

  # 1st value is DES crypt, 2nd is MD5
  print crypt $password, mkSalt($name . $password . $value);
  print crypt $password, '$1$';

Perhaps you need to rewrite mkSalt() so it supports MD5 salts as well, if
that's what your system's crypt() expects (?).

>sub mkSalt {
>  local($t, $sum, @salt ) = @_;
>  @salt = split(//,
>'./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
>  if ($t) {
>    $sum = unpack("%12C*", $t);
>  } else { # when the handle is empty
>    return 'No';
>  }
>  $salt[$sum % 64] . $salt[int($sum/64) % 64];
>}
