Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/07/04 13:11:05 UTC
DO NOT REPLY [Bug 45340] New: Example Java code produces wrong
digest-authentication passwords
https://issues.apache.org/bugzilla/show_bug.cgi?id=45340
Summary: Example Java code produces wrong digest-authentication
passwords
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
URL: http://httpd.apache.org/docs/2.3/misc/password_encryptions.html
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Documentation
AssignedTo: bugs@httpd.apache.org
ReportedBy: jwagner@computing.dcu.ie
The code fragment in "Miscellaneous Documentation > Password Formats > Digest
Authentication > Database password fields for mod_dbd > Java" will produce
30-character or even shorter hexdigit strings if the upper 8 bits are 0. This
will happen for 0.39% (1/256) of passwords.

    if (s.length() % 2 != 0) s = "0" + s;

(apparently, the 6.25% (1/16) of cases in which the upper 4 bits are 0 have
been addressed) should be replaced by

    while (s.length() < 32) s = "0" + s;

Note that I didn't test this code. If you don't like the loop due to its worst
case runtime, please consider its expected runtime (random average). The body
of the loop is rarely entered.
Best regards,
JJ
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
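
The length problem reported above, measured over a batch of digests. This is an added example, not code from the httpd documentation or from this thread. The BigInteger conversion, the class name, and the credentials are assumptions or constructed values; only the two padding lines come from the report. The signed count goes one step beyond the report and shows one way a sign problem can arise with the same bytes.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestHexDemo {
    // Assumption: the digest is rendered through BigInteger; the thread quotes only the padding line.
    static String rawHex(byte[] digest) {
        return new BigInteger(1, digest).toString(16); // leading zero digits are dropped
    }

    // Padding line quoted in the report: repairs only an odd-length string.
    static String oddLengthFix(byte[] digest) {
        String s = rawHex(digest);
        if (s.length() % 2 != 0) s = "0" + s;
        return s;
    }

    // Replacement proposed in the report: left-pad to the full 32 hex digits.
    static String padTo32(byte[] digest) {
        String s = rawHex(digest);
        while (s.length() < 32) s = "0" + s;
        return s;
    }

    public static void main(String[] args) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        int total = 100000, shortOdd = 0, shortPad = 0, negative = 0;
        String firstBad = null;
        for (int i = 0; i < total; i++) {
            // Constructed credentials in the user:realm:password form of digest authentication.
            byte[] d = md5.digest(("user:realm:pw" + i).getBytes(StandardCharsets.UTF_8));
            String odd = oddLengthFix(d);
            if (odd.length() != 32) {
                shortOdd++;
                if (firstBad == null) firstBad = "pw" + i + " -> " + odd + " vs " + padTo32(d);
            }
            if (padTo32(d).length() != 32) shortPad++;
            // Signed interpretation of the same bytes: a set top bit yields a "-" prefix.
            if (new BigInteger(d).toString(16).startsWith("-")) negative++;
        }
        System.out.println("odd-length fix, wrong length: " + shortOdd + " of " + total);
        System.out.println("pad to 32, wrong length:      " + shortPad + " of " + total);
        System.out.println("signed BigInteger, negative:  " + negative + " of " + total);
        System.out.println("first mismatch: " + firstBad);
    }
}
```

A stored digest-authentication hash that is not exactly 32 hex digits will never match the value the server computes, so a length check on existing password rows finds accounts affected by this bug.
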
DO NOT REPLY [Bug 45340] Example Java code produces wrong
digest-authentication passwords
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45340
Tom Donovan <To...@acm.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #1 from Tom Donovan <To...@acm.org> 2008-07-07 04:01:19 PST ---
Java example code fixed in trunk for length and sign problems with hash value.
http://svn.apache.org/viewvc?view=rev&revision=674445
re: "...don't like the loop due to its worst case runtime..."
No problem - correctness & clarity are more important in example code.
Tested with Java 1.4 & Java 6.