Posted to dev@apr.apache.org by Stas Bekman <st...@stason.org> on 2004/05/27 00:53:45 UTC

apr_password_validate is not testing md5/sha1 in the apr test suite

So I'm trying to drop crypt and trying to write tests for the md5 and sha1 
parts of the apr_password_validate. I fail to come up with any test input that 
will pass the test. I try various md5 and sha1 functions, and none of them 
matches. Is it supposed to work only with hash values generated by apr's own 
md5 and sha1 functions? I suppose I miss something, since for example digest 
auth hash is generated by the client, and certainly can't know about apr's 
function.

I hoped to find the tests in apr-util/test/testpass.c, but alas neither md5 
nor sha1 hashes are tested at all. Only crypt which is not available 
cross-platform.

Suggestions?

-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com

Re: apr_password_validate is not testing md5/sha1 in the apr test suite

Posted by rb...@rkbloom.net.
On Wed, 26 May 2004, Stas Bekman wrote:

> rbb@rkbloom.net wrote:

>  > Also it will show you how to generate the data for yourself.
>
> Unfortunately at the moment I have no time to figure it out. Though it worries
> me that I couldn't get non-apr md5/sha1 generators' output to pass password_validate.

This one, at least, is easy to explain.  We use a non-standard prefix in
the encrypted password to tell APR what type of password it is.  That way,
the one function can decrypt _any_ format it understands without having to
be re-built.  If you look at the passwords htpasswd generated, the
prefix for all md5 passwords is the same, same for sha1 (although it is
different from the md5 prefix).  This is the same model that *BSD uses
IIRC.

Ryan
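
The prefix dispatch Ryan describes, as an added example that is not part of the original thread or APR's own code. The thread does not spell out the prefixes; `$apr1$` and `{SHA}` are the ones APR and htpasswd use, and the function names below are hypothetical. It shows why a bare hex digest from a generic md5/sha1 tool selects neither branch, while a `{SHA}` entry (prefix plus base64 of the raw SHA-1 digest) validates:

```python
import base64
import hashlib
import hmac

# Format markers APR and htpasswd put in front of the stored value.
APR1_ID = "$apr1$"  # salted, iterated MD5 variant: $apr1$<salt>$<hash>
SHA1_ID = "{SHA}"   # unsalted SHA-1 digest, base64-encoded


def classify(stored):
    """Name the branch a stored value selects, judged by its prefix only."""
    if stored.startswith(APR1_ID):
        return "apr1-md5"
    if stored.startswith(SHA1_ID):
        return "sha1"
    return "fallback"  # no known prefix: left to crypt() where available


def make_sha_entry(password):
    """Build a value in the {SHA} format: prefix + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA1_ID + base64.b64encode(digest).decode("ascii")


def validate_sha(password, stored):
    """Check a password against a {SHA} entry; False for any other format."""
    if classify(stored) != "sha1":
        return False
    expected = make_sha_entry(password).encode("utf-8")
    return hmac.compare_digest(expected, stored.encode("utf-8"))


if __name__ == "__main__":
    pw = "password"  # constructed sample input
    candidates = {
        "raw sha1 hex": hashlib.sha1(pw.encode()).hexdigest(),
        "raw md5 hex": hashlib.md5(pw.encode()).hexdigest(),
        "{SHA} entry": make_sha_entry(pw),
    }
    for label, stored in candidates.items():
        print(f"{label:13} {classify(stored):9} match={validate_sha(pw, stored)}")
```

The `$apr1$` branch is only classified here, not computed: that format is a salted, iterated construction rather than a single MD5 call, which is why htpasswd is the practical source of test data for it.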



Re: apr_password_validate is not testing md5/sha1 in the apr test suite

Posted by Stas Bekman <st...@stason.org>.
rbb@rkbloom.net wrote:
> On Wed, 26 May 2004, Stas Bekman wrote:
> 
> 
>>So I'm trying to drop crypt and trying to write tests for the md5 and sha1
>>parts of the apr_password_validate. I fail to come up with any test input that
>>will pass the test. I try various md5 and sha1 functions, and none of them
>>matches. Is it supposed to work only with hash values generated by apr's own
>>md5 and sha1 functions? I suppose I miss something, since for example digest
>>auth hash is generated by the client, and certainly can't know about apr's
>>function.
>>
>>I hoped to find the tests in apr-util/test/testpass.c, but alas neither md5
>>nor sha1 hashes are tested at all. Only crypt which is not available
>>cross-platform.
>>
>>Suggestions?
> 
> 
> Use htpasswd to generate some passwords. That should give you some data
> to test with.

Thanks for the suggestion, Ryan. It worked fine. I wasn't aware it was doing 
md5 and sha1 too.

 > Also it will show you how to generate the data for yourself.

Unfortunately at the moment I have no time to figure it out. Though it worries 
me that I couldn't get non-apr md5/sha1 generators' output to pass password_validate.

> The APR-util test suite is taking a back-seat to the APR test
> suite currently.

Understood.

Thanks.


Re: apr_password_validate is not testing md5/sha1 in the apr test suite

Posted by rb...@rkbloom.net.
On Wed, 26 May 2004, Stas Bekman wrote:

> So I'm trying to drop crypt and trying to write tests for the md5 and sha1
> parts of the apr_password_validate. I fail to come up with any test input that
> will pass the test. I try various md5 and sha1 functions, and none of them
> matches. Is it supposed to work only with hash values generated by apr's own
> md5 and sha1 functions? I suppose I miss something, since for example digest
> auth hash is generated by the client, and certainly can't know about apr's
> function.
>
> I hoped to find the tests in apr-util/test/testpass.c, but alas neither md5
> nor sha1 hashes are tested at all. Only crypt which is not available
> cross-platform.
>
> Suggestions?

Use htpasswd to generate some passwords.  That should give you some data
to test with.  Also it will show you how to generate the data for
yourself.  The APR-util test suite is taking a back-seat to the APR test
suite currently.

Ryan