[Tickets #2863] NEW: Corrected handling of {SSHA} and {SMD5} salt
bugs@bugs.horde.org
bugs at bugs.horde.org
Wed Oct 26 04:59:43 PDT 2005
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=2863
-----------------------------------------------------------------------
Ticket | 2863
Created By | ulrich-horde at topfen.net
Summary | Corrected handling of {SSHA} and {SMD5} salt
Queue | Horde Framework Packages
Version | FRAMEWORK_3
State | Unconfirmed
Priority | 2. Medium
Type | Bug
Owners |
+New Attachment | Auth.php.patch
-----------------------------------------------------------------------
ulrich-horde at topfen.net (2005-10-26 04:59) wrote:
The attached patch fixes two real and one potential problem(s) with the SSHA
and SMD5 password schemes in Auth::getSalt().
+) When looking for the salt, be case-insensitive to avoid problems when the
scheme specification is in lower case (cf. bug #2708).
+) The format for both schemes is (in pseudo-code)
base64_encode(hash(password . salt) . salt). getSalt() did return the
still encoded value when $seed was set, and a raw value when
generating a new one.
+) The size of the salt is not fixed. While OpenLDAP and Horde both appear
to be using 4 byte salts, others may not. The only part of which we know
the exact length is the hash (128 and 160 bits, respectively).
Therefore, substr() needs to count from the beginning of the binary string,
not the end.
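
The salt handling described in the ticket, as an added example that is not part of the original message or of the attached Auth.php.patch: the scheme tag is matched case-insensitively, the value is base64-decoded before it is split, and the salt is taken as everything after the fixed-length digest. All function names and sample values below are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Horde's Auth.php. Function names are hypothetical.

// Raw digest length in bytes per scheme (SHA-1 = 160 bits, MD5 = 128 bits).
const DIGEST_LEN = ['SSHA' => 20, 'SMD5' => 16];
const DIGEST_ALGO = ['SSHA' => 'sha1', 'SMD5' => 'md5'];

/** Split "{SSHA}base64..." into [scheme, digest, salt]; null if malformed. */
function split_salted_hash(string $stored): ?array
{
    // Match the scheme tag case-insensitively: "{ssha}" equals "{SSHA}".
    if (!preg_match('/^\{(SSHA|SMD5)\}(.+)$/i', $stored, $m)) {
        return null;
    }
    $scheme = strtoupper($m[1]);
    $raw = base64_decode($m[2], true);      // strict mode rejects non-base64 input
    $len = DIGEST_LEN[$scheme];
    if ($raw === false || strlen($raw) <= $len) {
        return null;                        // nothing left after the digest: no salt
    }
    // Only the digest length is known, so count from the start of the binary
    // string; the remainder is the salt, whatever its size.
    return [$scheme, substr($raw, 0, $len), substr($raw, $len)];
}

function make_salted_hash(string $scheme, string $password, string $salt): string
{
    $digest = hash(DIGEST_ALGO[$scheme], $password . $salt, true);
    return '{' . $scheme . '}' . base64_encode($digest . $salt);
}

function verify_salted_hash(string $password, string $stored): bool
{
    $parts = split_salted_hash($stored);
    if ($parts === null) {
        return false;
    }
    [$scheme, $digest, $salt] = $parts;
    $candidate = hash(DIGEST_ALGO[$scheme], $password . $salt, true);
    return hash_equals($digest, $candidate); // constant-time comparison
}

// Constructed samples: a 4-byte salt, and an 8-byte salt with a lower-case tag.
$a = make_salted_hash('SSHA', 'secret', "\x01\x02\x03\x04");
$b = str_replace('{SMD5}', '{smd5}', make_salted_hash('SMD5', 'secret', 'saltsalt'));
var_dump(verify_salted_hash('secret', $a), verify_salted_hash('secret', $b));
var_dump(verify_salted_hash('wrong', $a), split_salted_hash($b)[2]);
```

Taking the salt with a negative offset of 4 would recover only the last four bytes of the 8-byte salt in the second sample, which is the failure the third point of the ticket describes.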