[dev] passwd and Auth_sql encryption
Max Kalika
max+lists.horde.dev at lsit.ucsb.edu
Tue Jul 22 16:18:28 PDT 2003
I don't know who maintains this code, but I wanted to clean up some stuff
here and port over the crypt-md5 and friends over to Auth_sql (as that is
the only Auth driver that uses similar semantics) and I came across some
confusion.
First in Auth/sql.php:
The ssha and smd5 encryption types will always generate a random salt in
_encryptPassword() but we make a call to that function in _authenticate()
which (if I'm reading this right) will always fail.
Second in passwd/lib/Driver.php
The ssha and smd5 encryption append the salt to the result of
base64_encode() in _encryptPassword(), but we go ahead and attempt to
base64_decode() in _comparePasswords() without first stripping the salt
off. How is that supposed to work?
In the latter case can we change the ssha and smd5 cases to:
case 'ssha':
$encrypted = preg_replace('|^{SSHA}|', '', $encrypted);
$salt = substr($encrypted, -20)
if ($encrypted == base64_encode(mHash(MHASH_SHA1, $plaintext .
$salt) . $salt);
return true;
}
break;
case 'smd5':
$encrypted = preg_replace('|^{SMD5}|', '', $encrypted);
$salt = substr($encrypted, -16)
if ($encrypted == base64_encode(mHash(MHASH_SMD5, $plaintext .
$salt) . $salt);
return true;
}
break;
The numbers -20 and -16 are what is currently used for substr() in those
two checks, but I know nothing of how these are supposed to work, so if
they're incorrect now is the time to fix.
As far as Auth/sql.php goes, I'd like to add a _comparePasswords() function
to that too to port over all the crypt-* support and (if applicable) fix
the ssha and smd5 portions too.
Thoughts?
BTW: Eric, I got the composite driver flushed out for password changing.
Huzzah!
---max kalika
--max at lsit.ucsb.edu
-lsit systems administrator
More information about the dev
mailing list