Taking a look at the adduser code, it looks like a semi-random salt is being
used:
-- snip --
    if (strncasecmp(argv[1], "{crypt:}", strlen("{crypt:}")) == 0)
    {
        /* encrypt using crypt() */
        strcat(pw, crypt(&argv[1][strlen("{crypt:}")], cget_salt()));
        useridnr = auth_adduser(argv[0], pw, "crypt", argv[2], argv[3]);
    }
...
char *cget_salt()
{
    unsigned long seed[2];
    const char *const seedchars =
        "./0123456789ABCDEFGHIJKLMNOPQRST"
        "UVWXYZabcdefghijklmnopqrstuvwxyz";
    int i;

    seed[0] = time(NULL);
    seed[1] = getpid() ^ (seed[0] >> 14 & 0x30000);
    for (i = 0; i < 8; i++)
        csalt[i] = seedchars[(seed[i / 5] >> (i % 5) * 6) & 0x3f];
    return csalt;
}
-- snip --
Yet, the auth function in mysqlauth.c uses the password as the salt:
-- snip --
    else if (strcasecmp(__auth_row[2], "crypt") == 0)
    {
        trace(TRACE_DEBUG, "auth_validate(): validating using crypt() encryption");
        is_validated = (strcmp((const char *) crypt(password, __auth_row[1]),
                               __auth_row[1]) == 0) ? 1 : 0;
    }
-- snip --
or am I misreading this?
On Wednesday 02 June 2004 12:44 pm, Micah wrote:
> Hi again,
>
> When comparing a supplied password with a stored pw using crypt(), what
> salt should I use? Doesn't this have to match the salt originally used to
> generate the crypt()'d password?
>
> I haven't dealt with this function before. Sorry if it's a dumb question.
>
> -Micah
> _______________________________________________
> Dbmail-dev mailing list
> [email protected]
> http://twister.fastxs.net/mailman/listinfo/dbmail-dev
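As an added illustration of the salt handling asked about in this thread (example code, not dbmail's): a Python port of the quoted cget_salt(), paired with a hashlib-based stand-in for crypt() (an assumption, not the real function). Because the stand-in, like crypt(), begins its output with the salt it used, the stored hash can be handed back as the salt argument at validation time, which is what the mysqlauth.c branch does.

```python
import hashlib
import os
import time

# Character set from the quoted cget_salt(): the 64 symbols used in crypt() salts.
SEEDCHARS = ("./0123456789ABCDEFGHIJKLMNOPQRST"
             "UVWXYZabcdefghijklmnopqrstuvwxyz")
SALT_LEN = 8


def cget_salt(now=None, pid=None):
    """Port of cget_salt() from the adduser excerpt.

    The C version reads time(NULL) and getpid(); both are parameters here so
    the derivation can be replayed with fixed inputs."""
    seed0 = int(time.time()) if now is None else now
    seed1 = (os.getpid() if pid is None else pid) ^ ((seed0 >> 14) & 0x30000)
    seed = [seed0, seed1]
    # C precedence in the original: seed[i/5] >> ((i%5)*6), then mask to 6 bits.
    return "".join(SEEDCHARS[(seed[i // 5] >> ((i % 5) * 6)) & 0x3F]
                   for i in range(SALT_LEN))


def crypt_like(password, setting):
    """Stand-in for crypt() (an assumption for this example, not the real call).

    Like crypt(), it reads only the leading salt characters of `setting`, so
    `setting` may be a bare salt or a previously stored hash, and its output
    starts with the salt it used."""
    salt = setting[:SALT_LEN]
    digest = hashlib.sha256((salt + "$" + password).encode("utf-8")).hexdigest()
    return salt + digest


def store_password(password, salt):
    """adduser side: hash a new password under a freshly derived salt."""
    return crypt_like(password, salt)


def auth_validate(password, stored):
    """mysqlauth.c side: the stored hash doubles as the salt argument, which is
    how the salt chosen at adduser time is recovered for the comparison."""
    return crypt_like(password, stored) == stored
```

The real crypt() reads the salt width its hash scheme defines; the stand-in fixes it at 8 characters.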