Should we be including/moving this discussion to dev@apr?

On Feb 20, 2013, at 3:07 AM, Rainer Jung <[email protected]> wrote:
> On 20.02.2013 08:07, William A. Rowe Jr. wrote:
>> On Wed, 20 Feb 2013 16:42:56 +1000
>> Noel Butler <[email protected]> wrote:
>>
>>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>>
>>>> Note he mentioned SHA512, not crypt(). I don't know that this makes
>>>> a difference on that architecture.
>>>
>>> But isn't it just a hand-off to system crypt() (modern crypt(), not
>>> the ancient 8 char one), since httpd is limited in native options;
>>> what it doesn't understand it passes to system crypt() to handle.
>
> Yes.
>
>> Which remains my point... our current 2.4 and 2.2 candidates should
>> suffer the same flaw.
>
> Indeed, that's likely. Note that Noel uses SHA512, which is supported in
> apr_password_validate(), but for instance not wired in htpasswd. So it
> might not be the most often used password hash in combination with
> httpd. Nevertheless we need to fix.
>
> I prepared another round of patches to check what's wrong in
> apr_password_validate. All patches can be applied in srclib/apr-util.
> They are *not* cumulative:
>
> 1) Undo one change in the password validation function and check whether
> it works then:
>
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch
>
> 2) Keep original validation code but add some debug output to STDERR:
>
> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch
>
> 3) Combination of 1) and 2):
>
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch
>
> All patches only change one file, so if you apply on top of your build
> tree, make will only compile one file and you only need to copy over the
> new .libs/libaprutil-1.so to your httpd installation lib.
>
> Regards,
>
> Rainer
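The thread turns on SHA512 password hashes that apr_password_validate() does not compute itself but hands to the system crypt(), so a failure on one platform may be in the hand-off or in that platform's crypt(). The following is an added, platform-independent reference check, not code from the thread, from apr-util or from httpd: it implements the SHA-512 crypt scheme ("$6$" strings, the one glibc's crypt() uses) in pure Python with hashlib, parses a "$6$[rounds=N$]salt$hash" string, and verifies a password against it with a constant-time comparison. The known-answer hash below is the first test vector from the published SHA-crypt specification as I remember it; treat it as an assumption to confirm against your own crypt(3). Running it on the same hash that fails in httpd tells you whether the stored hash is self-consistent before you start debugging the library.

```python
import hashlib
import hmac

# Known-answer vector (assumed from the SHA-crypt specification's test list):
# password "Hello world!", salt "saltstring", default 5000 rounds.
KNOWN_HASH = ("$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI"
              "68u4OTLiBFdcbYEdFCoEOfaS35inz1")
KNOWN_PASSWORD = "Hello world!"

# crypt(3)-style base64 alphabet (not RFC 4648 order).
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000


def _repeat_to(block: bytes, length: int) -> bytes:
    """Repeat a digest block until exactly `length` bytes remain."""
    return (block * (length // len(block) + 1))[:length]


def _encode_digest(digest: bytes) -> str:
    """Emit 64 digest bytes as 21 permuted 3-byte groups plus one trailing byte."""
    out = []
    for k in range(21):
        trio = [k, k + 21, k + 42]
        r = k % 3
        trio = trio[r:] + trio[:r]            # rotation pattern used by the reference code
        b2, b1, b0 = (digest[i] for i in trio)
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(4):                    # low 6 bits first
            out.append(B64[w & 0x3F])
            w >>= 6
    w = digest[63]
    for _ in range(2):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> str:
    """Compute a $6$ string for password/salt; salt is capped at 16 bytes like crypt(3)."""
    salt = salt[:16]
    rounds = max(1000, min(rounds, 999_999_999))
    # Digest B = H(password || salt || password)
    b = hashlib.sha512(password + salt + password).digest()
    # Digest A = H(password || salt || B[:len(pw)] || bit-pattern of len(pw))
    a = hashlib.sha512(password + salt)
    a.update(_repeat_to(b, len(password)))
    n = len(password)
    while n > 0:
        a.update(b if n & 1 else password)
        n >>= 1
    da = a.digest()
    # Byte sequences P and S derived from the password and the salt
    dp = hashlib.sha512(password * len(password)).digest()
    p = _repeat_to(dp, len(password))
    ds = hashlib.sha512(salt * (16 + da[0])).digest()
    s = _repeat_to(ds, len(salt))
    # The expensive part: `rounds` iterations mixing A, P and S
    for i in range(rounds):
        c = hashlib.sha512()
        c.update(p if i & 1 else da)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(da if i & 1 else p)
        da = c.digest()
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != DEFAULT_ROUNDS else "")
    return prefix + salt.decode() + "$" + _encode_digest(da)


def parse_sha512_crypt(hashed: str):
    """Split '$6$[rounds=N$]salt$hash' into (rounds, salt, hash); reject anything else."""
    fields = hashed.split("$")
    if len(fields) < 4 or fields[0] != "" or fields[1] != "6":
        raise ValueError("not a $6$ (SHA-512 crypt) string")
    rest = fields[2:]
    rounds = DEFAULT_ROUNDS
    if rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2 or not rest[0] or not rest[1]:
        raise ValueError("malformed $6$ string")
    return rounds, rest[0], rest[1]


def verify(password: str, hashed: str) -> bool:
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    rounds, salt, expected = parse_sha512_crypt(hashed)
    computed = sha512_crypt(password.encode(), salt.encode(), rounds)
    return hmac.compare_digest(computed.rsplit("$", 1)[1], expected)


if __name__ == "__main__":
    print("known vector reproduced:", sha512_crypt(b"Hello world!", b"saltstring") == KNOWN_HASH)
    print("correct password:", verify(KNOWN_PASSWORD, KNOWN_HASH))
    print("wrong password:", verify("hello world!", KNOWN_HASH))
```

If this reproduces the hash in your .htpasswd file but httpd still rejects the password, the problem is in the library path (the hand-off to crypt(), or the platform's crypt()), not in the stored hash; if it does not, the hash was generated with a different scheme or salt handling than the one httpd ends up calling.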
