Date:      Wed, 5 Feb 1997 12:11:24 -0800 (PST)
From:      pgiffuni@fps.biblos.unal.edu.co
To:        freebsd-gnats-submit@freebsd.org
Subject:   ports/2669: Fix for W3c-httpd 3.0relevant patch must be included a
Message-ID:  <199702052011.MAA08258@freefall.freebsd.org>
Resent-Message-ID: <199702052020.MAA08761@freefall.freebsd.org>


>Number:         2669
>Category:       ports
>Synopsis:       Fix for W3c-httpd 3.0relevant patch must be included a
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb  5 12:20:02 PST 1997
>Last-Modified:
>Originator:     Pedro Giffuni S.
>Organization:
Universidad Nacional de Colombia
>Release:        2.1.5 Release
>Environment:
Non relevant
>Description:
User Sergei Vnotchenko <sergey@ns.extech.msk.su> reported and solved a
problem with W3C-httpd's passwords. The relevant patch must be included
as patch-bc in our distribution.
>How-To-Repeat:

>Fix:
*** Daemon/Implementation/HTPasswd.c.orig	Wed Feb  5 13:54:35 1997
--- Daemon/Implementation/HTPasswd.c	Wed Feb  5 14:14:34 1997
***************
*** 77,82 ****
--- 77,83 ----
  **	string at once, but then again, we are not that paranoid
  **	about the security inside the machine.
  **
+    NOTE: MD5: 28 characters (8 - setting, 20 - crypted password)
  */
  PUBLIC char *HTAA_encryptPasswd ARGS1(CONST char *, password)
  {
***************
*** 101,107 ****
  	strncpy(chunk, cur, 8);
  	chunk[8] = (char)0;
  
! 	tmp = crypt((char*)password, salt);  /*crypt() doesn't change its args*/
  	strcat(result, tmp);
  
  	cur += 8;
--- 102,108 ----
  	strncpy(chunk, cur, 8);
  	chunk[8] = (char)0;
  
! 	tmp = crypt((char*)chunk , salt);  /*crypt() doesn't change its args*/
  	strcat(result, tmp);
  
  	cur += 8;
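Review bot: The pointer returned by `crypt()` goes straight into `strcat(result, tmp)` with no NULL check, here and in the matching loop of the second function (the hunk ending at new line 195); `crypt()` may return NULL for a setting it rejects. A guard such as `if (!tmp)` before the `strcat`, leaving through the function's existing failure path, would cover it. The trailing comment `/*crypt() doesn't change its args*/` explained the const cast on `password`; if `chunk` is a plain `char` array here as it is in the matcher, the line can become `tmp = crypt(chunk, salt);`. The function starts and ends outside this hunk, so the declaration of `salt` and the sizing of `result` are not visible, and no visible hunk adds an `#ifdef MD5` on the encrypt side, which is worth confirming against the 28-character note added in the first hunk.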
***************
*** 139,149 ****
--- 140,163 ----
      char *result;
      int len;
      int status;
+ #ifdef MD5
+     char salt[9];
+ #else
+     char salt[3];
+ #endif
+     char chunk[9];
+     CONST char *cur1 = password;
+     CONST char *cur2 = encrypted;
+     char *tmp;
  
      if (!password || !encrypted)
  	return NO;
  
+ #ifdef MD5
+     len = 28*(((int)strlen(password)+7)/8);
+ #else
      len = 13*(((int)strlen(password)+7)/8);
+ #endif
      if (len < (int)strlen(encrypted))
  	return NO;
  
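Review bot: The guard `if (len < (int)strlen(encrypted))` only rejects a stored string that is too long, so a shorter one still enters the loop. Now that `cur2` is hoisted out of the loop and really advances by 13 or 28 per pass (hunk ending at new line 195), a short `encrypted` is read past its terminator when the salt is copied. The `strncmp(result, encrypted, strlen(encrypted))` after the loop then compares only the stored prefix, which an empty or truncated entry satisfies. Requiring an exact length, `if (len != (int)strlen(encrypted)) return NO;`, closes both, assuming crypt() output per chunk is fixed-length as the 13/28 constants imply. The function starts before and continues after this hunk.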
***************
*** 152,176 ****
  
      *result = (char)0;
      while (len > 0) {
- 	char salt[3];
- 	char chunk[9];
- 	CONST char *cur1 = password;
- 	CONST char *cur2 = encrypted;
- 	char *tmp;
  
  	salt[0] = *cur2;
  	salt[1] = *(cur2+1);
  	salt[2] = (char)0;
  
  	strncpy(chunk, cur1, 8);
  	chunk[8] = (char)0;
  
! 	tmp = crypt((char*)password, salt);
  	strcat(result, tmp);
  
  	cur1 += 8;
  	cur2 += 13;
  	len -= 13;
      } /* while */
  
      status = strncmp(result, encrypted, strlen(encrypted));
--- 166,195 ----
  
      *result = (char)0;
      while (len > 0) {
  
+ #ifdef MD5
+ 	for(status=0;status<8;status++) salt[status]=cur2[status];
+ 	salt[8]=0;
+ #else
  	salt[0] = *cur2;
  	salt[1] = *(cur2+1);
  	salt[2] = (char)0;
+ #endif
  
  	strncpy(chunk, cur1, 8);
  	chunk[8] = (char)0;
  
! 	tmp = crypt((char*)chunk, salt);
  	strcat(result, tmp);
  
  	cur1 += 8;
+ #ifdef MD5
+ 	cur2 += 28;
+ 	len -= 28;
+ #else
  	cur2 += 13;
  	len -= 13;
+ #endif
      } /* while */
  
      status = strncmp(result, encrypted, strlen(encrypted));
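Review bot: The per-chunk sizes 13 and 28 are hard-coded at separate `#ifdef MD5` sites (the `len` computation in the previous hunk and the `cur2 += …; len -= …;` pair here), and nothing checks that `crypt()` returned that many characters before `strcat(result, tmp)`. If the platform's crypt() produces a different length for an 8-character setting, the stride through `encrypted` drifts and `result` may be overrun; this is inferred, since the allocation of `result` lies outside the hunk. Defining the size once under the `#ifdef` (a name such as `HTAA_CRYPT_LEN` is only a suggestion) and returning NO when `strlen(tmp) != HTAA_CRYPT_LEN` would make the assumption explicit. The MD5 branch also borrows `status` as its loop index; `memcpy(salt, cur2, 8);` does the same copy without reusing the result variable.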
***************
*** 289,292 ****
--- 308,313 ----
      if (status == EOF)  return NO;  /* We traversed to the end without luck */
      else                return YES; /* The user was found */
  }
+ 
+ 
  

>Audit-Trail:
>Unformatted:


