s...@apache.org wrote:
> Author: sf
> Date: Fri Oct 23 18:13:46 2009
> New Revision: 829162
> 
> URL: http://svn.apache.org/viewvc?rev=829162&view=rev
> Log:
> Print a warning if a password is truncated by crypt.
> 
> Modified:
>     httpd/httpd/trunk/support/htpasswd.c
> 
> Modified: httpd/httpd/trunk/support/htpasswd.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=829162&r1=829161&r2=829162&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/support/htpasswd.c (original)
> +++ httpd/httpd/trunk/support/htpasswd.c Fri Oct 23 18:13:46 2009
> @@ -186,6 +186,10 @@
>          pw = pwin;
>          memset(pwv, '\0', sizeof(pwin));
>      }
> +    if (alg == ALG_CRYPT && strlen(pw) > 8) {
> +        apr_file_printf(errfile, "Warning: Password truncated to 8 
> characters "
> +                        "by CRYPT algorithm." NL);
> +    }
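Review bot: The added `if (alg == ALG_CRYPT && strlen(pw) > 8)` condition assumes that crypt truncates at exactly 8 characters on every platform, and the literal 8 is repeated in the warning text. Consider giving the limit a named constant and printing the warning only when truncation is confirmed, for example by checking that the full password and its first 8 characters hash to the same value under the same salt. The block also only prints to `errfile`, with no return or error path visible in the hunk, so a short comment saying that continuing with the truncated password is intentional would help the next reader.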

Isn't this platform specific?  Seems wrong.  Why not test the pw and the pw+1
char to determine if this is, in fact, true?

With all our integration into openssl maybe we should add 3des strong crypt for
all platforms that don't otherwise offer it?  So much easier now that the rules
about crypto munitions in open source have been relaxed.
