Steve Hay wrote:
Stas Bekman wrote:


Can you take a look at apr_password_validate and see why it doesn't validate on windows?




Doh! -- it contains this:

#if defined(WIN32) || defined(BEOS) || defined(NETWARE)
apr_cpystrn(sample, passwd, sizeof(sample) - 1);
#elif...



Hmm, what's the point of having an APR function which doesn't work cross-platform?


Well apr_password_validate() actually kicks off like this:

    if (!strncmp(hash, apr1_id, strlen(apr1_id))) {
        /*
         * The hash was created using our custom algorithm.
         */
        apr_md5_encode(passwd, hash, sample, sizeof(sample));
    }
    else {
        /*
         * It's not our algorithm, so feed it to crypt() if possible.
         */
#if defined(WIN32) || defined(BEOS) || defined(NETWARE)
        apr_cpystrn(sample, passwd, sizeof(sample) - 1);
#else
        ... do stuff using crypt ...

so it's only the case where "it's not our algorithm" in which the password gets crypted at all, but copied rather than crypted on Win32 (no doubt because Win32 doesn't have a native crypt() function -- Perl only has crypt() on Win32 by default since 5.8.1 when an fcrypt() implementation was added to the Perl source to provide it.)

So literally we can only use that function for apr_md5_encoded comparisons. I'd rather not call it password_validate.


Do we want to support it at all?


Maybe, since the apr_md5_encode() does look to be portable, but it would be most useful if apr_md5_encode() was supported in the Perl glue too so that apr md5 hashes can be produced in the first place.

What do we need it for? (besides the test?)

So the below patch makes it pass on Win32.


More like hiding the problem, IMHO. Making a test pass is easy, the question is whether it actually tests something.



What problem? It tests what the function does! The question is whether the function actually does something useful :)

No, there is a problem. What I meant is that the test makes a special case for win32, hiding the problem, that this API is not cross-platform and maybe shouldn't be supported at all.


Which is correct given that the function simply calls apr_cpystrn() on Win32, isn't it?

Again, if mp2 gives you the API people will use it in their apps. Then things won't work on certain platforms. They will come complaining. We'd rather not support such APIs in the first place.


So I think we should (a) support apr_md5_encode() and (b) add a note to the APR::Util::password_validate() docs that whilst it is possible to call crypt() in Perl on Win32 (at least as of 5.8.1), password_validate() doesn't support that format of smashed password on Win32 because of limitations in the APR C library.

As suggested above, it is no longer password_validate() then, but rather apr_md5_validate.


(Or: see if the APR C library maintainers would be interested in adding the fcrypt() that Perl uses to provide crypt() on Win32?)

That's a good idea.

--
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
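
An added example, not part of the original thread and not APR source: a small C model of the non-apr1 branch quoted above on a platform without crypt(), next to a guard that a caller could run before handing a hash to the real validator. The names copy_branch, precheck and the verdict enum are hypothetical, the crypt-shaped string is constructed, and the final comparison of sample against hash is an assumption, since the quoted excerpt stops before it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not APR source. All names below are hypothetical. */
enum verdict { V_MATCH, V_MISMATCH, V_DELEGATE, V_UNSUPPORTED };

static const char apr1_id[] = "$apr1$";

/* Non-apr1 branch on a platform without crypt(): the plaintext password is
 * copied into sample unchanged. ASSUMPTION: sample is then compared with
 * the stored hash, which the excerpt in the thread does not show. */
enum verdict copy_branch(const char *passwd, const char *hash)
{
    char sample[120];
    strncpy(sample, passwd, sizeof(sample) - 1);
    sample[sizeof(sample) - 1] = '\0';
    return strcmp(sample, hash) == 0 ? V_MATCH : V_MISMATCH;
}

/* Guard to run before delegating to the real validator: only hand over
 * hashes that this platform can actually recompute. */
enum verdict precheck(const char *hash, int have_crypt)
{
    if (strncmp(hash, apr1_id, strlen(apr1_id)) == 0)
        return V_DELEGATE;              /* portable apr_md5_encode() path */
    return have_crypt ? V_DELEGATE : V_UNSUPPORTED;
}

int main(void)
{
    /* Constructed 13-character crypt-shaped string, not a real hash. */
    const char *crypt_shaped = "ab0123456789.";

    /* The right password never matches a crypt-format entry ... */
    printf("crypt entry:     %d\n", copy_branch("secret", crypt_shaped));
    /* ... while an entry stored as plaintext does match. */
    printf("plaintext entry: %d\n", copy_branch("secret", "secret"));
    /* The guard reports the entry as unsupported instead. */
    printf("precheck:        %d\n", precheck(crypt_shaped, 0));
    return 0;
}
```
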
