Re: funny action of crypt

[Mark Hawkes]

At 16:55 2004-03-03 -0800, you wrote:
>I have a problem when my apache_1.3.29 w/ mod_perl 1.29 runs PerlRun
>and some CGI scripts with password encryption.

>$password = crypt($password, &mkSalt($name.$password.$value) );

I'm no expert, but here goes... There are 2 ways of implementing crypt(3):
using DES or MD5 based algorithms. If the value of $password is undef or an
empty string, chances are your glibc only supports the MD5 flavor of crypt,
because your mkSalt() always generates a salt that only DES can use. MD5
salt values begin with '$1$'. See
http://unixhelp.ed.ac.uk/CGI/man-cgi?crypt+3.

  # 1st value is DES crypt, 2nd is MD5
  print crypt $password, mkSalt($name . $password . $value);
  print crypt $password, '$1$';

Perhaps you need to rewrite mkSalt() so it supports MD5 salts as well, if
that's what your system's crypt() expects (?).

>sub mkSalt {
>  local($t, $sum, @salt ) = @_;
>  @salt = split(//,
>'./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
>  if ($t) {
>    $sum = unpack("%12C*", $t);
>  } else { # $B%O%s%I%k$,6u$N>l9g(B
>    return 'No';
>  }
>  $salt[$sum % 64] . $salt[int($sum/64) % 64];
>}

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html