Hi Jon,

> $ ./pil lib/adm.l +
> : (de *Salt 16 . "$6$@1$")
> -> *Salt
> : (passwd "somestring")
> -> "$6bsuufIMFxJE"
>
> So it seems that the 'passwd' function is working in 32-bit PicoLisp on
> Mac, right?

Hmm, yes and no ... It works, but obviously only with the (worthless) DES
algorithm, because the generated hash is much too short.

In glibc's crypt() more modern algorithms are supported:

   The glibc2 version of this function supports additional encryption
   algorithms.

   If salt is a character string starting with the characters "$id$"
   followed by a string terminated by "$":

          $id$salt$encrypted

   then instead of using the DES machine, id identifies the encryption
   method used and this then determines how the rest of the password
   string is interpreted. The following values of id are supported:

          ID  | Method
          ─────────────────────────────────────────────────────────
          1   | MD5
          2a  | Blowfish (not in mainline glibc; added in some
              | Linux distributions)
          5   | SHA-256 (since glibc 2.7)
          6   | SHA-512 (since glibc 2.7)

   So $5$salt$encrypted is an SHA-256 encoded password and
   $6$salt$encrypted is an SHA-512 encoded one.

   "salt" stands for the up to 16 characters following "$id$" in the
   salt. The encrypted part of the password string is the actual
   computed password. The size of this string is fixed:

          MD5     | 22 characters
          SHA-256 | 43 characters
          SHA-512 | 86 characters

So passing a salt with the "$6$@1$" pattern would generate a SHA-512 hash
with a total of 106 characters (86 plus the salt).

The DES algorithm has nowadays no practical use. The old crypt() function
uses only the first two characters of the salt, that's why we see

> : (passwd "somestring")
> -> "$6bsuufIMFxJE"

i.e. the first two characters "$6" in the generated hash. crypt() obviously
didn't understand the special encoding of the salt.

Do you think that on the Mac some other version of crypt() is available?
There must be some secure hash function too.

♪♫ Alex
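Added example, not part of the original message or of PicoLisp: a small Python check that classifies a crypt() return value against the salt string that was requested, so a silent fallback to DES like the one in this thread can be detected. The function name `classify`, the 16 salt characters, and the "A"-filled stand-in hash are constructed for illustration; the 13-character length of traditional DES output is standard crypt(3) behaviour rather than something stated in the message.

```python
import re

# Encoded-hash lengths per "$id$", taken from the crypt(3) excerpt quoted above.
METHODS = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}

# $id$salt$encrypted, salt up to 16 characters. The optional "rounds=N$" field
# of the SHA methods is not handled here.
MODULAR = re.compile(r"^\$([^$]+)\$([^$]{1,16})\$([./0-9A-Za-z]+)$")


def classify(setting, result):
    """Classify what crypt() returned for the salt string `setting`.

    Returns (verdict, method):
      "modular"      - result is a well-formed $id$salt$encrypted string
      "des-fallback" - a "$id$..." setting was requested but crypt() used only
                       its first two characters as a traditional DES salt
      "des"          - traditional DES was requested and returned
      "unexpected"   - anything else (wrong length, unknown id, error string)
    """
    m = MODULAR.match(result)
    if m and m.group(1) in METHODS:
        name, want = METHODS[m.group(1)]
        prefix = "$%s$%s" % (m.group(1), m.group(2))
        if len(m.group(3)) == want and setting.startswith(prefix):
            return ("modular", name)
        return ("unexpected", name)
    # Traditional DES output: 13 characters, the first two echo the salt.
    if len(result) == 13 and result[:2] == setting[:2]:
        if setting.startswith("$"):
            return ("des-fallback", "DES")
        return ("des", "DES")
    return ("unexpected", None)


# Constructed salt string in the "$6$@1$" pattern (the 16 salt characters are made up).
SETTING = "$6$abcdefghijklmnop$"
# Result reported in the thread for 32-bit PicoLisp on the Mac.
MAC_RESULT = "$6bsuufIMFxJE"
# Constructed stand-in with the shape of a real SHA-512 result (not a real hash).
SHA512_SHAPED = SETTING + "A" * 86

if __name__ == "__main__":
    for r in (MAC_RESULT, SHA512_SHAPED):
        print(len(r), classify(SETTING, r))
```

A check of this kind belongs wherever password hashes are created, so that a platform whose crypt() ignores the "$id$" prefix is rejected instead of silently storing DES hashes.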