On Tue, 19 Aug 2014, Pontus Wiberg wrote:
Yes, I use xauthby=file and the /etc/ipsec.d/passwd file is: pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior
So $apr1$ is not standard crypt(), it is apache specific: https://httpd.apache.org/docs/current/misc/password_encryptions.html "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c for the details of the algorithm. https://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup and htpasswd claims it has been the default since apache 2.2.18 Perhaps someone wants to write a small python script or C binary for managing a /etc/ipsec.d/passwd file that only uses crypt() with one of the more secure options specified via the $id$ salts? Alternatively, we can recognise the salt $apr1$ as special, and use a copy of the apr_md5.c code to verify the password. Although since it is based on md5, it would not be functional in FIPS mode. Paul _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
