Re: [SOGo] Mysql source w/ crypt broken after 1.3.5a upgrade?
2011-02-01 01:10:49 GMT
Dear All,

after a bit (well, several hours...) of investigation, I found that:

1) md5 works flawlessly on my installation, while crypt does not. So it's not a configuration problem.

2) The code pre-1.3.5a, i.e. the one attached to bug report #703 (http://www.sogo.nu/bugs/view.php?id=703) worked fine (I've been using it on 1.3.4 without any problems).

3) In 1.3.5 the crypt() code was modularized and moved to NSstring+Utilities.m:

> 2010-12-29 Ludovic Marcotte <lmarcotte@...>
>
> * Moved the string encryption code from SoObjects/SOGo/SQLSource.m
> to SoObjects/SOGo/NSString+Utilites.m

4) Feel free to correct me if I'm wrong, but it seems to me that the new implementation doesn't use the right salt.

To perform a check against an existing md5-crypted password, you must fetch it from the DB and pass it as the second parameter to the crypt() function (the first will be the user-provided password to validate). This is because the salt to use is embedded into the crypted password (if you're using md5-crypt, it's the substring that starts with "$1$" and ends with "$"). The crypt() function will recognize the salt part automagically and use it to encode the user-provided password.

If you look at the patch code, you'll see the following lines:

> buf = (char *) crypt([plainPassword UTF8String], [encryptedPassword UTF8String]);
> NSString *s = [NSString stringWithUTF8String: buf];
> return [s isEqualToString: encryptedPassword];

In the new code (lines 548-556 from NSString-Utilities.m), the password to check is provided also as the