Notes on password comparisons...
Posted on 8/20/2005 7:01 pm in This Old Site
I finally broke down and looked at the code for MySQL, particularly the
portion for creating MD5 hashes. Apparently, MySQl, takes the
result that was being used in the SASL code and converts it to an ASCII
representation of the result in hexadecimal notation. It was an
easy fix to checkpw.c to make it operate the same way. I've included the function where I made the changes. My notes are in bold. Code that we're not using anymore is in italics.
static int _sasl_make_plain_secret(const char *salt,
const char *passwd, size_t passlen,
sasl_secret_t **secret)
{
MD5_CTX ctx;
unsigned sec_len = 16 + 1 + 16; /* salt + "�" + hash */
*secret = (sasl_secret_t *) sasl_ALLOC(sizeof(sasl_secret_t) +
sec_len * sizeof(char));
if (*secret == NULL) {
return SASL_NOMEM;
}
_sasl_MD5Init(&ctx);
/* Were eliminating the salt functions here since our code to generate the password hash originally doesn't use them. */
/*
_sasl_MD5Update(&ctx, salt, 16);
_sasl_MD5Update(&ctx, "sasldb", 6);
*/
/* Here, we're going to add a digest variable to temporarily store the result. */
unsigned char digest[16];
_sasl_MD5Update(&ctx, passwd, passlen);
memcpy((*secret)->data, salt, 16);
(*secret)->data[16] = '�';
/* Once again, we're skipping the hash. */
/*
_sasl_MD5Final((*secret)->data + 17, &ctx);
*/
_sasl_MD5Final(digest, &ctx);
/* Were going to set the secret length to the length of our new result instead. */
(*secret)->len = (uint) 32 + 1;
/* Here, we convert the digest result into a readable hexadecimal format */
sprintf((char *) (*secret)->data,
"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
digest[0], digest[1], digest[2], digest[3],
digest[4], digest[5], digest[6], digest[7],
digest[8], digest[9], digest[10], digest[11],
digest[12], digest[13], digest[14], digest[15]);
return SASL_OK;
}
