I was researching some odd behavior in Apache and mod_dbd and thanks to the apr-devel mailing list I was informed that my problem was not a bug in mod_dbd, but was actually the way crypt() behaved. I am posting here because in my mind this is a bug, but I can also see how there might be arguments to the contrary and would like the communities opinion on the matter.
If the hash given to crypt() as a salt is an empty string, then the crypt function returns an empty string and the resulting strcmp will always match regardless of the password the user provides. This makes an empty string invalid as a password, which is not the case on Windows, BeOS, or Netware (according to Tom Donovan from the apr-dev mailing list. http://thread.gmane.org/gmane.comp.apache.apr.devel/13795). Modifying the demo source in the GNU Manual for crypt to the following shows the bug rather plainly. --begin--code-- #include <stdio.h> #include <string.h> #include <unistd.h> #include <crypt.h> int main(void) { /* Empty hash */ const char *const pass = ""; char *result; int ok; /* Read in the user's password and encrypt it, passing the expected password in as the salt. */ result = crypt(getpass("Password:"), pass); /* Test the result. (This will always succeed!) */ ok = strcmp (result, pass) == 0; puts(ok ? "Access granted." : "Access denied."); return ok ? 0 : 1; } --end--code-- Please help me understand why this is behaving this way if it is correct, otherwise I would be glad to file a bug report on it. -Scott _______________________________________________ gnu-crypto-discuss mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnu-crypto-discuss
