Summary | Corrected handling of {SSHA} and {SMD5} salt |
Queue | Horde Framework Packages |
Queue Version | FRAMEWORK_3 |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | Horde Developers (at) |
Requester | ulrich-horde (at) topfen (dot) net |
Created | 10/26/2005 (7227 days ago) |
Due | |
Updated | 11/22/2006 (6835 days ago) |
Assigned | 12/27/2005 (7165 days ago) |
Resolved | 11/22/2006 (6835 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | Yes |
State ⇒ Resolved
State ⇒ Assigned
base64_encode(hash(password . salt) . salt). getSalt() did return the
still encoded value when $seed was set, and a raw value when
generating a new one.
tree, right? Auth is not only for LDAP servers.
or SMD5, so I can't really comment on that. I simply thought that
other applications will store the password in the same format.
State ⇒ Feedback
base64_encode(hash(password . salt) . salt). getSalt() did return the
still encoded value when $seed was set, and a raw value when
generating a new one.
right? Auth is not only for LDAP servers.
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ Corrected handling of {SSHA} and {SMD5} salt
Queue ⇒ Horde Framework Packages
New Attachment: Auth.php.patch
State ⇒ Unconfirmed
the SSHA and SMD5 password schemes in Auth::getSalt().
+) When looking for the salt, be case-insensitive to avoid problems when the
scheme specification is in lower case (c.f.
bug #2708).
+) The format for both schemes is (in pseudo-code)
base64_encode(hash(password . salt) . salt). getSalt() did return the
still encoded value when $seed was set, and a raw value when
generating a new one.
+) The size of the salt is not fixed. While OpenLDAP and Horde both appear
to be using 4 byte salts, others may not. The only part of which we know
the exact length is the hash (128 and 160 bits, respectively). Therefore,
substr() needs to count from the beginning of the binary string,
not the end.
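
The storage format and salt extraction described in the report above, as an added PHP example (it is not Horde's Auth code and not the attached patch). The helper names `split_salted`, `make_salted` and `verify_salted` are hypothetical, the sample values are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example with hypothetical helper names; this is not Horde's Auth code.
// Scheme tag => [hash algorithm, raw digest length in bytes] (128 and 160 bits).
const SCHEMES = ['{SMD5}' => ['md5', 16], '{SSHA}' => ['sha1', 20]];

// Split "{scheme}base64" into [algorithm, raw digest, raw salt]; null if malformed.
function split_salted(string $stored): ?array
{
    $end = strpos($stored, '}');
    if ($end === false || $stored[0] !== '{') {
        return null;
    }
    $scheme = strtoupper(substr($stored, 0, $end + 1)); // accept {ssha} as well as {SSHA}
    if (!array_key_exists($scheme, SCHEMES)) {
        return null;
    }
    [$algo, $len] = SCHEMES[$scheme];
    $raw = base64_decode(substr($stored, $end + 1), true); // decode before slicing
    if ($raw === false || strlen($raw) <= $len) {
        return null; // bad base64, or no salt after the digest
    }
    // The digest length is fixed, so count from the start; the rest is the salt.
    return [$algo, substr($raw, 0, $len), substr($raw, $len)];
}

function make_salted(string $scheme, string $password, string $salt): string
{
    [$algo] = SCHEMES[$scheme];
    return $scheme . base64_encode(hash($algo, $password . $salt, true) . $salt);
}

function verify_salted(string $password, string $stored): bool
{
    $parts = split_salted($stored);
    if ($parts === null) {
        return false;
    }
    [$algo, $digest, $salt] = $parts;
    return hash_equals($digest, hash($algo, $password . $salt, true));
}

// Constructed samples: a 4-byte salt, and an 8-byte salt with a lower-case tag.
$a = make_salted('{SSHA}', 'secret', "\x01\x02\x03\x04");
$b = '{smd5}' . substr(make_salted('{SMD5}', 'secret', 'saltsalt'), 6);
var_dump(verify_salted('secret', $a));
var_dump(verify_salted('secret', $b));
var_dump(verify_salted('wrong', $a));
```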