hi,
it seems that Crypto.crypt_md5() has changed from 7.5.17 to 7.5.19:
Pike v7.5 release 19 running Hilfe v3.5:
Crypto.crypt_md5("steam", "$1$Kc1wkp//$NZDtxhZkKVLHflUk71E0n0");
(8) Result: 1
while in all older versions the result is: "$1$Kc1wkp//$NZDtxhZkKVLHflUk71E0n0"
i.e. instead of encrypting the string with the salt of the second argument, it now does a comparison.
while i agree that giving a second argument is most often used to compare two passwords, i do think that this should be done with a new function (e.g. Crypt.check_md5()) and that crypt_md5() remains as it was.
greetings, martin.
It works with #pike 7.4.
Pike v7.5 release 19 running Hilfe v3.5 (Incremental Pike Frontend)
__VERSION__;
(1) Result: 7.400000
Crypto.crypt_md5("steam", "$1$Kc1wkp//$NZDtxhZkKVLHflUk71E0n0");
(2) Result: "$1$Kc1wkp//$NZDtxhZkKVLHflUk71E0n0"
It even emulates the bugs...
/ Martin Nilsson (saturator)
Previous text:
2004-03-08 16:34: Subject: Crypto.crypt_md5();
/ Brevbäraren
well, that requires one to find out that the semantics change. took me a while to track this one down, because it's not obvious that
foo==Crypt.crypt_md5(bar, foo);
would now always fail. typechecking might help if Crypt.crypt_md5() would now return only int, then the error would be obvious and easy to fix.
as it is, i suspect that this change will bite a number of people.
greetings, martin.
Ok. Splitting crypt_md5 into make_crypt_md5 and verify_crypt_md5.
/ Martin Nilsson (saturator)
Previous text:
2004-03-08 17:01: Subject: Re: Crypto.crypt_md5();
/ Brevbäraren
If you're changing the name, why not call it hash instead of crypt? I mean, md5 is not encryption so it's illogical to include it in the function name.
/ David Hedbor
Previous text:
2004-03-08 17:36: Subject: Re: Crypto.crypt_md5();
/ Martin Nilsson (saturator)
Because it's a replacement for crypt(3C)? Note that md5_crypt() does not perform a single md5 hash of its input.
/ Henrik Grubbström (Lysator)
Previous text:
2004-03-08 17:55: Subject: Re: Crypto.crypt_md5();
/ David Hedbor
It is really braindamaged in what it does as well, I might add. Never use it unless you really have to. Read src/post_modules/Nettle/crypt_md5.c for more insights...
/ Martin Nilsson (saturator)
Previous text:
2004-03-08 17:59: Subject: Re: Crypto.crypt_md5();
/ Henrik Grubbström (Lysator)
better, thanks.
though given that the result of unix crypt(3) is also an encrypted string i see no reason to move from crypt to make_crypt.
greetings, martin.
pike-devel@lists.lysator.liu.se
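
The make/verify split discussed in this thread, as an added Python sketch that is not Pike's code or any poster's: it implements the widely documented md5-crypt ("$1$") scheme, which runs 1000 chained MD5 rounds rather than a single hash, and shows why the old equality idiom breaks once the call returns a truth value. The function names reuse the ones proposed in the thread; taking a bare salt in make_crypt_md5 and the model function crypt_md5_7_5_19 are assumptions made for this example.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def make_crypt_md5(password: str, salt: str) -> str:
    """Return the "$1$salt$hash" string for password (md5-crypt scheme)."""
    pw, sl = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for n in range(len(pw), 0, -16):      # one byte of alt per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                              # historical quirk: NUL or first pw byte per bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                 # 1000 chained rounds, not one md5
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c, width in ((0, 6, 12, 4), (1, 7, 13, 4), (2, 8, 14, 4),
                           (3, 9, 15, 4), (4, 10, 5, 4), (11, 11, 11, 2)):
        v = final[11] if width == 2 else final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(width):            # 6 bits per output character, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    return "$1$" + sl.decode() + "$" + out

def verify_crypt_md5(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in stored; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    candidate = make_crypt_md5(password, parts[2])
    return hmac.compare_digest(candidate.encode(), stored.encode())

def crypt_md5_7_5_19(password: str, second: str) -> int:
    """Hypothetical model of the 7.5.19 behaviour reported above: a truth value."""
    return int(verify_crypt_md5(password, second))

STORED = "$1$Kc1wkp//$NZDtxhZkKVLHflUk71E0n0"   # hash quoted in the thread

if __name__ == "__main__":
    print(make_crypt_md5("steam", "Kc1wkp//"))
    print(verify_crypt_md5("steam", STORED))
    print(STORED == crypt_md5_7_5_19("steam", STORED))   # old idiom: always False
```

With a verify function that returns only a truth value, a caller that still writes `stored == f(password, stored)` rejects every login, which is a fail-closed breakage but one that is silent unless the return type is checked.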