So I'm still (foolishly?) trying to use the authdaemond to allow users
to change their userdb passwords. I guess I'm using completely untested
code at the moment in authuserdbpwd.c, 'cause I've found another crash
bug, and another non-crash fatal bug. :)
authuserdbpwd.c line 56:
- char *q=malloc(hmac->hh_L*2+1);
+ char *q=malloc(hmac->hh_L*4+1);
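Review bot: the new size on the + line, hmac->hh_L*4+1, is an unexplained magic number; add a comment (or a named macro) stating what is written into q and why it needs four bytes per unit of hh_L plus the terminator, so the bound can be checked against the code that fills it. The result of malloc is also assigned to q without a NULL check in the line shown; if the following code does not test q before writing to it, that should be added in the same change.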
Caused a segfault when trying to set a hmac password.
Now, what I think are more bugs.
if (strncmp(service, "hmac-", 5) == 0)
This misses out on services like imap-hmac-md5pw, which are valid.
When it calls authcheckpassword at line 182, it gives it two strings of
the form that hmacpw spits out, namely unadorned hashes.
authcheckpassword doesn't know to do anything special with those and
tries to crypt the incoming string and compare that against the other
instead of doing a straight strcmp. I'm not sure where the bug lies
here, whether it's supposed to call authcheckpassword with different
things or what, but it's certainly not working right.
On a slightly different note:
It'd be really nice also if changing foopw would also change
foo-hmac-md5pw and foo-hmac-sha1pw if they exist, so that the passwords
are always kept in sync without having to do anything special. In my
password changing code now I am (well, will be as soon as it's working)
calling authdaemon.passwd twice, once for the normal password and once
for the hmac-md5 password.
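
The two checks discussed in the message above, as an added example that is not part of the original post and is not code from authuserdbpwd.c: one helper that recognises an hmac service name with or without a service prefix, and one that compares two unadorned hex hashes directly. Both function names are hypothetical, the sample names in main() are constructed, and the comparison that does not stop at the first mismatch is a substitution for the plain strcmp the post mentions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return the "hmac-<hash>" component of a service
 * name, at the start ("hmac-md5") or after a prefix ("imap-hmac-md5pw"),
 * or NULL when there is none. */
const char *find_hmac_component(const char *service)
{
	const char *p = service;

	while (p != NULL && *p != '\0') {
		/* p is at the start of a '-'-separated component here */
		if (strncmp(p, "hmac-", 5) == 0 && p[5] != '\0')
			return p;
		p = strchr(p, '-');
		if (p != NULL)
			p++;
	}
	return NULL;
}

/* Hypothetical helper: compare two unadorned hex hashes directly instead
 * of crypt()ing one side. Returns 1 only for equal, non-empty hex strings;
 * the loop does not stop at the first mismatch. */
int hex_hashes_equal(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b), i;
	unsigned char diff = 0;

	if (la != lb || la == 0)
		return 0;
	for (i = 0; i < la; i++) {
		if (!isxdigit((unsigned char)a[i]) || !isxdigit((unsigned char)b[i]))
			return 0;
		diff |= (unsigned char)(a[i] ^ b[i]);
	}
	return diff == 0;
}

int main(void)
{
	/* Constructed sample names, not taken from a real userdb */
	const char *names[] = { "hmac-md5", "imap-hmac-md5pw", "imappw" };
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%s -> %s\n", names[i],
		       find_hmac_component(names[i]) ? "hmac" : "not hmac");
	return 0;
}
```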