So I'm still (foolishly?) trying to use the authdaemond to allow users to change their userdb passwords. I guess I'm using completely untested code at the moment in authuserdbpwd.c, cause I've found another crash bug, and another noncrash fatal bug. :)

First off: authuserdbpwd.c line 56: - char *q=malloc(hmac->hh_L*2+1); + char *q=malloc(hmac->hh_L*4+1); Caused a segfault when trying to set a hmac password.

Now, what I think are more bugs. line 98: if (strncmp(service, "hmac-", 5) == 0) This misses out on services like imap-hmac-md5pw, which are valid.

When it calls authcheckpassword at line 182, it gives it two strings of the form that hmacpw spits out, namely unadorned hashes. authcheckpassword doesn't know to do anything special with those and tries to crypt the incoming string and compare that against the other instead of doing a straight strcmp. I'm not sure where the bug lies here, whether its supposed to call authcheckpassword with different things or what, but its certainly not working right.

On a slightly different note: It'd be really nice also if changing foopw would also change foo-hmac-md5pw and foo-hmac-sha1pw if they exist, so that the passwords are always kept in synch without having to do anything special. In my password changing code now I am (well will be as soon as its working) calling authdaemon.passwd twice, once for the normal password and once for the hmac-md5 password.

James