From 5ed1619e1d1507a8c181153ca78fdfd2ceb0f96c Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Mon, 19 Oct 2009 20:53:04 +0000
Subject: [PATCH] Change the default algorithm for htpasswd to MD5 on all
platforms. Crypt with its 8 character limit is not useful anymore.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@826805 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 2 ++
docs/manual/programs/htpasswd.xml | 22 ++++++++++------------
support/htpasswd.c | 14 +++++---------
3 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/CHANGES b/CHANGES
index 6973be2319..702d4a6c1b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,8 @@ Changes with Apache 2.3.3
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch , Joe Orton]
+ *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]
+
*) mod_sed: Reduce memory consumption when processing very long lines.
PR 48024 [Basant Kumar Kukreja ]
diff --git a/docs/manual/programs/htpasswd.xml b/docs/manual/programs/htpasswd.xml
index 86bffcf968..259af6cd83 100644
--- a/docs/manual/programs/htpasswd.xml
+++ b/docs/manual/programs/htpasswd.xml
@@ -103,14 +103,12 @@ distribution.
one) is omitted. It cannot be combined with the -c
option.
-m
- Use MD5 encryption for passwords. On Windows and Netware, this is
- the default.
+ Use MD5 encryption for passwords. This is the default.
-d
- Use crypt()
encryption for passwords. The default on all
- platforms but Windows and Netware. Though possibly supported by
- htpasswd
on all platforms, it is not supported by the
- httpd server on Windows and Netware.
+ Use crypt()
encryption for passwords. This is not
+ supported by the httpd server on Windows and
+ Netware.
-s
Use SHA encryption for passwords. Facilitates migration from/to Netscape
@@ -161,10 +159,9 @@ distribution.
Adds or modifies the password for user jsmith
. The user
- is prompted for the password. If executed on a Windows system, the password
- will be encrypted using the modified Apache MD5 algorithm; otherwise, the
- system's crypt()
routine will be used. If the file does not
- exist, htpasswd
will do nothing except return an error.
+ is prompted for the password. The password will be encrypted using the
+ modified Apache MD5 algorithm. If the file does not exist,
+ htpasswd
will do nothing except return an error.
htpasswd -c /home/doe/public_html/.htpasswd jane
@@ -176,11 +173,12 @@ distribution.
will display a message and return an error status.
- htpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve
+ htpasswd -db /usr/web/.htpasswd-all jones Pwd4Steve
Encrypts the password from the command line (Pwd4Steve
)
- using the MD5 algorithm, and stores it in the specified file.
+ using the crypt()
algorithm, and stores it in the specified
+ file.
Security Considerations
diff --git a/support/htpasswd.c b/support/htpasswd.c
index f2961c361f..8022bca2e9 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
@@ -243,14 +243,9 @@ static void usage(void)
apr_file_printf(errfile, " -n Don't update file; display results on "
"stdout." NL);
apr_file_printf(errfile, " -m Force MD5 encryption of the password"
-#if defined(WIN32) || defined(NETWARE)
" (default)"
-#endif
"." NL);
apr_file_printf(errfile, " -d Force CRYPT encryption of the password"
-#if (!(defined(WIN32) || defined(NETWARE)))
- " (default)"
-#endif
"." NL);
apr_file_printf(errfile, " -p Do not encrypt the password (plaintext)." NL);
apr_file_printf(errfile, " -s Force SHA encryption of the password." NL);
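Review bot: With the `#if` guards removed, the `-m` line is still built from three adjacent literals and the `-d` line from two, a split that only existed to make `" (default)"` conditional. Folding `" (default)"` and `"." NL` into the preceding literal would make both calls read like the single-literal `-p` and `-s` lines just below them. usage() begins before this hunk and continues past it.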
@@ -258,10 +253,11 @@ static void usage(void)
"rather than prompting for it." NL);
apr_file_printf(errfile, " -D Delete the specified user." NL);
apr_file_printf(errfile,
- "On Windows and NetWare systems the '-m' flag is used by "
- "default." NL);
+ "On other systems than Windows and NetWare the '-p' flag will "
+ "probably not work." NL);
apr_file_printf(errfile,
- "On all other systems, the '-p' flag will probably not work." NL);
+ "The SHA algorithm does not use a salt and is less secure than "
+ "the MD5 algorithm." NL);
exit(ERR_SYNTAX);
}
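Review bot: The added usage text warns that SHA is unsalted but gives no matching warning for `-d`, even though the commit message names crypt()'s 8-character limit as the reason for changing the default. A user who still passes `-d` gets, at least with traditional DES-based crypt(), a hash that ignores everything after the eighth character, so a line such as `"The CRYPT algorithm only uses the first 8 characters of the password." NL` would belong next to the SHA note. The reworded `-p` sentence would also read more naturally as `"On systems other than Windows and NetWare the '-p' flag will "`. usage() begins before this hunk.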
@@ -428,7 +424,7 @@ int main(int argc, const char * const argv[])
char *scratch, cp[MAX_STRING_LEN];
int found = 0;
int i;
- int alg = ALG_CRYPT;
+ int alg = ALG_APMD5;
int mask = 0;
apr_pool_t *pool;
int existing_file = 0;
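Review bot: The new default `ALG_APMD5` is set at the declaration without a comment, while the matching `(default)` marker lives separately in usage() and in htpasswd.xml, so the three can drift apart again. A short comment on the declaration would help, for example `/* default when none of -m/-d/-p/-s is given; keep usage() and htpasswd.xml in sync */`. Since this silently changes the hash format written for every invocation without an explicit flag, the CHANGES entry could also say that the old behaviour needs `-d` where a password file is read by software that only understands crypt() hashes; whether such consumers exist is not visible from this patch. main() continues outside this hunk.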
--
2.40.0