Crypto.Hash for htaccess

Hi, I play with “CryptoExample.xojo_binary_project” in the folder “Framework” of “Example Projects”.
And I try to obtain the same result as on this page:
http://aspirine.org/htpasswd.html
I enter in the left TextArea:

MyUser1 MyPassword1
MyUser2 MyPassword2

I choose “MD5” and I click the button under the right TextArea “Générer le contenu du fichier htpasswd” = “Generate content of file htpasswd”.
The result is:

MyUser1:$apr1$QRcPnCFU$zac2iljvdiBqtP0ramNJn/
MyUser2:$apr1$AV/B/do3$puil8RQuh044ORX3PVie41

In the “Pressed” event of “GenerateButton” of the Xojo project, I removed the EncodeHex() :
ResultArea.Text = EncodeHex(hash)
becomes
ResultArea.Text = hash

If I enter “MyPassword1” in the Xojo project and choose MD5, the result is “�’MVR��"�����E�_”.
How do I get the result “QRcPnCFU$zac2iljvdiBqtP0ramNJn/”?

Use htpasswd or openssl:
https://httpd.apache.org/docs/2.4/misc/password_encryptions.html

Edit: MD5 is not the same as MD5 (APR).


Ahh, it is specific to Apache. Then the Xojo algorithm is not the same? There are many MD5s?

MD5 produces binary data, which is usually encoded in hex for display/editing:

result = EncodeHex(result)

I got the impression from someone that the crypto lib can support these things, we just need to request the algorithms we need.

Would someone make a ticket that provides the things we need to Bcrypt? Or should I just make a ticket for “Please add bcrypt methods to Crypto”? The Module Kem wrote is too slow to use for serious matters, and currently you need plugins as a workaround.

I’m okay with plugins, but it’d be cool to be able to use Bcrypt with the framework if it can already support it. Especially to promote secure password hashing with Web 2.0 apps.

Sorry to derail, it’s sort of related and I’ve been pondering this for a while.

I agree that this should be added natively, but…

We use that module in production code and have for years. When compiled in Aggressive mode, it is around as fast, or even faster than, other implementations I’ve tested.

You’ll have more luck if you are very specific about what you need.

That’s what I was hoping someone else knew. I don’t know the technicals beyond how to do this with M_Crypt, Einhugur, and MBS. I can describe how I want it to work, but not the crypto lib we need.

For my own use, we just use Shell class to run htpasswd command line tool to make a password if needed.

MD5 APR uses a random salt. If you run the same password twice you will get 2 different hashes for the same “password”. You just can’t compare it. There’s a validation algorithm for it. You must provide the MD5 APR hash originated with an unknown salt, the tentative password, and the algorithm will return true/false if it’s a valid hash for such password.
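Added example (Python, not code from this thread or from Xojo): the `$apr1$` scheme that the replies above distinguish from plain MD5, together with the salt-based validation this post describes. The function names `apr1_hash`, `apr1_verify` and `htpasswd_line` are this example's own.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> str:
    """Encode the low 6*n bits of v, least significant group first."""
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

def apr1_hash(password: str, salt: str) -> str:
    """Return the full $apr1$<salt>$<digest> string (not a bare MD5)."""
    pw, sl = password.encode("utf-8"), salt.encode("ascii")
    alt = hashlib.md5(pw + sl + pw).digest()      # inner digest
    ctx = hashlib.md5(pw + b"$apr1$" + sl)        # outer digest includes the magic
    for n in range(len(pw), 0, -16):              # mix in len(pw) bytes of alt
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                                      # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                         # fixed 1000-round stretch
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c3], 4) for a, b, c3 in order)
    return f"$apr1${salt}${body}{_to64(final[11], 2)}"

def apr1_verify(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in `stored`, compare in constant time."""
    parts = stored.split("$")                     # ['', 'apr1', salt, digest]
    if len(parts) != 4 or parts[1] != "apr1" or not stored.isascii():
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)

def htpasswd_line(user: str, password: str) -> str:
    """Build a 'user:hash' entry with a fresh random 8-character salt."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    return f"{user}:{apr1_hash(password, salt)}"

if __name__ == "__main__":
    # Checks the hash quoted in the first post against its password.
    print(apr1_verify("MyPassword1", "$apr1$QRcPnCFU$zac2iljvdiBqtP0ramNJn/"))
```

Because the salt is stored inside the hash string, two entries for the same password differ, and checking a password means recomputing with the stored salt rather than comparing two freshly generated hashes.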

Thank you all. I searched for how to use the Shell command “htpasswd”, and the code below seems to work:

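Dim CdeShell As New Shell
Dim TampText As String

' -n prints the entry to stdout instead of writing a file; -m (MD5) is the default.
' -b takes the password from the command line, where it is visible.
' Both values are concatenated unquoted: a space or shell metacharacter in either
' one changes the command that runs, so validate them before this call.
CdeShell.Execute "htpasswd -n -b -m " + DataUser.Text + " " + DataPassword.Text
If CdeShell.ExitCode = 0 Then
  TampText = CdeShell.Result ' the "user:hash" line printed by htpasswd
Else
  TampText = "" ' htpasswd failed, no entry produced
End If
CdeShell.Close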

TampText contains the line I need: “MyUserName:MyEncryptPassword”.