Newbie help - password hash
Hi,

I am very new to libgcrypt. I am trying to write a simple system, where a
user in order to login needs a password. I'd like to store this password
hashed in md5 on the computer. This is what I did so far:

char userPass[16]; // password of the user (string)
scanf("%s", &userPass);

char userPassHash[16]; // hash of the password
gcry_md_hash_buffer(1, userPassHash, userPass, strlen(userPass));

I was hoping that userPassHash would give me the hash of the password (which
I then convert to hex for storage), but it is not the case. I am sure I am
doing something stupid (my guess is that I cannot use the string as an input
in the hash function, but I am not sure what type of input it needs to be).
Can anyone help?

Thank you,
Charles
--
View this message in context: http://www.nabble.com/Newbie-help---password-hash-tp25425990p25425990.html
Sent from the GnuPG - Libgcrypt - Dev mailing list archive at Nabble.com.


_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel

Re: Newbie help - password hash
On Monday 14 September 2009 04:52:42 cc10 wrote:
> char userPass[16]; // password of the user (string)
> scanf("%s", &userPass);
Nothing to do with gcrypt, but what do you think will happen if the user
writes more than about 16 characters here?

> char userPassHash[16]; // hash of the password
> gcry_md_hash_buffer(1, userPassHash, userPass, strlen(userPass));

You didn't post most of your code, so it is a bit difficult to know, but did you
remember to initialize the library?

If so, can you post a minimal compilable example that shows the problem?

Brad

Re: Newbie help - password hash
On Sun, Sep 13, 2009 at 11:52:42AM -0700, cc10 wrote:
>
> Hi,
>
> I am very new to libgcrypt. I am trying to write a simple system, where a
> user in order to login needs a password. I'd like to store this password
> hashed in md5 on the computer. This is what I did so far:
>
> char userPass[16]; // password of the user (string)
> scanf("%s", &userPass);

This is dangerous, and wrong.

scanf("%16s", userPass); is a bit more correct.

>
> char userPassHash[16]; // hash of the password
> gcry_md_hash_buffer(1, userPassHash, userPass, strlen(userPass));
>

This is wrong, as well. You are supposed to say

gcry_md_hash_buffer(GCRY_MD_MD5, userPassHash, userPass, strlen(userPass));

> I was hoping that userPassHash would give me the hash of the password (which
> I then convert to hex for storage), but it is not the case. I am sure I am
> doing something stupid (my guess is that I cannot use the string as an input
> in the hash function, but I am not sure what type of input it needs to be).
> Can anyone help?
>
> Thank you,
> Charles
> --



----- End forwarded message -----

Re: Newbie help - password hash
>This is dangerous, and wrong.

>scanf("%16s", userPass); is a bit more correct.

Thank you, will fix it.

>gcry_md_hash_buffer(GCRY_MD_MD5, userPassHash, userPass, strlen(userPass));

Tried it both ways (1, and GCRY_MD_MD5), still won't give me the right hash.
It is weird as it seems the beginning is right, and then it's a bunch of
f's.



Re: Newbie help - password hash
On Mon, Sep 14, 2009 at 06:11:17AM -0700, cc10 wrote:
>
> >This is dangerous, and wrong.
>
> >scanf("%16s", userPass); is a bit more correct.
>
> Thank you, will fix it.
>
> >gcry_md_hash_buffer(GCRY_MD_MD5, userPassHash, userPass, strlen(userPass));
>
> Tried it both ways (1, and GCRY_MD_MD5), still won't give me the right hash.
> It is weird as it seems the beginning is right, and then it's a bunch of
> f's.
>

Did you initialize the library correctly?

Here's how I would do this:

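#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gcrypt.h>

int main(void)
{
    char pw[16];
    unsigned char hash[16]; // MD5 digest is 16 bytes; unsigned so %02x prints two digits per byte
    size_t i;

    // initialize libgcrypt before any other call into it
    if (!gcry_check_version(GCRYPT_VERSION)) exit(1);
    gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
    gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);

    if (!fgets(pw, sizeof pw, stdin)) exit(1); // prevents buffer overflow
    pw[strcspn(pw, "\n")] = '\0'; // drop the newline fgets keeps, so it is not hashed

    gcry_md_hash_buffer(GCRY_MD_MD5, hash, pw, strlen(pw));

    for (i = 0; i < sizeof hash; i++)
        printf("%02x", hash[i]);
    printf("\n");
    return 0;
}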

Aki Tuomi
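
An added example, not code from any poster in this thread: it isolates the two defects discussed above, bounded password input and hex-encoding a digest, and shows that printing digest bytes held in signed char with "%02x" yields the "bunch of f's" output. The function names and the sample digest are chosen here for illustration; cc10's own hex conversion code is not on the page, so that this is the cause of the reported symptom is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample input: the well-known MD5 digest of the empty string. */
static const unsigned char SAMPLE_MD5[16] = {
    0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
    0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e };

/* Read one line into buf[n]. Over-long lines are drained and rejected rather
   than silently truncated. Returns 0 on success, -1 on EOF or overflow. */
int read_password(FILE *in, char *buf, size_t n)
{
    int c, extra = 0;
    if (!fgets(buf, (int)n, in)) return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] != '\n')                 /* no newline seen: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n') extra = 1;
    buf[len] = '\0';                      /* never hash the trailing newline */
    return extra ? -1 : 0;
}

/* The bug: digest bytes held in signed char. A byte >= 0x80 is negative, is
   sign-extended when promoted to int, and "%02x" prints it as ffffffXX. */
int hex_naive(const signed char *d, size_t n, char *out, size_t outsz)
{
    size_t pos = 0;
    for (size_t i = 0; i < n && pos < outsz; i++)   /* cast = what printf sees */
        pos += (size_t)snprintf(out + pos, outsz - pos, "%02x", (unsigned)(int)d[i]);
    return (int)pos;
}

/* The fix: treat the digest as unsigned bytes and check the output size. */
int hex_encode(const unsigned char *d, size_t n, char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";
    if (outsz < 2 * n + 1) return -1;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[d[i] >> 4];
        out[2 * i + 1] = digits[d[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return (int)(2 * n);
}
int main(void)
{
    char bad[128], good[33];
    hex_naive((const signed char *)SAMPLE_MD5, 16, bad, sizeof bad);
    hex_encode(SAMPLE_MD5, 16, good, sizeof good);
    printf("signed char: %s\nunsigned:    %s\n", bad, good);
}
```

The signed variant expands 16 bytes into 92 characters instead of 32, so it also overruns any buffer sized for a 32-character hex string.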
