Heya,

Please let me know if this question doesn't make any sense, I'm still trying to wrap my mind around it.

I'm working on a clients server that only has blowfish available for its crypt(3) functions. Ecrypting thingies in Perl doesn't seem to work - observe:

 

#!/usr/bin/perl 
my $pw   = 'secret'; 
my $salt = 'sa'l
print crypt($pw, $salt);
[download]

Should print the same encrypted pass over and over again, like, "saHW9GdxihkGQ"

But, on the blowfish-only server, it prints out things like:

$2a$04$sbKVIAQsDwhO1/am9JaVI.qr13R.8.Cn5Xxqbj6aSqcad/9z3p0Jy

Obviously, I'm doing something wrong. For one - I do not see the salt number in the string. The length is much different, but I chalk that up to the different encryption spec. The string, "$2a$04$" is always present, so I'm assuming that this is some sort of marker that tells me I'm working with a blowfish encryption.

The question is - how do I now compare this encrypted string to an unencrypted string to validate a password?

Regularly, you would just encrypt the password you want to challenge the encrypted password with (using the same salt) - if they match, you've entered the correct password.

I'm missing a step. Sort of a:

 

if($mySavedPassword =~ s/^\$2a\$04\$/){ 
  # ... blowfish!
}
[download]

Does anyone care to enlighten? I know about the Crypt::Blowfish module, I don't necessarily want to use it - I'm sort of asking also why Perl's crypt function isn't working as expected.

Thanks, y'all