FWIW, from looking at the suggested code (html.inc.php) it looks like not only does the do_login function check md5 but it also checks a simple crypt(), salted with itself (I presume for legacy support).
It does _not_ seem to update crypted passwords (which is consistent with what I've seen from doing testing).
In any case I think that gives me what I need, which is to check both md5 AND crypt when I compare passwords.
Thanks for the pointer to the code!--David
