You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by di...@hyperreal.org on 1999/08/02 12:13:51 UTC
cvs commit: apache-1.3/src/support/SHA1 README.sha1 convert-sha1.pl htpasswd-sha1.pl ldif-sha1.example
dirkx 99/08/02 03:13:51
Modified: htdocs/manual new_features_1_3.html
htdocs/manual/new_features_1_3.html src/CHANGES
src/ap/Makefile.tmpl src/ap/ap_md5c.c
src/include/ap_md5.h
src/modules/standard/mod_auth.c
src/modules/standard/mod_auth_db.c
src/modules/standard/mod_auth_dbm.c
src/support/README src/support/htpasswd.1
src/support/htpasswd.c
src CHANGES htdocs/manual/new_features_1_3.html
src/CHANGES src/ap/Makefile.tmpl src/ap/ap_md5c.c
src/include/ap_md5.h
src/modules/standard/mod_auth.c
src/modules/standard/mod_auth_db.c
src/modules/standard/mod_auth_dbm.c
src/support/README src/support/htpasswd.1
src/support/htpasswd.c
src/ap Makefile.tmpl ap_md5c.c
htdocs/manual/new_features_1_3.html src/CHANGES
src/ap/Makefile.tmpl src/ap/ap_md5c.c
src/include/ap_md5.h
src/modules/standard/mod_auth.c
src/modules/standard/mod_auth_db.c
src/modules/standard/mod_auth_dbm.c
src/support/README src/support/htpasswd.1
src/support/htpasswd.c
src/include ap_md5.h htdocs/manual/new_features_1_3.html
src/CHANGES src/ap/Makefile.tmpl src/ap/ap_md5c.c
src/include/ap_md5.h
src/modules/standard/mod_auth.c
src/modules/standard/mod_auth_db.c
src/modules/standard/mod_auth_dbm.c
src/support/README src/support/htpasswd.1
src/support/htpasswd.c
src/modules/standard mod_auth.c mod_auth_db.c mod_auth_dbm.c
htdocs/manual/new_features_1_3.html src/CHANGES
src/ap/Makefile.tmpl src/ap/ap_md5c.c
src/include/ap_md5.h
src/modules/standard/mod_auth.c
src/modules/standard/mod_auth_db.c
src/modules/standard/mod_auth_dbm.c
src/support/README src/support/htpasswd.1
src/support/htpasswd.c
src/support README htpasswd.1 htpasswd.c
htdocs/manual/new_features_1_3.html src/CHANGES
src/ap/Makefile.tmpl src/ap/ap_md5c.c
src/include/ap_md5.h
src/modules/standard/mod_auth.c
src/modules/standard/mod_auth_db.c
src/modules/standard/mod_auth_dbm.c
src/support/README src/support/htpasswd.1
src/support/htpasswd.c
src/support/SHA1 htdocs/manual/new_features_1_3.html
src/CHANGES src/ap/Makefile.tmpl src/ap/ap_md5c.c
src/include/ap_md5.h
src/modules/standard/mod_auth.c
src/modules/standard/mod_auth_db.c
src/modules/standard/mod_auth_dbm.c
src/support/README src/support/htpasswd.1
src/support/htpasswd.c
Added: htdocs/manual src/ap/ap_checkpass.c
src/include/ap_checkpass.h src/ap/ap_sha1.c
src/include/ap_sha1.h src/support/SHA1/README.sha1
src/support/SHA1/convert-sha1.pl
src/support/SHA1/htpasswd-sha1.pl
src/support/SHA1/ldif-sha1.example
src src/ap/ap_checkpass.c src/include/ap_checkpass.h
src/ap/ap_sha1.c src/include/ap_sha1.h
src/support/SHA1/README.sha1
src/support/SHA1/convert-sha1.pl
src/support/SHA1/htpasswd-sha1.pl
src/support/SHA1/ldif-sha1.example
src/ap ap_checkpass.c ap_sha1.c src/ap/ap_checkpass.c
src/include/ap_checkpass.h src/ap/ap_sha1.c
src/include/ap_sha1.h src/support/SHA1/README.sha1
src/support/SHA1/convert-sha1.pl
src/support/SHA1/htpasswd-sha1.pl
src/support/SHA1/ldif-sha1.example
src/include ap_checkpass.h ap_sha1.h src/ap/ap_checkpass.c
src/include/ap_checkpass.h src/ap/ap_sha1.c
src/include/ap_sha1.h src/support/SHA1/README.sha1
src/support/SHA1/convert-sha1.pl
src/support/SHA1/htpasswd-sha1.pl
src/support/SHA1/ldif-sha1.example
src/modules/standard src/ap/ap_checkpass.c
src/include/ap_checkpass.h src/ap/ap_sha1.c
src/include/ap_sha1.h src/support/SHA1/README.sha1
src/support/SHA1/convert-sha1.pl
src/support/SHA1/htpasswd-sha1.pl
src/support/SHA1/ldif-sha1.example
src/support src/ap/ap_checkpass.c src/include/ap_checkpass.h
src/ap/ap_sha1.c src/include/ap_sha1.h
src/support/SHA1/README.sha1
src/support/SHA1/convert-sha1.pl
src/support/SHA1/htpasswd-sha1.pl
src/support/SHA1/ldif-sha1.example
src/support/SHA1 README.sha1 convert-sha1.pl
htpasswd-sha1.pl ldif-sha1.example
src/ap/ap_checkpass.c src/include/ap_checkpass.h
src/ap/ap_sha1.c src/include/ap_sha1.h
src/support/SHA1/README.sha1
src/support/SHA1/convert-sha1.pl
src/support/SHA1/htpasswd-sha1.pl
src/support/SHA1/ldif-sha1.example
Log:
In order to fold in support for SHA / LDAP Directory Interchange
Format style passwords (which make integration or migration between
apache and netscape intstallations easier) the following has been done:
1. move ap_validate_passwd() out into its own function, and
change includes from ap_md5.h into ap_checkpasswd.h in the
various auth sections.
2. collate some to64 encodings into a single ap_to64
3. Add a ap_sha1.c along the lines of ap_md5.c
4. Add some flags to htpasswd, and make some man page chnages
Added some blurp in the html docs.
5. add a directory SHA1 in support with some usefull examples
for peoply trying to integrate or migrate from/to netscape
servers.
Obtained from Clinton Wong <cl...@netcom.com> and reworked into
something sepearate from ap_mda5c.c
But it could benefit from further abstraction; same goed for the
various base64, uunecode and mime-style base64 encoders we have
floating around.
Also, we could deal with string lenghts and verify lengths better.
Revision Changes Path
1.80 +9 -0 apache-1.3/htdocs/manual/new_features_1_3.html
Index: new_features_1_3.html
===================================================================
RCS file: /x3/home/cvs/apache-1.3/htdocs/manual/new_features_1_3.html,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- new_features_1_3.html 1999/03/23 14:30:40 1.79
+++ new_features_1_3.html 1999/08/02 10:13:40 1.80
@@ -675,6 +675,15 @@
</DL>
+<DT><STRONG>Support for Netscape style SHA1 encrypted passwords</STRONG><BR>
+<DD>To facilitate migration or integration of BasicAuth password
+ schemes where the password is encrypted using SHA1 (as opposed
+ to apache's build in MD5 and/or the OS specific crypt(3) function
+ ) passwords prefixed with with <CODE>{SHA1}</CODE> are taken
+ as Base64 encoded SHA1 passwords. More information and
+ some utilities to convert Netscape ldap/ldif entries can be
+ found in support/SHA1.
+
<!--#include virtual="footer.html" -->
</BODY>
</HTML>
1.1407 +9 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1406
retrieving revision 1.1407
diff -u -r1.1406 -r1.1407
--- CHANGES 1999/07/31 03:30:16 1.1406
+++ CHANGES 1999/08/02 10:13:42 1.1407
@@ -1,5 +1,14 @@
Changes with Apache 1.3.8
+ *) Added SHA1 password encryption support to easy migration from
+ Netscape servers. See support/SHA1 for more information; based
+ on the code contributed by Clinton Wong <cl...@netcom.com>.
+ Caused the separation of ap_md5.c into md5, sha1 and a general
+ ap_checkpass.c with just a validate_passwd routine. Added a
+ couple of flags to support/htpasswd. Some reuse of the to64()
+ function; hence renamed to ap_to64().
+ [dirkx]
+
*) Change for EBCDIC platforms (TPF and BS2000) to correctly deal
with ASCII/EBCDIC conversions in "ident" query.
[David McCreedy <Mc...@us.ibm.com>]
1.33 +1 -1 apache-1.3/src/ap/Makefile.tmpl
Index: Makefile.tmpl
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/ap/Makefile.tmpl,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- Makefile.tmpl 1999/05/31 17:09:30 1.32
+++ Makefile.tmpl 1999/08/02 10:13:44 1.33
@@ -6,7 +6,7 @@
LIB=libap.a
OBJS=ap_cpystrn.o ap_execve.o ap_fnmatch.o ap_getpass.o ap_md5c.o ap_signal.o \
- ap_slack.o ap_snprintf.o
+ ap_slack.o ap_snprintf.o ap_sha1.o ap_checkpass.o
.c.o:
$(CC) -c $(INCLUDES) $(CFLAGS) $<
1.28 +8 -46 apache-1.3/src/ap/ap_md5c.c
Index: ap_md5c.c
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/ap/ap_md5c.c,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- ap_md5c.c 1999/04/27 20:36:28 1.27
+++ ap_md5c.c 1999/08/02 10:13:44 1.28
@@ -415,15 +415,14 @@
* Define the Magic String prefix that identifies a password as being
* hashed using our algorithm.
*/
-static const char *apr1_id = "$apr1$";
+const char *apr1_id = "$apr1$";
/*
* The following MD5 password encryption code was largely borrowed from
* the FreeBSD 3.0 /usr/src/lib/libcrypt/crypt.c file, which is
* licenced as stated at the top of this file.
*/
-
-static void to64(char *s, unsigned long v, int n)
+API_EXPORT(void) ap_to64(char *s, unsigned long v, int n)
{
static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
@@ -572,12 +571,12 @@
p = passwd + strlen(passwd);
- l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p, l, 4); p += 4;
- l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p, l, 4); p += 4;
- l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p, l, 4); p += 4;
- l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p, l, 4); p += 4;
- l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p, l, 4); p += 4;
- l = final[11] ; to64(p, l, 2); p += 2;
+ l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; ap_to64(p, l, 4); p += 4;
+ l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; ap_to64(p, l, 4); p += 4;
+ l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; ap_to64(p, l, 4); p += 4;
+ l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; ap_to64(p, l, 4); p += 4;
+ l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; ap_to64(p, l, 4); p += 4;
+ l = final[11] ; ap_to64(p, l, 2); p += 2;
*p = '\0';
/*
@@ -586,41 +585,4 @@
memset(final, 0, sizeof(final));
ap_cpystrn(result, passwd, nbytes - 1);
-}
-
-/*
- * Validate a plaintext password against a smashed one. Use either
- * crypt() (if available) or ap_MD5Encode(), depending upon the format
- * of the smashed input password. Return NULL if they match, or
- * an explanatory text string if they don't.
- */
-
-API_EXPORT(char *) ap_validate_password(const char *passwd, const char *hash)
-{
- char sample[120];
- char *crypt_pw;
-
- if (!strncmp(hash, apr1_id, strlen(apr1_id))) {
- /*
- * The hash was created using our custom algorithm.
- */
- ap_MD5Encode((const unsigned char *)passwd,
- (const unsigned char *)hash, sample, sizeof(sample));
- }
- else {
- /*
- * It's not our algorithm, so feed it to crypt() if possible.
- */
-#if defined(WIN32) || defined(TPF)
- /*
- * On Windows, the only alternative to our MD5 algorithm is plain
- * text.
- */
- ap_cpystrn(sample, passwd, sizeof(sample) - 1);
-#else
- crypt_pw = crypt(passwd, hash);
- ap_cpystrn(sample, crypt_pw, sizeof(sample) - 1);
-#endif
- }
- return (strcmp(sample, hash) == 0) ? NULL : "password mismatch";
}
1.1 apache-1.3/src/ap/ap_checkpass.c
Index: ap_checkpass.c
===================================================================
/* ====================================================================
* Copyright (c) 1996-1999 The Apache Group. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* 4. The names "Apache Server" and "Apache Group" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Group and was originally based
* on public domain software written at the National Center for
* Supercomputing Applications, University of Illinois, Urbana-Champaign.
* For more information on the Apache Group and the Apache HTTP server
* project, please see <http://www.apache.org/>.
*
* Simple password verify, which 'know's about various password
* types, such as the simple base64 encoded crypt()s, MD5 $ marked
* FreeBSD style and netscape SHA1's.
*/
#include <string.h>
#include "ap_config.h"
#include "ap_md5.h"
#include "ap_sha1.h"
#include "ap.h"
#ifdef CHARSET_EBCDIC
#include "ebcdic.h"
#endif /*CHARSET_EBCDIC*/
#if HAVE_CRYPT_H
#include <crypt.h>
#endif
/*
* Validate a plaintext password against a smashed one. Use either
* crypt() (if available), ap_MD5Encode() or ap_SHA1Encode depending
* upon the format of the smashed input password.
*
* Return NULL if they match, or an explanatory text string if they don't.
*/
API_EXPORT(char *) ap_validate_password(const char *passwd, const char *hash)
{
char sample[120];
char *crypt_pw;
/* FreeBSD style MD5 string
*/
if (!strncmp(hash, apr1_id, strlen(apr1_id))) {
ap_MD5Encode((const unsigned char *)passwd,
(const unsigned char *)hash, sample, sizeof(sample));
}
/* Netscape / SHA1 ldap style strng
*/
else if (!strncmp(hash, sha1_id, strlen(sha1_id))) {
ap_sha1_base64(passwd, strlen(passwd), sample);
}
else {
/*
* It's not our algorithm, so feed it to crypt() if possible.
*/
#if defined(WIN32) || defined(TPF)
/*
* On Windows, the only alternative to our MD5 algorithm is plain
* text.
*/
ap_cpystrn(sample, passwd, sizeof(sample) - 1);
#else
crypt_pw = crypt(passwd, hash);
ap_cpystrn(sample, crypt_pw, sizeof(sample) - 1);
#endif
}
return (strcmp(sample, hash) == 0) ? NULL : "password mismatch";
}
1.1 apache-1.3/src/ap/ap_sha1.c
Index: ap_sha1.c
===================================================================
/* ====================================================================
* Copyright (c) 1996-1999 The Apache Group. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* 4. The names "Apache Server" and "Apache Group" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Group and was originally based
* on public domain software written at the National Center for
* Supercomputing Applications, University of Illinois, Urbana-Champaign.
* For more information on the Apache Group and the Apache HTTP server
* project, please see <http://www.apache.org/>.
*
* The only exported function:
*
* ap_sha1_base64(char *clear, int len, char *out);
*
* provides a means to SHA1 crypt/encode a plaintext password in
* a way which makes password files compatible with those commonly
* used in netscape web and ldap installations. It was put together
* by Clinton Wong <cl...@netcom.com>, who also notes that:
*
* Note: SHA1 support is useful for migration purposes, but is less
* secure than Apache's password format, since Apache's (MD5)
* password format uses a random eight character salt to generate
* one of many possible hashes for the same password. Netscape
* uses plain SHA1 without a salt, so the same password
* will always generate the same hash, making it easier
* to break since the search space is smaller.
*
* See also the documentation in support/SHA1 as to hints on how to
* migrate an existing netscape installation and other supplied utitlites.
*
* This software also makes use of the following components:
*
* NIST Secure Hash Algorithm
* heavily modified by Uwe Hollerbach uh@alumni.caltech edu
* from Peter C. Gutmann's implementation as found in
* Applied Cryptography by Bruce Schneier
* This code is hereby placed in the public domain
*
* MIME Base 64 encoding based on src/metamail/codes.c in metamail,
* available at: ftp://thumper.bellcore.com/pub/nsb/
*
* Metamail's copyright is:
* Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore)
* Permission to use, copy, modify, and distribute this material
* for any purpose and without fee is hereby granted, provided
* that the above copyright notice and this permission notice
* appear in all copies, and that the name of Bellcore not be
* used in advertising or publicity pertaining to this
* material without the specific, prior written permission
* of an authorized representative of Bellcore. BELLCORE
* MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY
* OF THIS MATERIAL FOR ANY PURPOSE. IT IS PROVIDED "AS IS",
* WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
*/
#include <string.h>
#include "ap_config.h"
#include "ap_sha1.h"
#include "ap.h"
#ifdef CHARSET_EBCDIC
#include "ebcdic.h"
#endif /*CHARSET_EBCDIC*/
/* a bit faster & bigger, if defined */
#define UNROLL_LOOPS
/* NIST's proposed modification to SHA, 7/11/94 */
#define USE_MODIFIED_SHA
/* SHA f()-functions */
#define f1(x,y,z) ((x & y) | (~x & z))
#define f2(x,y,z) (x ^ y ^ z)
#define f3(x,y,z) ((x & y) | (x & z) | (y & z))
#define f4(x,y,z) (x ^ y ^ z)
/* SHA constants */
#define CONST1 0x5a827999L
#define CONST2 0x6ed9eba1L
#define CONST3 0x8f1bbcdcL
#define CONST4 0xca62c1d6L
/* 32-bit rotate */
#define ROT32(x,n) ((x << n) | (x >> (32 - n)))
#define FUNC(n,i) \
temp = ROT32(A,5) + f##n(B,C,D) + E + W[i] + CONST##n; \
E = D; D = C; C = ROT32(B,30); B = A; A = temp
typedef unsigned char BYTE; /* an 8-bit quantity */
typedef unsigned long LONG; /* a 32-bit quantity */
#define SHA_BLOCKSIZE 64
#define SHA_DIGESTSIZE 20
typedef struct {
LONG digest[5]; /* message digest */
LONG count_lo, count_hi; /* 64-bit bit count */
LONG data[16]; /* SHA data buffer */
int local; /* unprocessed amount in data */
} SHA_INFO;
void sha_init(SHA_INFO *);
void sha_update(SHA_INFO *, BYTE *, int);
void sha_final(SHA_INFO *);
void sha_raw_swap(SHA_INFO *);
void output64chunk(unsigned char, unsigned char, unsigned char,
int, unsigned char **);
void encode_mime64(unsigned char *, unsigned char *, int);
void sha1_base64(char *, int, char *);
/* do SHA transformation */
static void sha_transform(SHA_INFO *sha_info)
{
int i;
LONG temp, A, B, C, D, E, W[80];
for (i = 0; i < 16; ++i) {
W[i] = sha_info->data[i];
}
for (i = 16; i < 80; ++i) {
W[i] = W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16];
#ifdef USE_MODIFIED_SHA
W[i] = ROT32(W[i], 1);
#endif /* USE_MODIFIED_SHA */
}
A = sha_info->digest[0];
B = sha_info->digest[1];
C = sha_info->digest[2];
D = sha_info->digest[3];
E = sha_info->digest[4];
#ifdef UNROLL_LOOPS
FUNC(1, 0); FUNC(1, 1); FUNC(1, 2); FUNC(1, 3); FUNC(1, 4);
FUNC(1, 5); FUNC(1, 6); FUNC(1, 7); FUNC(1, 8); FUNC(1, 9);
FUNC(1,10); FUNC(1,11); FUNC(1,12); FUNC(1,13); FUNC(1,14);
FUNC(1,15); FUNC(1,16); FUNC(1,17); FUNC(1,18); FUNC(1,19);
FUNC(2,20); FUNC(2,21); FUNC(2,22); FUNC(2,23); FUNC(2,24);
FUNC(2,25); FUNC(2,26); FUNC(2,27); FUNC(2,28); FUNC(2,29);
FUNC(2,30); FUNC(2,31); FUNC(2,32); FUNC(2,33); FUNC(2,34);
FUNC(2,35); FUNC(2,36); FUNC(2,37); FUNC(2,38); FUNC(2,39);
FUNC(3,40); FUNC(3,41); FUNC(3,42); FUNC(3,43); FUNC(3,44);
FUNC(3,45); FUNC(3,46); FUNC(3,47); FUNC(3,48); FUNC(3,49);
FUNC(3,50); FUNC(3,51); FUNC(3,52); FUNC(3,53); FUNC(3,54);
FUNC(3,55); FUNC(3,56); FUNC(3,57); FUNC(3,58); FUNC(3,59);
FUNC(4,60); FUNC(4,61); FUNC(4,62); FUNC(4,63); FUNC(4,64);
FUNC(4,65); FUNC(4,66); FUNC(4,67); FUNC(4,68); FUNC(4,69);
FUNC(4,70); FUNC(4,71); FUNC(4,72); FUNC(4,73); FUNC(4,74);
FUNC(4,75); FUNC(4,76); FUNC(4,77); FUNC(4,78); FUNC(4,79);
#else /* !UNROLL_LOOPS */
for (i = 0; i < 20; ++i) {
FUNC(1,i);
}
for (i = 20; i < 40; ++i) {
FUNC(2,i);
}
for (i = 40; i < 60; ++i) {
FUNC(3,i);
}
for (i = 60; i < 80; ++i) {
FUNC(4,i);
}
#endif /* !UNROLL_LOOPS */
sha_info->digest[0] += A;
sha_info->digest[1] += B;
sha_info->digest[2] += C;
sha_info->digest[3] += D;
sha_info->digest[4] += E;
}
union endianTest {
long Long;
char Char[sizeof(long)];
};
char isLittleEndian() {
static union endianTest u;
u.Long = 1;
return(u.Char[0]==1);
}
/* change endianness of data */
/* count is the number of bytes to do an endian flip */
static void maybe_byte_reverse(LONG *buffer, int count)
{
int i;
BYTE ct[4], *cp;
if (isLittleEndian()) { /* do the swap only if it is little endian */
count /= sizeof(LONG);
cp = (BYTE *) buffer;
for (i = 0; i < count; ++i) {
ct[0] = cp[0];
ct[1] = cp[1];
ct[2] = cp[2];
ct[3] = cp[3];
cp[0] = ct[3];
cp[1] = ct[2];
cp[2] = ct[1];
cp[3] = ct[0];
cp += sizeof(LONG);
}
}
}
/* initialize the SHA digest */
void sha_init(SHA_INFO *sha_info)
{
sha_info->digest[0] = 0x67452301L;
sha_info->digest[1] = 0xefcdab89L;
sha_info->digest[2] = 0x98badcfeL;
sha_info->digest[3] = 0x10325476L;
sha_info->digest[4] = 0xc3d2e1f0L;
sha_info->count_lo = 0L;
sha_info->count_hi = 0L;
sha_info->local = 0;
}
/* update the SHA digest */
void sha_update(SHA_INFO *sha_info, BYTE *buffer, int count)
{
int i;
if ((sha_info->count_lo + ((LONG) count << 3)) < sha_info->count_lo) {
++sha_info->count_hi;
}
sha_info->count_lo += (LONG) count << 3;
sha_info->count_hi += (LONG) count >> 29;
if (sha_info->local) {
i = SHA_BLOCKSIZE - sha_info->local;
if (i > count) {
i = count;
}
memcpy(((BYTE *) sha_info->data) + sha_info->local, buffer, i);
count -= i;
buffer += i;
sha_info->local += i;
if (sha_info->local == SHA_BLOCKSIZE) {
maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE);
sha_transform(sha_info);
} else {
return;
}
}
while (count >= SHA_BLOCKSIZE) {
memcpy(sha_info->data, buffer, SHA_BLOCKSIZE);
buffer += SHA_BLOCKSIZE;
count -= SHA_BLOCKSIZE;
maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE);
sha_transform(sha_info);
}
memcpy(sha_info->data, buffer, count);
sha_info->local = count;
}
/* finish computing the SHA digest */
void sha_final(SHA_INFO *sha_info)
{
int count;
LONG lo_bit_count, hi_bit_count;
lo_bit_count = sha_info->count_lo;
hi_bit_count = sha_info->count_hi;
count = (int) ((lo_bit_count >> 3) & 0x3f);
((BYTE *) sha_info->data)[count++] = 0x80;
if (count > SHA_BLOCKSIZE - 8) {
memset(((BYTE *) sha_info->data) + count, 0, SHA_BLOCKSIZE - count);
maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE);
sha_transform(sha_info);
memset((BYTE *) sha_info->data, 0, SHA_BLOCKSIZE - 8);
} else {
memset(((BYTE *) sha_info->data) + count, 0,
SHA_BLOCKSIZE - 8 - count);
}
maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE);
sha_info->data[14] = hi_bit_count;
sha_info->data[15] = lo_bit_count;
sha_transform(sha_info);
}
/*
internally implemented as an array of longs, need to swap if
you're going to access the memory in the raw, instead of looping
through with arrays of longs.
*/
void sha_raw_swap(SHA_INFO *sha_info) {
int i;
for (i=0; i<5; ++i)
maybe_byte_reverse((LONG *) &sha_info->digest[i], 4);
}
static char basis_64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
void output64chunk(unsigned char c1, unsigned char c2, unsigned char c3,
int pads, unsigned char **outfile) {
*(*outfile)++ = basis_64[c1>>2];
*(*outfile)++ = basis_64[((c1 & 0x3)<< 4) | ((c2 & 0xF0) >> 4)];
if (pads == 2) {
*(*outfile)++ = '=';
*(*outfile)++ = '=';
} else if (pads) {
*(*outfile)++ = basis_64[((c2 & 0xF) << 2) | ((c3 & 0xC0) >>6)];
*(*outfile)++ = '=';
} else {
*(*outfile)++ = basis_64[((c2 & 0xF) << 2) | ((c3 & 0xC0) >>6)];
*(*outfile)++ = basis_64[c3 & 0x3F];
}
}
void encode_mime64(unsigned char *in, unsigned char *out, int length) {
int diff, ct=0;
while ( (diff= length - ct) ) {
if ( diff >= 3 ) {
diff = 3;
output64chunk(in[ct], in[ct+1], in[ct+2], 0, &out);
}
else if ( diff == 2 ) {
output64chunk(in[ct], in[ct+1], 0, 1, &out);
}
else if ( diff == 1 ) {
output64chunk(in[ct], 0, 0, 2, &out);
}
ct += diff;
}
*out++ = 0;
}
/* {SHA} is the prefix used for base64 encoded sha1 in
* ldap data interchange format.
*/
const char *sha1_id = "{SHA}";
API_EXPORT(void) ap_sha1_base64(char *clear, int len, char *out) {
SHA_INFO context;
if (!strncmp(clear,sha1_id,strlen(sha1_id)))
clear+=strlen(sha1_id);
sha_init(&context);
sha_update(&context, clear, len);
sha_final(&context);
sha_raw_swap(&context);
/* private marker. */
strcpy(out,sha1_id);
/* SHA1 hash is always 20 chars */
encode_mime64((char *)context.digest, out+strlen(sha1_id), 20);
/* output of MIME Base 64 encoded SHA1 is always 28 characters + strlen(sha1_id) */
}
1.6 +3 -0 apache-1.3/src/include/ap_md5.h
Index: ap_md5.h
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/include/ap_md5.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- ap_md5.h 1999/04/08 20:56:39 1.5
+++ ap_md5.h 1999/08/02 10:13:45 1.6
@@ -104,6 +104,8 @@
unsigned char buffer[64]; /* input buffer */
} AP_MD5_CTX;
+const char *apr1_id; /* MD5 passwd marker string */
+
API_EXPORT(void) ap_MD5Init(AP_MD5_CTX *context);
API_EXPORT(void) ap_MD5Update(AP_MD5_CTX *context, const unsigned char *input,
unsigned int inputLen);
@@ -111,6 +113,7 @@
API_EXPORT(void) ap_MD5Encode(const unsigned char *password,
const unsigned char *salt,
char *result, size_t nbytes);
+API_EXPORT(void) ap_to64(char *s, unsigned long v, int n);
API_EXPORT(char *) ap_validate_password(const char *passwd, const char *hash);
#ifdef __cplusplus
1.1 apache-1.3/src/include/ap_checkpass.h
Index: ap_checkpass.h
===================================================================
/* ====================================================================
* Copyright (c) 1996-1999 The Apache Group. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* 4. The names "Apache Server" and "Apache Group" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Group and was originally based
* on public domain software written at the National Center for
* Supercomputing Applications, University of Illinois, Urbana-Champaign.
* For more information on the Apache Group and the Apache HTTP server
* project, please see <http://www.apache.org/>.
*
*/
#ifndef APACHE_CHECKPASS_H
#define APACHE_CHECKPASS_H
#ifdef __cplusplus
extern "C" {
#endif
API_EXPORT(char *) ap_validate_password(const char *passwd, const char *hash);
#ifdef __cplusplus
}
#endif
#endif /* !APACHE_MD5_H */
1.1 apache-1.3/src/include/ap_sha1.h
Index: ap_sha1.h
===================================================================
/* ====================================================================
* Copyright (c) 1996-1999 The Apache Group. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* 4. The names "Apache Server" and "Apache Group" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Group and was originally based
* on public domain software written at the National Center for
* Supercomputing Applications, University of Illinois, Urbana-Champaign.
* For more information on the Apache Group and the Apache HTTP server
* project, please see <http://www.apache.org/>.
*
* NIST Secure Hash Algorithm
* heavily modified by Uwe Hollerbach uh@alumni.caltech edu
* from Peter C. Gutmann's implementation as found in
* Applied Cryptography by Bruce Schneier
* This code is hereby placed in the public domain
*
* MIME Base 64 encoding based on src/metamail/codes.c in metamail,
* available at: ftp://thumper.bellcore.com/pub/nsb/
*
* Metamail's copyright is:
* Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore)
*
* Permission to use, copy, modify, and distribute this material
* for any purpose and without fee is hereby granted, provided
* that the above copyright notice and this permission notice
* appear in all copies, and that the name of Bellcore not be
* used in advertising or publicity pertaining to this
* material without the specific, prior written permission
* of an authorized representative of Bellcore. BELLCORE
* MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY
* OF THIS MATERIAL FOR ANY PURPOSE. IT IS PROVIDED "AS IS",
* WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
*/
#ifndef APACHE_SHA1_H
#define APACHE_SHA1_H
#ifdef __cplusplus
extern "C" {
#endif
const char * sha1_id; /* passwd prefix marker for SHA1 */
API_EXPORT(void) ap_sha1_base64(char *, int, char *);
#ifdef __cplusplus
}
#endif
#endif /* !APACHE_MD5_H */
1.46 +1 -1 apache-1.3/src/modules/standard/mod_auth.c
Index: mod_auth.c
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/modules/standard/mod_auth.c,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- mod_auth.c 1999/02/03 16:22:32 1.45
+++ mod_auth.c 1999/08/02 10:13:46 1.46
@@ -74,7 +74,7 @@
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
-#include "ap_md5.h"
+#include "ap_checkpass.h"
typedef struct auth_config_struct {
char *auth_pwfile;
1.41 +1 -1 apache-1.3/src/modules/standard/mod_auth_db.c
Index: mod_auth_db.c
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/modules/standard/mod_auth_db.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- mod_auth_db.c 1999/02/03 16:22:32 1.40
+++ mod_auth_db.c 1999/08/02 10:13:47 1.41
@@ -96,7 +96,7 @@
#include "http_log.h"
#include "http_protocol.h"
#include <db.h>
-#include "ap_md5.h"
+#include "ap_checkpass.h"
#if defined(DB_VERSION_MAJOR) && (DB_VERSION_MAJOR == 2)
#define DB2
1.47 +1 -1 apache-1.3/src/modules/standard/mod_auth_dbm.c
Index: mod_auth_dbm.c
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/modules/standard/mod_auth_dbm.c,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- mod_auth_dbm.c 1999/06/09 11:13:55 1.46
+++ mod_auth_dbm.c 1999/08/02 10:13:47 1.47
@@ -80,7 +80,7 @@
#else
#include <ndbm.h>
#endif
-#include "ap_md5.h"
+#include "ap_checkpass.h"
/*
* Module definition information - the part between the -START and -END
1.2 +5 -0 apache-1.3/src/support/README
Index: README
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/support/README,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- README 1999/04/05 13:52:20 1.1
+++ README 1999/08/02 10:13:48 1.2
@@ -55,3 +55,8 @@
see the document `Apache suEXEC Support'
under http://www.apache.org/docs/suexec.html .
+SHA1
+ This directory includes some utilities to allow Apache 1.3.6 to
+ recognize passwords in SHA1 format, as used by Netscape web
+ servers. It is not installed by default.
+
1.12 +21 -2 apache-1.3/src/support/htpasswd.1
Index: htpasswd.1
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/support/htpasswd.1,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- htpasswd.1 1999/06/03 15:42:38 1.11
+++ htpasswd.1 1999/08/02 10:13:48 1.12
@@ -72,6 +72,9 @@
]
[
.B \-m
+.B \-d
+.B \-p
+.B \-s
]
.I passwdfile
.I username
@@ -120,8 +123,23 @@
Create the \fIpasswdfile\fP. If \fIpasswdfile\fP already exists, it
is rewritten and truncated.
.IP \-m
-Use MD5 encryption for passwords. On Windows, this is the only format
-supported.
+Use MD5 encryption for passwords. On Windows and TPF, this is the default.
+.IP \-d
+Use crypt() encryption for passwords. The default on all platforms but
+Windows and TPF. Though possibly supported by
+.B htpasswd
+onm all platforms, it is not supported by the
+.B httpd
+server on Windows and TPF.
+.IP \-s
+Use SHA encryption for passwords. Faciliates migration from/to Netscape
+servers using the LDAP Directory Interchange Format (ldif).
+.IP \-p
+Use plaintext passwords. Though
+.B htpasswd
+will support creation on all platofrms, the
+.B httpd
+deamon will only accept plain text passwords on Windows and TPF.
.IP \fB\fIpasswdfile\fP
Name of the file to contain the user name and password. If \-c
is given, this file is created if it does not already exist,
@@ -192,3 +210,4 @@
Usernames are limited to 255 bytes and may not include the character ':'.
.SH SEE ALSO
.BR httpd(8)
+and the scripts in support/SHA1 which come with the distribution.
1.32 +59 -23 apache-1.3/src/support/htpasswd.c
Index: htpasswd.c
===================================================================
RCS file: /x3/home/cvs/apache-1.3/src/support/htpasswd.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- htpasswd.c 1999/06/03 15:42:38 1.31
+++ htpasswd.c 1999/08/02 10:13:48 1.32
@@ -84,6 +84,7 @@
#include <errno.h>
#include "ap.h"
#include "ap_md5.h"
+#include "ap_sha1.h"
#ifdef WIN32
#include <conio.h>
@@ -100,8 +101,10 @@
#endif /*CHARSET_EBCDIC*/
#define MAX_STRING_LEN 256
+#define ALG_PLAIN 0
#define ALG_CRYPT 1
#define ALG_APMD5 2
+#define ALG_APSHA 3
#define ERR_FILEPERM 1
#define ERR_SYNTAX 2
@@ -149,19 +152,6 @@
fputc('\n', f);
}
-
-/* From local_passwd.c (C) Regents of Univ. of California blah blah */
-static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
- "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-static void to64(register char *s, register long v, register int n)
-{
- while (--n >= 0) {
- *s++ = itoa64[v & 0x3f];
- v >>= 6;
- }
-}
-
/*
* Make a password record from the given information. A zero return
* indicates success; failure means that the output buffer contains an
@@ -172,9 +162,9 @@
{
char *pw;
char cpw[120];
- char salt[9];
char pwin[MAX_STRING_LEN];
char pwv[MAX_STRING_LEN];
+ char salt[9];
if (passwd != NULL) {
pw = passwd;
@@ -191,20 +181,39 @@
return ERR_PWMISMATCH;
}
pw = pwin;
+ bzero(pwv,sizeof(pwin));
}
- (void) srand((int) time((time_t *) NULL));
- to64(&salt[0], rand(), 8);
- salt[8] = '\0';
-
switch (alg) {
- case ALG_APMD5:
+
+ case ALG_APSHA:
+ /* XXX cpw >= 28 + strlen(sha1) chars - fixed len SHA */
+ ap_sha1_base64(pw,strlen(pw),cpw);
+ break;
+
+ case ALG_APMD5:
+ (void) srand((int) time((time_t *) NULL));
+ ap_to64(&salt[0], rand(), 8);
+ salt[8] = '\0';
+
ap_MD5Encode((const unsigned char *)pw, (const unsigned char *)salt,
cpw, sizeof(cpw));
break;
+
+ case ALG_PLAIN:
+ /* XXX this len limitation is not in sync with any HTTPd len. */
+ ap_cpystrn(cpw,pw,sizeof(cpw));
+ break;
+
case ALG_CRYPT:
+ default:
+ (void) srand((int) time((time_t *) NULL));
+ ap_to64(&salt[0], rand(), 8);
+ salt[8] = '\0';
+
ap_cpystrn(cpw, (char *)crypt(pw, salt), sizeof(cpw) - 1);
break;
}
+ bzero(pw,strlen(pw));
/*
* Check to see if the buffer is large enough to hold the username,
@@ -223,13 +232,25 @@
static int usage(void)
{
fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\thtpasswd [-cm] passwordfile username\n");
- fprintf(stderr, "\thtpasswd -b[cm] passwordfile username password\n\n");
+ fprintf(stderr, "\thtpasswd [-cmdps] passwordfile username\n");
+ fprintf(stderr, "\thtpasswd -b[cmdps] passwordfile username password\n\n");
fprintf(stderr, " -c Create a new file.\n");
- fprintf(stderr, " -m Force MD5 encryption of the password.\n");
+ fprintf(stderr, " -m Force MD5 encryption of the password"
+#if defined(WIN32) || defined(TPF)
+ " (default)"
+#endif
+ ".\n");
+ fprintf(stderr, " -d Force CRYPT encryption of the password"
+#if (!(defined(WIN32) || defined(TPF)))
+ " (default)"
+#endif
+ ".\n");
+ fprintf(stderr, " -p Force NO encryption of the password.\n");
+ fprintf(stderr, " -s Force SHA encryption of the password.\n");
fprintf(stderr, " -b Use the password from the command line rather ");
fprintf(stderr, "than prompting for it.\n");
- fprintf(stderr, "On Windows systems the -m flag is used by default.\n");
+ fprintf(stderr, "On Windows and TPF systems the '-m' flag is used by default.\n");
+ fprintf(stderr, "On all other systems, the '-p' will propably not work.\n");
return ERR_SYNTAX;
}
@@ -356,6 +377,15 @@
else if (*arg == 'm') {
alg = ALG_APMD5;
}
+ else if (*arg == 's') {
+ alg = ALG_APSHA;
+ }
+ else if (*arg == 'p') {
+ alg = ALG_PLAIN;
+ }
+ else if (*arg == 'd') {
+ alg = ALG_CRYPT;
+ }
else if (*arg == 'b') {
noninteractive++;
args_left++;
@@ -406,6 +436,12 @@
}
#endif
+#if (!(defined(WIN32) || defined(TPF)))
+ if (alg == ALG_PLAIN) {
+ fprintf(stderr,"Warning: storing passwords as plain text might "
+ "just not work on this platform.\n");
+ }
+#endif
/*
* Verify that the file exists if -c was omitted. We give a special
* message if it doesn't.
1.1 apache-1.3/src/support/SHA1/README.sha1
Index: README.sha1
===================================================================
This directory includes some utilities to allow Apache 1.3.6 to
recognize passwords in SHA1 format, as used by Netscape web servers.
From Netscape's admin interface, export the password database to an
ldif file and then use convert.pl in this distribution to generate
apache style password files.
Note: SHA1 support is useful for migration purposes, but is less
secure than Apache's password format, since Apache's (MD5)
password format uses a random eight character salt to generate
one of many possible hashes for the same password. Netscape
uses plain SHA1 without a salt, so the same password
will always generate the same hash, making it easier
to break since the search space is smaller.
This code was contributed by Clinton Wong <cl...@netcom.com>.
README.sha1
this file
convert-sha1.pl
takes an ldif dump from Netscape's web server on
standard in, outputs apache htpasswd format on standard out.
Usage: convert.pl < ldif > passwords
htpasswd-sha1.pl
perl script to generate entries in apache htpasswd format.
Usage: htpasswd-sha1.pl some_user some_password
ldif-sha1.example
sample ldif dump with one sha1 password and one crypt password.
1.1 apache-1.3/src/support/SHA1/convert-sha1.pl
Index: convert-sha1.pl
===================================================================
#!/usr/bin/perl -w
use strict;
# This is public domain code. Do whatever you want with it.
# It was originally included in Clinton Wong's Apache 1.3.6 SHA1/ldif
# patch distribution as sample code for converting accounts from
# ldif format (as used by Netscape web servers) to Apache password format.
my $uid='';
my $passwd='';
while (my $line = <>) {
chomp $line;
if ( $line =~ /uid:\s*(.+)/) { $uid = $1 }
if ( $line =~ /userpassword:\s*(\{\w+\}.+)/) {
$passwd = $1;
$passwd =~ s/^\{crypt\}//i; # Apache stores crypt without a magic string
}
if (length($line)==0) {
if (length $uid and length $passwd) {
print $uid, ':', $passwd, "\n";
} # output if we have something to print
$uid = '';
$passwd = '';
} # if newline
} # while something to read
# handle last entry if there isn't a newline before EOF
if (length $uid and length $passwd) {
print $uid, ':', $passwd, "\n";
}
1.1 apache-1.3/src/support/SHA1/htpasswd-sha1.pl
Index: htpasswd-sha1.pl
===================================================================
#!/usr/bin/perl -w
use strict;
#
# Utility which takes a username and password
# on the command line and generates a username
# sha1-encrytped password on the stdout.
#
# Typical useage:
# ./htpasswd-sha1.pl dirkx MySecret >> sha1-passwd
#
# This is public domain code. Do whatever you want with it.
# It was originally included in Clinton Wong's Apache 1.3.6 SHA1/ldif
# patch distribution as sample code for generating entries for
# Apache password files using SHA1.
use MIME::Base64; # http://www.cpan.org/modules/by-module/MIME/
use Digest::SHA1; # http://www.cpan.org/modules/by-module/MD5/
if ($#ARGV!=1) { die "Usage $0: user password\n" }
print $ARGV[0], ':{SHA}', encode_base64( Digest::SHA1::sha1($ARGV[1]) );
1.1 apache-1.3/src/support/SHA1/ldif-sha1.example
Index: ldif-sha1.example
===================================================================
dn: cn=someuser
cn: someuser
sn: someuser
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: someuser
userpassword: {SHA}GvF+c3IdvgxAARuC7Uuxp9vjzik=
dn: cn=anotheruser
cn: anotheruser
sn: anotheruser
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: anotheruser
userpassword: {crypt}eFnp.4sz5XnH6