Diffstat (limited to '')
-rw-r--r--support/ab.c52
-rw-r--r--support/dbmmanage.in88
-rw-r--r--support/htcacheclean.c2
-rw-r--r--support/htdbm.c10
-rw-r--r--support/htpasswd.c26
-rw-r--r--support/passwd_common.c57
-rw-r--r--support/passwd_common.h8
7 files changed, 165 insertions, 78 deletions
diff --git a/support/ab.c b/support/ab.c
index 3aa2660..1e9dc71 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -166,13 +166,18 @@
#if defined(HAVE_OPENSSL)
-#include <openssl/rsa.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/rand.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/core_names.h>
+#endif
+
#define USE_SSL
#define SK_NUM(x) sk_X509_num(x)
@@ -555,22 +560,33 @@ static void set_conn_state(struct connection *c, connect_state_e new_state)
*
*/
#ifdef USE_SSL
-static long ssl_print_cb(BIO *bio,int cmd,const char *argp,int argi,long argl,long ret)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static long ssl_print_cb(BIO *bio, int cmd, const char *argp,
+ size_t len, int argi, long argl, int ret,
+ size_t *processed)
+#else
+static long ssl_print_cb(BIO *bio, int cmd, const char *argp,
+ int argi, long argl, long ret)
+#endif
{
BIO *out;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ (void)len;
+ (void)processed;
+#endif
out=(BIO *)BIO_get_callback_arg(bio);
if (out == NULL) return(ret);
if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) {
BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n",
- bio, argp, argi, ret, ret);
+ bio, argp, argi, (long)ret, (long)ret);
BIO_dump(out,(char *)argp,(int)ret);
return(ret);
}
else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) {
BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n",
- bio, argp, argi, ret, ret);
+ bio, argp, argi, (long)ret, (long)ret);
BIO_dump(out,(char *)argp,(int)ret);
}
return ret;
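Review bot: In the OpenSSL 3 variant of ssl_print_cb the byte count that is printed and handed to BIO_dump is still taken from `ret`, but for a callback installed with BIO_set_callback_ex `ret` is the operation's success indicator and the transferred length is delivered through `processed`, which the new code discards at `(void)processed;`. If that reading of the callback_ex contract is right, verbose output under OpenSSL 3 will report and dump a single byte for every read and write. Derive the length once under the version guard and use it in both BIO_printf/BIO_dump pairs, as sketched below; the `%ld` casts added here would then become unnecessary. The function's closing brace is outside the hunk.
```c
    BIO *out;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
    size_t nbytes = processed ? *processed : 0;
    (void)len;
#else
    size_t nbytes = ret > 0 ? (size_t)ret : 0;
#endif
    /* … unchanged: BIO_get_callback_arg() and NULL check … */
    if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) {
        BIO_printf(out,"read from %p [%p] (%d bytes => %lu (0x%lX))\n",
                   bio, argp, argi, (unsigned long)nbytes, (unsigned long)nbytes);
        BIO_dump(out,(char *)argp,(int)nbytes);
        return(ret);
    }
    /* … write branch changed the same way … */
```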
@@ -765,17 +781,29 @@ static void ssl_proceed_handshake(struct connection *c)
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC: {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ size_t len;
+ char cname[80];
+ if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME,
+ cname, sizeof(cname), &len)) {
+ cname[0] = '?';
+ len = 1;
+ }
+ cname[len] = '\0';
+#else
const char *cname = NULL;
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
EC_KEY_free(ec);
cname = EC_curve_nid2nist(nid);
- if (!cname)
+ if (!cname) {
cname = OBJ_nid2sn(nid);
-
+ if (!cname)
+ cname = "?";
+ }
+#endif
apr_snprintf(ssl_tmp_key, 128, "ECDH %s %d bits",
- cname,
- EVP_PKEY_bits(key));
+ cname, EVP_PKEY_bits(key));
break;
}
#endif
@@ -1428,7 +1456,11 @@ static void start_connect(struct connection * c)
SSL_set_bio(c->ssl, bio, bio);
SSL_set_connect_state(c->ssl);
if (verbosity >= 4) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ BIO_set_callback_ex(bio, ssl_print_cb);
+#else
BIO_set_callback(bio, ssl_print_cb);
+#endif
BIO_set_callback_arg(bio, (void *)bio_err);
}
#ifdef HAVE_TLSEXT
@@ -2095,14 +2127,14 @@ static void test(void)
static void copyright(void)
{
if (!use_html) {
- printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1903618 $>");
+ printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1913912 $>");
printf("Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n");
printf("Licensed to The Apache Software Foundation, http://www.apache.org/\n");
printf("\n");
}
else {
printf("<p>\n");
- printf(" This is ApacheBench, Version %s <i>&lt;%s&gt;</i><br>\n", AP_AB_BASEREVISION, "$Revision: 1903618 $");
+ printf(" This is ApacheBench, Version %s <i>&lt;%s&gt;</i><br>\n", AP_AB_BASEREVISION, "$Revision: 1913912 $");
printf(" Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n");
printf(" Licensed to The Apache Software Foundation, http://www.apache.org/<br>\n");
printf("</p>\n<p>\n");
diff --git a/support/dbmmanage.in b/support/dbmmanage.in
index 2dd8c86..881d230 100644
--- a/support/dbmmanage.in
+++ b/support/dbmmanage.in
@@ -32,9 +32,9 @@ sub usage {
die <<SYNTAX;
Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]]
- where enc is -d for crypt encryption (default except on Win32, Netware)
- -m for MD5 encryption (default on Win32, Netware)
- -s for SHA1 encryption
+ where enc is -d for crypt hashing (default except on Win32, Netware)
+ -m for MD5 hashing (default on Win32, Netware)
+ -s for SHA1 hashing
-p for plaintext
command is one of: $cmds
@@ -48,7 +48,7 @@ Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]]
SYNTAX
}
-sub need_sha1_crypt {
+sub need_sha1_hash {
if (!eval ('require "Digest/SHA1.pm";')) {
print STDERR <<SHAERR;
dbmmanage SHA1 passwords require the interface or the module Digest::SHA1
@@ -56,21 +56,21 @@ available from CPAN:
http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.12.tar.gz
-Please install Digest::SHA1 and try again, or use a different crypt option:
+Please install Digest::SHA1 and try again, or use a different hashing option:
SHAERR
usage();
}
}
-sub need_md5_crypt {
+sub need_md5_hash {
if (!eval ('require "Crypt/PasswdMD5.pm";')) {
print STDERR <<MD5ERR;
dbmmanage MD5 passwords require the module Crypt::PasswdMD5 available from CPAN
http://www.cpan.org/modules/by-module/Crypt/Crypt-PasswdMD5-1.1.tar.gz
-Please install Crypt::PasswdMD5 and try again, or use a different crypt option:
+Please install Crypt::PasswdMD5 and try again, or use a different hashing option:
MD5ERR
usage();
@@ -93,10 +93,10 @@ my $newstyle_salt = $^O =~ /(?:$newstyle_salt_platforms)/;
my $crypt_not_supported_platforms = join '|', qw{MSWin32 NetWare}; #others?
my $crypt_not_supported = $^O =~ /(?:$crypt_not_supported_platforms)/;
-my $crypt_method = "crypt";
+my $hash_method = "crypt";
if ($crypt_not_supported) {
- $crypt_method = "md5";
+ $hash_method = "md5";
}
# Some platforms won't jump through our favorite hoops
@@ -105,7 +105,7 @@ my $not_unix_platforms = join '|', qw{MSWin32 NetWare}; #others?
my $not_unix = $^O =~ /(?:$not_unix_platforms)/;
if ($crypt_not_supported) {
- $crypt_method = "md5";
+ $hash_method = "md5";
}
if (@ARGV[0] eq "-d") {
@@ -114,12 +114,12 @@ if (@ARGV[0] eq "-d") {
print STDERR
"Warning: Apache/$^O does not support crypt()ed passwords!\n\n";
}
- $crypt_method = "crypt";
+ $hash_method = "crypt";
}
if (@ARGV[0] eq "-m") {
shift @ARGV;
- $crypt_method = "md5";
+ $hash_method = "md5";
}
if (@ARGV[0] eq "-p") {
@@ -128,20 +128,20 @@ if (@ARGV[0] eq "-p") {
print STDERR
"Warning: Apache/$^O does not support plaintext passwords!\n\n";
}
- $crypt_method = "plain";
+ $hash_method = "plain";
}
if (@ARGV[0] eq "-s") {
shift @ARGV;
- need_sha1_crypt();
- $crypt_method = "sha1";
+ need_sha1_hash();
+ $hash_method = "sha1";
}
-if ($crypt_method eq "md5") {
- need_md5_crypt();
+if ($hash_method eq "md5") {
+ need_md5_hash();
}
-my($file,$command,$key,$crypted_pwd,$groups,$comment) = @ARGV;
+my($file,$command,$key,$hashed_pwd,$groups,$comment) = @ARGV;
usage() unless $file and $command and defined &{$dbmc::{$command}};
@@ -188,7 +188,7 @@ sub saltpw_crypt {
randchar(2);
}
-sub cryptpw_crypt {
+sub hashpw_crypt {
my ($pw, $salt) = @_;
$salt = saltpw_crypt unless $salt;
crypt $pw, $salt;
@@ -199,24 +199,24 @@ sub saltpw_md5 {
randchar(8);
}
-sub cryptpw_md5 {
+sub hashpw_md5 {
my($pw, $salt) = @_;
$salt = saltpw_md5 unless $salt;
Crypt::PasswdMD5::apache_md5_crypt($pw, $salt);
}
-sub cryptpw_sha1 {
+sub hashpw_sha1 {
my($pw, $salt) = @_;
'{SHA}' . Digest::SHA1::sha1_base64($pw) . "=";
}
-sub cryptpw {
- if ($crypt_method eq "md5") {
- return cryptpw_md5(@_);
- } elsif ($crypt_method eq "sha1") {
- return cryptpw_sha1(@_);
- } elsif ($crypt_method eq "crypt") {
- return cryptpw_crypt(@_);
+sub hashpw {
+ if ($hash_method eq "md5") {
+ return hashpw_md5(@_);
+ } elsif ($hash_method eq "sha1") {
+ return hashpw_sha1(@_);
+ } elsif ($hash_method eq "crypt") {
+ return hashpw_crypt(@_);
}
@_[0]; # otherwise return plaintext
}
@@ -243,10 +243,10 @@ sub getpass {
sub dbmc::update {
die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
- $crypted_pwd = (split /:/, $DB{$key}, 3)[0] if $crypted_pwd eq '.';
+ $hashed_pwd = (split /:/, $DB{$key}, 3)[0] if $hashed_pwd eq '.';
$groups = (split /:/, $DB{$key}, 3)[1] if !$groups || $groups eq '.';
$comment = (split /:/, $DB{$key}, 3)[2] if !$comment || $comment eq '.';
- if (!$crypted_pwd || $crypted_pwd eq '-') {
+ if (!$hashed_pwd || $hashed_pwd eq '-') {
dbmc->adduser;
}
else {
@@ -255,23 +255,23 @@ sub dbmc::update {
}
sub dbmc::add {
- die "Can't use empty password!\n" unless $crypted_pwd;
+ die "Can't use empty password!\n" unless $hashed_pwd;
unless($is_update) {
die "Sorry, user `$key' already exists!\n" if $DB{$key};
}
$groups = '' if $groups eq '-';
$comment = '' if $comment eq '-';
$groups .= ":" . $comment if $comment;
- $crypted_pwd .= ":" . $groups if $groups;
- $DB{$key} = $crypted_pwd;
+ $hashed_pwd .= ":" . $groups if $groups;
+ $DB{$key} = $hashed_pwd;
my $action = $is_update ? "updated" : "added";
- print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n";
+ print "User $key $action with password hashed to $DB{$key} using $hash_method\n";
}
sub dbmc::adduser {
my $value = getpass "New password:";
die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value;
- $crypted_pwd = cryptpw $value;
+ $hashed_pwd = hashpw $value;
dbmc->add;
}
@@ -289,23 +289,23 @@ sub dbmc::check {
my $chkpass = (split /:/, $DB{$key}, 3)[0];
my $testpass = getpass();
if (substr($chkpass, 0, 6) eq '$apr1$') {
- need_md5_crypt;
- $crypt_method = "md5";
+ need_md5_hash;
+ $hash_method = "md5";
} elsif (substr($chkpass, 0, 5) eq '{SHA}') {
- need_sha1_crypt;
- $crypt_method = "sha1";
+ need_sha1_hash;
+ $hash_method = "sha1";
} elsif (length($chkpass) == 13 && $chkpass ne $testpass) {
- $crypt_method = "crypt";
+ $hash_method = "crypt";
} else {
- $crypt_method = "plain";
+ $hash_method = "plain";
}
- print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass
- ? " password ok\n" : " password mismatch\n");
+ print $hash_method . (hashpw($testpass, $chkpass) eq $chkpass
+ ? " password ok\n" : " password mismatch\n");
}
sub dbmc::import {
while(defined($_ = <STDIN>) and chomp) {
- ($key,$crypted_pwd,$groups,$comment) = split /:/, $_, 4;
+ ($key,$hashed_pwd,$groups,$comment) = split /:/, $_, 4;
dbmc->add;
}
}
diff --git a/support/htcacheclean.c b/support/htcacheclean.c
index b4eabbf..57c5c5b 100644
--- a/support/htcacheclean.c
+++ b/support/htcacheclean.c
@@ -558,8 +558,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round)
}
}
}
-
- break;
}
}
}
diff --git a/support/htdbm.c b/support/htdbm.c
index 40a3d23..c2f8f3f 100644
--- a/support/htdbm.c
+++ b/support/htdbm.c
@@ -290,13 +290,13 @@ static void htdbm_usage(void)
" -n Don't update database; display results on stdout.\n"
" -b Use the password from the command line rather than prompting for it.\n"
" -i Read password from stdin without verification (for script usage).\n"
- " -m Force MD5 encryption of the password (default).\n"
- " -B Force BCRYPT encryption of the password (very secure).\n"
+ " -m Force MD5 hashing of the password (default).\n"
+ " -B Force BCRYPT hashing of the password (very secure).\n"
" -C Set the computing time used for the bcrypt algorithm\n"
" (higher is more secure but slower, default: %d, valid: 4 to 31).\n"
- " -d Force CRYPT encryption of the password (8 chars max, insecure).\n"
- " -s Force SHA encryption of the password (insecure).\n"
- " -p Do not encrypt the password (plaintext, insecure).\n"
+ " -d Force CRYPT hashing of the password (8 chars max, insecure).\n"
+ " -s Force SHA hashing of the password (insecure).\n"
+ " -p Do not hash the password (plaintext, insecure).\n"
" -T DBM Type (SDBM|GDBM|DB|default).\n"
" -l Display usernames from database on stdout.\n"
" -v Verify the username/password.\n"
diff --git a/support/htpasswd.c b/support/htpasswd.c
index 7dd5af9..c576532 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
@@ -98,28 +98,32 @@ static int mkrecord(struct passwd_ctx *ctx, char *user)
static void usage(void)
{
apr_file_printf(errfile, "Usage:" NL
- "\thtpasswd [-cimBdpsDv] [-C cost] passwordfile username" NL
- "\thtpasswd -b[cmBdpsDv] [-C cost] passwordfile username password" NL
+ "\thtpasswd [-cimB25dpsDv] [-C cost] [-r rounds] passwordfile username" NL
+ "\thtpasswd -b[cmB25dpsDv] [-C cost] [-r rounds] passwordfile username password" NL
NL
- "\thtpasswd -n[imBdps] [-C cost] username" NL
- "\thtpasswd -nb[mBdps] [-C cost] username password" NL
+ "\thtpasswd -n[imB25dps] [-C cost] [-r rounds] username" NL
+ "\thtpasswd -nb[mB25dps] [-C cost] [-r rounds] username password" NL
" -c Create a new file." NL
" -n Don't update file; display results on stdout." NL
" -b Use the password from the command line rather than prompting "
"for it." NL
" -i Read password from stdin without verification (for script usage)." NL
- " -m Force MD5 encryption of the password (default)." NL
- " -B Force bcrypt encryption of the password (very secure)." NL
+ " -m Force MD5 hashing of the password (default)." NL
+ " -2 Force SHA-256 hashing of the password (secure)." NL
+ " -5 Force SHA-512 hashing of the password (secure)." NL
+ " -B Force bcrypt hashing of the password (very secure)." NL
" -C Set the computing time used for the bcrypt algorithm" NL
" (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
- " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL
- " -s Force SHA encryption of the password (insecure)." NL
- " -p Do not encrypt the password (plaintext, insecure)." NL
+ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL
+ " (higher is more secure but slower, default: 5000)." NL
+ " -d Force CRYPT hashing of the password (8 chars max, insecure)." NL
+ " -s Force SHA-1 hashing of the password (insecure)." NL
+ " -p Do not hash the password (plaintext, insecure)." NL
" -D Delete the specified user." NL
" -v Verify password for the specified user." NL
"On other systems than Windows and NetWare the '-p' flag will "
"probably not work." NL
- "The SHA algorithm does not use a salt and is less secure than the "
+ "The SHA-1 algorithm does not use a salt and is less secure than the "
"MD5 algorithm." NL,
BCRYPT_DEFAULT_COST
);
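Review bot: The usage text advertises `-2` and `-5` unconditionally, but parse_common_options in passwd_common.c rejects them with ERR_ALG_NOT_SUPP when HAVE_CRYPT_SHA2 is undefined, so on such platforms the help promises options that always fail; the existing `-p` caveat sentence shows how this is handled elsewhere. Consider wrapping the two option lines in `#ifdef HAVE_CRYPT_SHA2` or adding a sentence like `"The -2 and -5 options require a crypt() implementation with SHA-2 support." NL`. The same diff also shows `-C` and `-r` writing the same `ctx->cost` field, so a note that the two flags are aliases (the value is interpreted per algorithm) would avoid surprises when both appear. usage() ends inside the hunk.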
@@ -178,7 +182,7 @@ static void check_args(int argc, const char *const argv[],
if (rv != APR_SUCCESS)
exit(ERR_SYNTAX);
- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) {
+ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) {
switch (opt) {
case 'c':
*mask |= APHTP_NEWFILE;
diff --git a/support/passwd_common.c b/support/passwd_common.c
index 664e509..62e4843 100644
--- a/support/passwd_common.c
+++ b/support/passwd_common.c
@@ -179,16 +179,21 @@ err_too_long:
int mkhash(struct passwd_ctx *ctx)
{
char *pw;
- char salt[16];
+ char salt[17];
apr_status_t rv;
int ret = 0;
#if CRYPT_ALGO_SUPPORTED
char *cbuf;
#endif
+#ifdef HAVE_CRYPT_SHA2
+ const char *setting;
+ char method;
+#endif
- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) {
+ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT
+ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) {
apr_file_printf(errfile,
- "Warning: Ignoring -C argument for this algorithm." NL);
+ "Warning: Ignoring -C/-r argument for this algorithm." NL);
}
if (ctx->passwd == NULL) {
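Review bot: `cbuf` is declared a few lines above only under `#if CRYPT_ALGO_SUPPORTED`, while the new SHA-2 case in the next hunk assigns `cbuf = crypt(pw, setting);` under `#ifdef HAVE_CRYPT_SHA2`; a build with HAVE_CRYPT_SHA2 set and CRYPT_ALGO_SUPPORTED false would not compile. If the configure logic cannot produce that combination, a one-line comment saying so would help; otherwise widen the guard to `#if CRYPT_ALGO_SUPPORTED || defined(HAVE_CRYPT_SHA2)`. Growing `salt` to 17 matches the `generate_salt(salt, 16, ...)` call in the next hunk, assuming generate_salt NUL-terminates after 16 characters. mkhash continues outside the hunk.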
@@ -246,6 +251,34 @@ int mkhash(struct passwd_ctx *ctx)
break;
#endif /* CRYPT_ALGO_SUPPORTED */
+#ifdef HAVE_CRYPT_SHA2
+ case ALG_CRYPT_SHA256:
+ case ALG_CRYPT_SHA512:
+ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool);
+ if (ret != 0)
+ break;
+
+ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6';
+
+ if (ctx->cost)
+ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s",
+ method, ctx->cost, salt);
+ else
+ setting = apr_psprintf(ctx->pool, "$%c$%s",
+ method, salt);
+
+ cbuf = crypt(pw, setting);
+ if (cbuf == NULL) {
+ rv = APR_FROM_OS_ERROR(errno);
+ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv);
+ ret = ERR_PWMISMATCH;
+ break;
+ }
+
+ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
+ break;
+#endif /* HAVE_CRYPT_SHA2 */
+
#if BCRYPT_ALGO_SUPPORTED
case ALG_BCRYPT:
rv = apr_generate_random_bytes((unsigned char*)salt, 16);
@@ -294,6 +327,19 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
case 's':
ctx->alg = ALG_APSHA;
break;
+#ifdef HAVE_CRYPT_SHA2
+ case '2':
+ ctx->alg = ALG_CRYPT_SHA256;
+ break;
+ case '5':
+ ctx->alg = ALG_CRYPT_SHA512;
+ break;
+#else
+ case '2':
+ case '5':
+ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform.";
+ return ERR_ALG_NOT_SUPP;
+#endif
case 'p':
ctx->alg = ALG_PLAIN;
#if !PLAIN_ALGO_SUPPORTED
@@ -324,11 +370,12 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
return ERR_ALG_NOT_SUPP;
#endif
break;
- case 'C': {
+ case 'C':
+ case 'r': {
char *endptr;
long num = strtol(opt_arg, &endptr, 10);
if (*endptr != '\0' || num <= 0) {
- ctx->errstr = "argument to -C must be a positive integer";
+ ctx->errstr = "argument to -C/-r must be a positive integer";
return ERR_SYNTAX;
}
ctx->cost = num;
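Review bot: Merging the `-C` and `-r` cases makes the two flags interchangeable with only `num <= 0` rejected, so `-C 5` together with `-2` silently becomes `rounds=5`, which SHA-crypt implementations typically raise to their minimum without telling the user, and `ctx->cost = num;` narrows a `long` to `int` with no range check. Consider `if (*endptr != '\0' || num <= 0 || num > INT_MAX) {` here (needs `<limits.h>` if not already included) and a per-algorithm range check in mkhash, where `ctx->alg` is known. parse_common_options continues outside the hunk.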
diff --git a/support/passwd_common.h b/support/passwd_common.h
index 660081e..874c5e7 100644
--- a/support/passwd_common.h
+++ b/support/passwd_common.h
@@ -28,6 +28,10 @@
#include "apu_version.h"
#endif
+#if !defined(WIN32) && !defined(NETWARE)
+#include "ap_config_auto.h"
+#endif
+
#define MAX_STRING_LEN 256
#define ALG_PLAIN 0
@@ -35,6 +39,8 @@
#define ALG_APMD5 2
#define ALG_APSHA 3
#define ALG_BCRYPT 4
+#define ALG_CRYPT_SHA256 5
+#define ALG_CRYPT_SHA512 6
#define BCRYPT_DEFAULT_COST 5
@@ -84,7 +90,7 @@ struct passwd_ctx {
apr_size_t out_len;
char *passwd;
int alg;
- int cost;
+ int cost; /* cost for bcrypt, rounds for SHA-2 */
enum {
PW_PROMPT = 0,
PW_ARG,