diff options
Diffstat (limited to 'support')
-rw-r--r-- | support/ab.c | 52 | ||||
-rw-r--r-- | support/dbmmanage.in | 88 | ||||
-rw-r--r-- | support/htcacheclean.c | 2 | ||||
-rw-r--r-- | support/htdbm.c | 10 | ||||
-rw-r--r-- | support/htpasswd.c | 26 | ||||
-rw-r--r-- | support/passwd_common.c | 57 | ||||
-rw-r--r-- | support/passwd_common.h | 8 |
7 files changed, 165 insertions, 78 deletions
diff --git a/support/ab.c b/support/ab.c index 3aa2660..1e9dc71 100644 --- a/support/ab.c +++ b/support/ab.c @@ -166,13 +166,18 @@ #if defined(HAVE_OPENSSL) -#include <openssl/rsa.h> +#include <openssl/evp.h> #include <openssl/crypto.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/err.h> #include <openssl/ssl.h> #include <openssl/rand.h> +#include <openssl/opensslv.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include <openssl/core_names.h> +#endif + #define USE_SSL #define SK_NUM(x) sk_X509_num(x) @@ -555,22 +560,33 @@ static void set_conn_state(struct connection *c, connect_state_e new_state) * */ #ifdef USE_SSL -static long ssl_print_cb(BIO *bio,int cmd,const char *argp,int argi,long argl,long ret) +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +static long ssl_print_cb(BIO *bio, int cmd, const char *argp, + size_t len, int argi, long argl, int ret, + size_t *processed) +#else +static long ssl_print_cb(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret) +#endif { BIO *out; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + (void)len; + (void)processed; +#endif out=(BIO *)BIO_get_callback_arg(bio); if (out == NULL) return(ret); if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n", - bio, argp, argi, ret, ret); + bio, argp, argi, (long)ret, (long)ret); BIO_dump(out,(char *)argp,(int)ret); return(ret); } else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n", - bio, argp, argi, ret, ret); + bio, argp, argi, (long)ret, (long)ret); BIO_dump(out,(char *)argp,(int)ret); } return ret; @@ -765,17 +781,29 @@ static void ssl_proceed_handshake(struct connection *c) break; #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + size_t len; + char cname[80]; + if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME, + cname, sizeof(cname), &len)) { + cname[0] = '?'; + len = 1; + } + cname[len] = '\0'; +#else const char *cname = NULL; EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key); int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); EC_KEY_free(ec); cname = EC_curve_nid2nist(nid); - if (!cname) + if (!cname) { cname = OBJ_nid2sn(nid); - + if (!cname) + cname = "?"; + } +#endif apr_snprintf(ssl_tmp_key, 128, "ECDH %s %d bits", - cname, - EVP_PKEY_bits(key)); + cname, EVP_PKEY_bits(key)); break; } #endif @@ -1428,7 +1456,11 @@ static void start_connect(struct connection * c) SSL_set_bio(c->ssl, bio, bio); SSL_set_connect_state(c->ssl); if (verbosity >= 4) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + BIO_set_callback_ex(bio, ssl_print_cb); +#else BIO_set_callback(bio, ssl_print_cb); +#endif BIO_set_callback_arg(bio, (void *)bio_err); } #ifdef HAVE_TLSEXT @@ -2095,14 +2127,14 @@ static void test(void) static void copyright(void) { if (!use_html) { - printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1903618 $>"); + printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1913912 $>"); printf("Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n"); printf("Licensed to The Apache Software Foundation, http://www.apache.org/\n"); printf("\n"); } else { printf("<p>\n"); - printf(" This is ApacheBench, Version %s <i><%s></i><br>\n", AP_AB_BASEREVISION, "$Revision: 1903618 $"); + printf(" This is ApacheBench, Version %s <i><%s></i><br>\n", AP_AB_BASEREVISION, "$Revision: 1913912 $"); printf(" Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n"); printf(" Licensed to The Apache Software Foundation, http://www.apache.org/<br>\n"); printf("</p>\n<p>\n"); diff --git a/support/dbmmanage.in b/support/dbmmanage.in index 2dd8c86..881d230 100644 --- a/support/dbmmanage.in +++ b/support/dbmmanage.in @@ -32,9 +32,9 @@ sub usage { die <<SYNTAX; Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]] - where enc is -d for crypt encryption (default except on Win32, Netware) - -m for MD5 encryption (default on Win32, Netware) - -s for SHA1 encryption + where enc is -d for crypt hashing (default except on Win32, Netware) + -m for MD5 hashing (default on Win32, Netware) + -s for SHA1 hashing -p for plaintext command is one of: $cmds @@ -48,7 +48,7 @@ Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]] SYNTAX } -sub need_sha1_crypt { +sub need_sha1_hash { if (!eval ('require "Digest/SHA1.pm";')) { print STDERR <<SHAERR; dbmmanage SHA1 passwords require the interface or the module Digest::SHA1 @@ -56,21 +56,21 @@ available from CPAN: http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.12.tar.gz -Please install Digest::SHA1 and try again, or use a different crypt option: +Please install Digest::SHA1 and try again, or use a different hashing option: SHAERR usage(); } } -sub need_md5_crypt { +sub need_md5_hash { if (!eval ('require "Crypt/PasswdMD5.pm";')) { print STDERR <<MD5ERR; dbmmanage MD5 passwords require the module Crypt::PasswdMD5 available from CPAN http://www.cpan.org/modules/by-module/Crypt/Crypt-PasswdMD5-1.1.tar.gz -Please install Crypt::PasswdMD5 and try again, or use a different crypt option: +Please install Crypt::PasswdMD5 and try again, or use a different hashing option: MD5ERR usage(); @@ -93,10 +93,10 @@ my $newstyle_salt = $^O =~ /(?:$newstyle_salt_platforms)/; my $crypt_not_supported_platforms = join '|', qw{MSWin32 NetWare}; #others? my $crypt_not_supported = $^O =~ /(?:$crypt_not_supported_platforms)/; -my $crypt_method = "crypt"; +my $hash_method = "crypt"; if ($crypt_not_supported) { - $crypt_method = "md5"; + $hash_method = "md5"; } # Some platforms won't jump through our favorite hoops @@ -105,7 +105,7 @@ my $not_unix_platforms = join '|', qw{MSWin32 NetWare}; #others? my $not_unix = $^O =~ /(?:$not_unix_platforms)/; if ($crypt_not_supported) { - $crypt_method = "md5"; + $hash_method = "md5"; } if (@ARGV[0] eq "-d") { @@ -114,12 +114,12 @@ if (@ARGV[0] eq "-d") { print STDERR "Warning: Apache/$^O does not support crypt()ed passwords!\n\n"; } - $crypt_method = "crypt"; + $hash_method = "crypt"; } if (@ARGV[0] eq "-m") { shift @ARGV; - $crypt_method = "md5"; + $hash_method = "md5"; } if (@ARGV[0] eq "-p") { @@ -128,20 +128,20 @@ if (@ARGV[0] eq "-p") { print STDERR "Warning: Apache/$^O does not support plaintext passwords!\n\n"; } - $crypt_method = "plain"; + $hash_method = "plain"; } if (@ARGV[0] eq "-s") { shift @ARGV; - need_sha1_crypt(); - $crypt_method = "sha1"; + need_sha1_hash(); + $hash_method = "sha1"; } -if ($crypt_method eq "md5") { - need_md5_crypt(); +if ($hash_method eq "md5") { + need_md5_hash(); } -my($file,$command,$key,$crypted_pwd,$groups,$comment) = @ARGV; +my($file,$command,$key,$hashed_pwd,$groups,$comment) = @ARGV; usage() unless $file and $command and defined &{$dbmc::{$command}}; @@ -188,7 +188,7 @@ sub saltpw_crypt { randchar(2); } -sub cryptpw_crypt { +sub hashpw_crypt { my ($pw, $salt) = @_; $salt = saltpw_crypt unless $salt; crypt $pw, $salt; @@ -199,24 +199,24 @@ sub saltpw_md5 { randchar(8); } -sub cryptpw_md5 { +sub hashpw_md5 { my($pw, $salt) = @_; $salt = saltpw_md5 unless $salt; Crypt::PasswdMD5::apache_md5_crypt($pw, $salt); } -sub cryptpw_sha1 { +sub hashpw_sha1 { my($pw, $salt) = @_; '{SHA}' . Digest::SHA1::sha1_base64($pw) . "="; } -sub cryptpw { - if ($crypt_method eq "md5") { - return cryptpw_md5(@_); - } elsif ($crypt_method eq "sha1") { - return cryptpw_sha1(@_); - } elsif ($crypt_method eq "crypt") { - return cryptpw_crypt(@_); +sub hashpw { + if ($hash_method eq "md5") { + return hashpw_md5(@_); + } elsif ($hash_method eq "sha1") { + return hashpw_sha1(@_); + } elsif ($hash_method eq "crypt") { + return hashpw_crypt(@_); } @_[0]; # otherwise return plaintext } @@ -243,10 +243,10 @@ sub getpass { sub dbmc::update { die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key}; - $crypted_pwd = (split /:/, $DB{$key}, 3)[0] if $crypted_pwd eq '.'; + $hashed_pwd = (split /:/, $DB{$key}, 3)[0] if $hashed_pwd eq '.'; $groups = (split /:/, $DB{$key}, 3)[1] if !$groups || $groups eq '.'; $comment = (split /:/, $DB{$key}, 3)[2] if !$comment || $comment eq '.'; - if (!$crypted_pwd || $crypted_pwd eq '-') { + if (!$hashed_pwd || $hashed_pwd eq '-') { dbmc->adduser; } else { @@ -255,23 +255,23 @@ sub dbmc::update { } sub dbmc::add { - die "Can't use empty password!\n" unless $crypted_pwd; + die "Can't use empty password!\n" unless $hashed_pwd; unless($is_update) { die "Sorry, user `$key' already exists!\n" if $DB{$key}; } $groups = '' if $groups eq '-'; $comment = '' if $comment eq '-'; $groups .= ":" . $comment if $comment; - $crypted_pwd .= ":" . $groups if $groups; - $DB{$key} = $crypted_pwd; + $hashed_pwd .= ":" . $groups if $groups; + $DB{$key} = $hashed_pwd; my $action = $is_update ? "updated" : "added"; - print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n"; + print "User $key $action with password hashed to $DB{$key} using $hash_method\n"; } sub dbmc::adduser { my $value = getpass "New password:"; die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value; - $crypted_pwd = cryptpw $value; + $hashed_pwd = hashpw $value; dbmc->add; } @@ -289,23 +289,23 @@ sub dbmc::check { my $chkpass = (split /:/, $DB{$key}, 3)[0]; my $testpass = getpass(); if (substr($chkpass, 0, 6) eq '$apr1$') { - need_md5_crypt; - $crypt_method = "md5"; + need_md5_hash; + $hash_method = "md5"; } elsif (substr($chkpass, 0, 5) eq '{SHA}') { - need_sha1_crypt; - $crypt_method = "sha1"; + need_sha1_hash; + $hash_method = "sha1"; } elsif (length($chkpass) == 13 && $chkpass ne $testpass) { - $crypt_method = "crypt"; + $hash_method = "crypt"; } else { - $crypt_method = "plain"; + $hash_method = "plain"; } - print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass - ? " password ok\n" : " password mismatch\n"); + print $hash_method . (hashpw($testpass, $chkpass) eq $chkpass + ? " password ok\n" : " password mismatch\n"); } sub dbmc::import { while(defined($_ = <STDIN>) and chomp) { - ($key,$crypted_pwd,$groups,$comment) = split /:/, $_, 4; + ($key,$hashed_pwd,$groups,$comment) = split /:/, $_, 4; dbmc->add; } } diff --git a/support/htcacheclean.c b/support/htcacheclean.c index b4eabbf..57c5c5b 100644 --- a/support/htcacheclean.c +++ b/support/htcacheclean.c @@ -558,8 +558,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round) } } } - - break; } } } diff --git a/support/htdbm.c b/support/htdbm.c index 40a3d23..c2f8f3f 100644 --- a/support/htdbm.c +++ b/support/htdbm.c @@ -290,13 +290,13 @@ static void htdbm_usage(void) " -n Don't update database; display results on stdout.\n" " -b Use the password from the command line rather than prompting for it.\n" " -i Read password from stdin without verification (for script usage).\n" - " -m Force MD5 encryption of the password (default).\n" - " -B Force BCRYPT encryption of the password (very secure).\n" + " -m Force MD5 hashing of the password (default).\n" + " -B Force BCRYPT hashing of the password (very secure).\n" " -C Set the computing time used for the bcrypt algorithm\n" " (higher is more secure but slower, default: %d, valid: 4 to 31).\n" - " -d Force CRYPT encryption of the password (8 chars max, insecure).\n" - " -s Force SHA encryption of the password (insecure).\n" - " -p Do not encrypt the password (plaintext, insecure).\n" + " -d Force CRYPT hashing of the password (8 chars max, insecure).\n" + " -s Force SHA hashing of the password (insecure).\n" + " -p Do not hash the password (plaintext, insecure).\n" " -T DBM Type (SDBM|GDBM|DB|default).\n" " -l Display usernames from database on stdout.\n" " -v Verify the username/password.\n" diff --git a/support/htpasswd.c b/support/htpasswd.c index 7dd5af9..c576532 100644 --- a/support/htpasswd.c +++ b/support/htpasswd.c @@ -98,28 +98,32 @@ static int mkrecord(struct passwd_ctx *ctx, char *user) static void usage(void) { apr_file_printf(errfile, "Usage:" NL - "\thtpasswd [-cimBdpsDv] [-C cost] passwordfile username" NL - "\thtpasswd -b[cmBdpsDv] [-C cost] passwordfile username password" NL + "\thtpasswd [-cimB25dpsDv] [-C cost] [-r rounds] passwordfile username" NL + "\thtpasswd -b[cmB25dpsDv] [-C cost] [-r rounds] passwordfile username password" NL NL - "\thtpasswd -n[imBdps] [-C cost] username" NL - "\thtpasswd -nb[mBdps] [-C cost] username password" NL + "\thtpasswd -n[imB25dps] [-C cost] [-r rounds] username" NL + "\thtpasswd -nb[mB25dps] [-C cost] [-r rounds] username password" NL " -c Create a new file." NL " -n Don't update file; display results on stdout." NL " -b Use the password from the command line rather than prompting " "for it." NL " -i Read password from stdin without verification (for script usage)." NL - " -m Force MD5 encryption of the password (default)." NL - " -B Force bcrypt encryption of the password (very secure)." NL + " -m Force MD5 hashing of the password (default)." NL + " -2 Force SHA-256 hashing of the password (secure)." NL + " -5 Force SHA-512 hashing of the password (secure)." NL + " -B Force bcrypt hashing of the password (very secure)." NL " -C Set the computing time used for the bcrypt algorithm" NL " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL - " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL - " -s Force SHA encryption of the password (insecure)." NL - " -p Do not encrypt the password (plaintext, insecure)." NL + " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL + " (higher is more secure but slower, default: 5000)." NL + " -d Force CRYPT hashing of the password (8 chars max, insecure)." NL + " -s Force SHA-1 hashing of the password (insecure)." NL + " -p Do not hash the password (plaintext, insecure)." NL " -D Delete the specified user." NL " -v Verify password for the specified user." NL "On other systems than Windows and NetWare the '-p' flag will " "probably not work." NL - "The SHA algorithm does not use a salt and is less secure than the " + "The SHA-1 algorithm does not use a salt and is less secure than the " "MD5 algorithm." NL, BCRYPT_DEFAULT_COST ); @@ -178,7 +182,7 @@ static void check_args(int argc, const char *const argv[], if (rv != APR_SUCCESS) exit(ERR_SYNTAX); - while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) { + while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) { switch (opt) { case 'c': *mask |= APHTP_NEWFILE; diff --git a/support/passwd_common.c b/support/passwd_common.c index 664e509..62e4843 100644 --- a/support/passwd_common.c +++ b/support/passwd_common.c @@ -179,16 +179,21 @@ err_too_long: int mkhash(struct passwd_ctx *ctx) { char *pw; - char salt[16]; + char salt[17]; apr_status_t rv; int ret = 0; #if CRYPT_ALGO_SUPPORTED char *cbuf; #endif +#ifdef HAVE_CRYPT_SHA2 + const char *setting; + char method; +#endif - if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) { + if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT + && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) { apr_file_printf(errfile, - "Warning: Ignoring -C argument for this algorithm." NL); + "Warning: Ignoring -C/-r argument for this algorithm." NL); } if (ctx->passwd == NULL) { @@ -246,6 +251,34 @@ int mkhash(struct passwd_ctx *ctx) break; #endif /* CRYPT_ALGO_SUPPORTED */ +#ifdef HAVE_CRYPT_SHA2 + case ALG_CRYPT_SHA256: + case ALG_CRYPT_SHA512: + ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool); + if (ret != 0) + break; + + method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6'; + + if (ctx->cost) + setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s", + method, ctx->cost, salt); + else + setting = apr_psprintf(ctx->pool, "$%c$%s", + method, salt); + + cbuf = crypt(pw, setting); + if (cbuf == NULL) { + rv = APR_FROM_OS_ERROR(errno); + ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv); + ret = ERR_PWMISMATCH; + break; + } + + apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1); + break; +#endif /* HAVE_CRYPT_SHA2 */ + #if BCRYPT_ALGO_SUPPORTED case ALG_BCRYPT: rv = apr_generate_random_bytes((unsigned char*)salt, 16); @@ -294,6 +327,19 @@ int parse_common_options(struct passwd_ctx *ctx, char opt, case 's': ctx->alg = ALG_APSHA; break; +#ifdef HAVE_CRYPT_SHA2 + case '2': + ctx->alg = ALG_CRYPT_SHA256; + break; + case '5': + ctx->alg = ALG_CRYPT_SHA512; + break; +#else + case '2': + case '5': + ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform."; + return ERR_ALG_NOT_SUPP; +#endif case 'p': ctx->alg = ALG_PLAIN; #if !PLAIN_ALGO_SUPPORTED @@ -324,11 +370,12 @@ int parse_common_options(struct passwd_ctx *ctx, char opt, return ERR_ALG_NOT_SUPP; #endif break; - case 'C': { + case 'C': + case 'r': { char *endptr; long num = strtol(opt_arg, &endptr, 10); if (*endptr != '\0' || num <= 0) { - ctx->errstr = "argument to -C must be a positive integer"; + ctx->errstr = "argument to -C/-r must be a positive integer"; return ERR_SYNTAX; } ctx->cost = num; diff --git a/support/passwd_common.h b/support/passwd_common.h index 660081e..874c5e7 100644 --- a/support/passwd_common.h +++ b/support/passwd_common.h @@ -28,6 +28,10 @@ #include "apu_version.h" #endif +#if !defined(WIN32) && !defined(NETWARE) +#include "ap_config_auto.h" +#endif + #define MAX_STRING_LEN 256 #define ALG_PLAIN 0 @@ -35,6 +39,8 @@ #define ALG_APMD5 2 #define ALG_APSHA 3 #define ALG_BCRYPT 4 +#define ALG_CRYPT_SHA256 5 +#define ALG_CRYPT_SHA512 6 #define BCRYPT_DEFAULT_COST 5 @@ -84,7 +90,7 @@ struct passwd_ctx { apr_size_t out_len; char *passwd; int alg; - int cost; + int cost; /* cost for bcrypt, rounds for SHA-2 */ enum { PW_PROMPT = 0, PW_ARG, |