From 550d8e8e6ccef95a119bc265101792b0475a7aa0 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 15:42:57 +0200 Subject: Adding upstream version 2.4.59. Signed-off-by: Daniel Baumann --- support/ab.c | 52 +++++++++++++++++++++++------ support/dbmmanage.in | 88 ++++++++++++++++++++++++------------------------- support/htcacheclean.c | 2 -- support/htdbm.c | 10 +++--- support/htpasswd.c | 26 ++++++++------- support/passwd_common.c | 57 +++++++++++++++++++++++++++++--- support/passwd_common.h | 8 ++++- 7 files changed, 165 insertions(+), 78 deletions(-) (limited to 'support') diff --git a/support/ab.c b/support/ab.c index 3aa2660..1e9dc71 100644 --- a/support/ab.c +++ b/support/ab.c @@ -166,13 +166,18 @@ #if defined(HAVE_OPENSSL) -#include +#include #include #include #include #include #include #include +#include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + #define USE_SSL #define SK_NUM(x) sk_X509_num(x) 
@@ -555,22 +560,33 @@ static void set_conn_state(struct connection *c, connect_state_e new_state) * */ #ifdef USE_SSL -static long ssl_print_cb(BIO *bio,int cmd,const char *argp,int argi,long argl,long ret) +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +static long ssl_print_cb(BIO *bio, int cmd, const char *argp, + size_t len, int argi, long argl, int ret, + size_t *processed) +#else +static long ssl_print_cb(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret) +#endif { BIO *out; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + (void)len; + (void)processed; +#endif out=(BIO *)BIO_get_callback_arg(bio); if (out == NULL) return(ret); if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n", - bio, argp, argi, ret, ret); + bio, argp, argi, (long)ret, (long)ret); BIO_dump(out,(char *)argp,(int)ret); return(ret); } else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n", - bio, argp, argi, ret, ret); + bio, argp, argi, (long)ret, (long)ret); BIO_dump(out,(char *)argp,(int)ret); } return ret; @@ -765,17 +781,29 @@ static void ssl_proceed_handshake(struct connection *c) break; #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + size_t len; + char cname[80]; + if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME, + cname, sizeof(cname), &len)) { + cname[0] = '?'; + len = 1; + } + cname[len] = '\0'; +#else const char *cname = NULL; EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key); int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); EC_KEY_free(ec); cname = EC_curve_nid2nist(nid); - if (!cname) + if (!cname) { cname = OBJ_nid2sn(nid); - + if (!cname) + cname = "?"; + } +#endif apr_snprintf(ssl_tmp_key, 128, "ECDH %s %d bits", - cname, - EVP_PKEY_bits(key)); + cname, EVP_PKEY_bits(key)); break; } #endif 
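Review bot: In the OpenSSL 3 branch of ssl_print_cb the read/write cases still print `argi` and `ret`, but under the BIO_callback_fn_ex contract `ret` is the operation's success flag and `argi` is 0 for the read/write operations, while the requested size arrives in `len` and the transferred count in `*processed` — exactly the two values the hunk discards with `(void)len; (void)processed;`. The -v 4 trace therefore reports "0 bytes => 1 (0x1)" and BIO_dump shows a single byte instead of the data actually moved. Derive the count from `processed` (guarding NULL, since ctrl-style callbacks pass none) and the size from `len` in that build, as sketched below, while the legacy branch keeps its old meaning. ssl_print_cb's closing brace is outside the hunk.
```c
{
    BIO *out;
    long nbytes;
    int reqlen;

    out=(BIO *)BIO_get_callback_arg(bio);
    if (out == NULL) return(ret);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
    /* BIO_callback_fn_ex: ret is a success flag; real sizes are len/processed */
    (void)argi;
    nbytes = (ret > 0 && processed != NULL) ? (long)*processed : (long)ret;
    reqlen = (int)len;
#else
    nbytes = ret;
    reqlen = argi;
#endif
    if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) {
        BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n",
                   bio, argp, reqlen, nbytes, nbytes);
        BIO_dump(out,(char *)argp,(int)nbytes);
        return(ret);
    }
    else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) {
        BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n",
                   bio, argp, reqlen, nbytes, nbytes);
        BIO_dump(out,(char *)argp,(int)nbytes);
    }
    return ret;
```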
@@ -1428,7 +1456,11 @@ static void start_connect(struct connection * c) SSL_set_bio(c->ssl, bio, bio); SSL_set_connect_state(c->ssl); if (verbosity >= 4) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + BIO_set_callback_ex(bio, ssl_print_cb); +#else BIO_set_callback(bio, ssl_print_cb); +#endif BIO_set_callback_arg(bio, (void *)bio_err); } #ifdef HAVE_TLSEXT @@ -2095,14 +2127,14 @@ static void test(void) static void copyright(void) { if (!use_html) { - printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1903618 $>"); + printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1913912 $>"); printf("Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n"); printf("Licensed to The Apache Software Foundation, http://www.apache.org/\n"); printf("\n"); } else { printf("

\n"); - printf(" This is ApacheBench, Version %s <%s>
\n", AP_AB_BASEREVISION, "$Revision: 1903618 $"); + printf(" This is ApacheBench, Version %s <%s>
\n", AP_AB_BASEREVISION, "$Revision: 1913912 $"); printf(" Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
\n"); printf(" Licensed to The Apache Software Foundation, http://www.apache.org/
\n"); printf("

\n

\n"); diff --git a/support/dbmmanage.in b/support/dbmmanage.in index 2dd8c86..881d230 100644 --- a/support/dbmmanage.in +++ b/support/dbmmanage.in @@ -32,9 +32,9 @@ sub usage { die <adduser; } else { @@ -255,23 +255,23 @@ sub dbmc::update { } sub dbmc::add { - die "Can't use empty password!\n" unless $crypted_pwd; + die "Can't use empty password!\n" unless $hashed_pwd; unless($is_update) { die "Sorry, user `$key' already exists!\n" if $DB{$key}; } $groups = '' if $groups eq '-'; $comment = '' if $comment eq '-'; $groups .= ":" . $comment if $comment; - $crypted_pwd .= ":" . $groups if $groups; - $DB{$key} = $crypted_pwd; + $hashed_pwd .= ":" . $groups if $groups; + $DB{$key} = $hashed_pwd; my $action = $is_update ? "updated" : "added"; - print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n"; + print "User $key $action with password hashed to $DB{$key} using $hash_method\n"; } sub dbmc::adduser { my $value = getpass "New password:"; die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value; - $crypted_pwd = cryptpw $value; + $hashed_pwd = hashpw $value; dbmc->add; } 
@@ -289,23 +289,23 @@ sub dbmc::check {
 my $chkpass = (split /:/, $DB{$key}, 3)[0];
 my $testpass = getpass();
 if (substr($chkpass, 0, 6) eq '$apr1$') {
- need_md5_crypt;
- $crypt_method = "md5";
+ need_md5_hash;
+ $hash_method = "md5";
 } elsif (substr($chkpass, 0, 5) eq '{SHA}') {
- need_sha1_crypt;
- $crypt_method = "sha1";
+ need_sha1_hash;
+ $hash_method = "sha1";
 } elsif (length($chkpass) == 13 && $chkpass ne $testpass) {
- $crypt_method = "crypt";
+ $hash_method = "crypt";
 } else {
- $crypt_method = "plain";
+ $hash_method = "plain";
 }
- print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass
- ? " password ok\n" : " password mismatch\n");
+ print $hash_method . (hashpw($testpass, $chkpass) eq $chkpass
+ ? " password ok\n" : " password mismatch\n");
 }
 sub dbmc::import {
 while(defined($_ = ) and chomp) {
- ($key,$crypted_pwd,$groups,$comment) = split /:/, $_, 4;
+ ($key,$hashed_pwd,$groups,$comment) = split /:/, $_, 4;
 dbmc->add;
 }
 }
diff --git a/support/htcacheclean.c b/support/htcacheclean.c
index b4eabbf..57c5c5b 100644
--- a/support/htcacheclean.c
+++ b/support/htcacheclean.c
@@ -558,8 +558,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round)
 }
 }
 }
-
- break;
 }
 }
 }
diff --git a/support/htdbm.c b/support/htdbm.c
index 40a3d23..c2f8f3f 100644
--- a/support/htdbm.c
+++ b/support/htdbm.c
@@ -290,13 +290,13 @@ static void htdbm_usage(void)
 " -n Don't update database; display results on stdout.\n"
 " -b Use the password from the command line rather than prompting for it.\n"
 " -i Read password from stdin without verification (for script usage).\n"
- " -m Force MD5 encryption of the password (default).\n"
- " -B Force BCRYPT encryption of the password (very secure).\n"
+ " -m Force MD5 hashing of the password (default).\n"
+ " -B Force BCRYPT hashing of the password (very secure).\n"
 " -C Set the computing time used for the bcrypt algorithm\n"
 " (higher is more secure but slower, default: %d, valid: 4 to 31).\n"
- " -d Force CRYPT encryption of the password (8 chars max, insecure).\n"
- " -s Force SHA encryption of the password (insecure).\n"
- " -p Do not encrypt the password (plaintext, insecure).\n"
+ " -d Force CRYPT hashing of the password (8 chars max, insecure).\n"
+ " -s Force SHA hashing of the password (insecure).\n"
+ " -p Do not hash the password (plaintext, insecure).\n"
 " -T DBM Type (SDBM|GDBM|DB|default).\n"
 " -l Display usernames from database on stdout.\n"
 " -v Verify the username/password.\n"
diff --git a/support/htpasswd.c b/support/htpasswd.c
index 7dd5af9..c576532 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
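Review bot: The htdbm usage text still lists only -m/-B/-d/-s/-p, while parse_common_options in passwd_common.c now also accepts '2' and '5' for SHA-256/SHA-512 crypt. If htdbm's apr_getopt option string (outside this hunk) forwards those letters, the `-2`, `-5` and `-r` description lines from htpasswd's usage should be mirrored here; if it deliberately does not, a one-line comment above the string such as `/* SHA-2 crypt (-2/-5/-r) is intentionally htpasswd-only */` would stop the two tools drifting apart unnoticed. htdbm_usage's body starts and ends outside the hunk.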
@@ -98,28 +98,32 @@ static int mkrecord(struct passwd_ctx *ctx, char *user)
 static void usage(void)
 {
 apr_file_printf(errfile, "Usage:" NL
- "\thtpasswd [-cimBdpsDv] [-C cost] passwordfile username" NL
- "\thtpasswd -b[cmBdpsDv] [-C cost] passwordfile username password" NL
+ "\thtpasswd [-cimB25dpsDv] [-C cost] [-r rounds] passwordfile username" NL
+ "\thtpasswd -b[cmB25dpsDv] [-C cost] [-r rounds] passwordfile username password" NL
 NL
- "\thtpasswd -n[imBdps] [-C cost] username" NL
- "\thtpasswd -nb[mBdps] [-C cost] username password" NL
+ "\thtpasswd -n[imB25dps] [-C cost] [-r rounds] username" NL
+ "\thtpasswd -nb[mB25dps] [-C cost] [-r rounds] username password" NL
 " -c Create a new file." NL
 " -n Don't update file; display results on stdout." NL
 " -b Use the password from the command line rather than prompting "
 "for it." NL
 " -i Read password from stdin without verification (for script usage)." NL
- " -m Force MD5 encryption of the password (default)." NL
- " -B Force bcrypt encryption of the password (very secure)." NL
+ " -m Force MD5 hashing of the password (default)." NL
+ " -2 Force SHA-256 hashing of the password (secure)." NL
+ " -5 Force SHA-512 hashing of the password (secure)." NL
+ " -B Force bcrypt hashing of the password (very secure)." NL
 " -C Set the computing time used for the bcrypt algorithm" NL
 " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
- " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL
- " -s Force SHA encryption of the password (insecure)." NL
- " -p Do not encrypt the password (plaintext, insecure)." NL
+ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL
+ " (higher is more secure but slower, default: 5000)." NL
+ " -d Force CRYPT hashing of the password (8 chars max, insecure)." NL
+ " -s Force SHA-1 hashing of the password (insecure)." NL
+ " -p Do not hash the password (plaintext, insecure)." NL
 " -D Delete the specified user."
NL
 " -v Verify password for the specified user." NL
 "On other systems than Windows and NetWare the '-p' flag will "
 "probably not work." NL
- "The SHA algorithm does not use a salt and is less secure than the "
+ "The SHA-1 algorithm does not use a salt and is less secure than the "
 "MD5 algorithm." NL,
 BCRYPT_DEFAULT_COST
 );
@@ -178,7 +182,7 @@ static void check_args(int argc, const char *const argv[],
 if (rv != APR_SUCCESS)
 exit(ERR_SYNTAX);
- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) {
+ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) {
 switch (opt) {
 case 'c':
 *mask |= APHTP_NEWFILE;
diff --git a/support/passwd_common.c b/support/passwd_common.c
index 664e509..62e4843 100644
--- a/support/passwd_common.c
+++ b/support/passwd_common.c
@@ -179,16 +179,21 @@ err_too_long:
 int mkhash(struct passwd_ctx *ctx)
 {
 char *pw;
- char salt[16];
+ char salt[17];
 apr_status_t rv;
 int ret = 0;
 #if CRYPT_ALGO_SUPPORTED
 char *cbuf;
 #endif
+#ifdef HAVE_CRYPT_SHA2
+ const char *setting;
+ char method;
+#endif
- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) {
+ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT
+ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) {
 apr_file_printf(errfile,
- "Warning: Ignoring -C argument for this algorithm." NL);
+ "Warning: Ignoring -C/-r argument for this algorithm." NL);
 }
 if (ctx->passwd == NULL) {
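Review bot: The new `-2`, `-5` and `-r` description lines are printed unconditionally, but the matching cases in parse_common_options exist only under HAVE_CRYPT_SHA2 and otherwise return ERR_ALG_NOT_SUPP, so on such a platform the help advertises options the binary then rejects. Bracketing those three lines with `#ifdef HAVE_CRYPT_SHA2` / `#endif` (legal between adjacent string literals) keeps the help honest. The "default: 5000" for `-r` is what crypt() applies when mkhash omits the rounds= field, so wording it as the crypt() default rather than htpasswd's own would be more accurate. usage()'s body ends outside this hunk.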
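Review bot: `salt` grows from 16 to 17 bytes with no comment saying why; from the later SHA-2 case, `generate_salt(salt, 16, ...)` presumably writes 16 characters plus a terminator, whereas the bcrypt path fills exactly 16 raw bytes, so `char salt[17]; /* 16 chars + NUL for generate_salt(); bcrypt uses 16 raw bytes */` would record the constraint. Separately, `setting` and `method` are declared under HAVE_CRYPT_SHA2 while `cbuf`, which the SHA-2 case in the next hunk also assigns, is declared only under CRYPT_ALGO_SUPPORTED; if those two macros can ever differ on a platform, that case does not compile, so either declare `cbuf` under both or guard the SHA-2 code with `#if defined(HAVE_CRYPT_SHA2) && CRYPT_ALGO_SUPPORTED`. mkhash's body continues past this hunk.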
@@ -246,6 +251,34 @@ int mkhash(struct passwd_ctx *ctx)
 break;
 #endif /* CRYPT_ALGO_SUPPORTED */
+#ifdef HAVE_CRYPT_SHA2
+ case ALG_CRYPT_SHA256:
+ case ALG_CRYPT_SHA512:
+ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool);
+ if (ret != 0)
+ break;
+
+ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6';
+
+ if (ctx->cost)
+ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s",
+ method, ctx->cost, salt);
+ else
+ setting = apr_psprintf(ctx->pool, "$%c$%s",
+ method, salt);
+
+ cbuf = crypt(pw, setting);
+ if (cbuf == NULL) {
+ rv = APR_FROM_OS_ERROR(errno);
+ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv);
+ ret = ERR_PWMISMATCH;
+ break;
+ }
+
+ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
+ break;
+#endif /* HAVE_CRYPT_SHA2 */
+
 #if BCRYPT_ALGO_SUPPORTED
 case ALG_BCRYPT:
 rv = apr_generate_random_bytes((unsigned char*)salt, 16);
@@ -294,6 +327,19 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
 case 's':
 ctx->alg = ALG_APSHA;
 break;
+#ifdef HAVE_CRYPT_SHA2
+ case '2':
+ ctx->alg = ALG_CRYPT_SHA256;
+ break;
+ case '5':
+ ctx->alg = ALG_CRYPT_SHA512;
+ break;
+#else
+ case '2':
+ case '5':
+ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform.";
+ return ERR_ALG_NOT_SUPP;
+#endif
 case 'p':
 ctx->alg = ALG_PLAIN;
 #if !PLAIN_ALGO_SUPPORTED
@@ -324,11 +370,12 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
 return ERR_ALG_NOT_SUPP;
 #endif
 break;
- case 'C': {
+ case 'C':
+ case 'r': {
 char *endptr;
 long num = strtol(opt_arg, &endptr, 10);
 if (*endptr != '\0' || num <= 0) {
- ctx->errstr = "argument to -C must be a positive integer";
+ ctx->errstr = "argument to -C/-r must be a positive integer";
 return ERR_SYNTAX;
 }
 ctx->cost = num;
diff --git a/support/passwd_common.h b/support/passwd_common.h
index 660081e..874c5e7 100644
--- a/support/passwd_common.h
+++ b/support/passwd_common.h
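Review bot: The `cbuf == NULL` test after `crypt(pw, setting)` misses the failure mode of libxcrypt, which when built with failure tokens (its default) reports an unusable setting by returning a short '*'-prefixed string such as "*0" instead of NULL; that token would then be copied into ctx->out and written to the password file as if it were a hash, leaving the entry silently unusable. Treat `if (cbuf == NULL || cbuf[0] == '*') {` as the failure condition, or check errno after the call. `ERR_PWMISMATCH` is also an odd code for a crypt() failure — if passwd_common.h has a general failure code, prefer it — and `apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1)` leaves one byte unused because apr_cpystrn already reserves room for the NUL, which deserves a comment if intentional. The switch and mkhash's body continue outside the hunk.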
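Review bot: Merging `case 'r':` into the `-C` handler makes the two flags aliases of one field, so `-B -r 12` sets the bcrypt cost and `-5 -C 5000` sets the SHA-2 rounds, and the only validation is `num > 0` before `ctx->cost = num` narrows a long to int. Rejecting out-of-range values here, `if (*endptr != '\0' || num <= 0 || num > INT_MAX) {`, avoids the wrap, and a one-line comment such as `/* -C and -r both land in ctx->cost; the algorithm selected decides its meaning */` documents the aliasing for the next reader. Whether the bcrypt 4..17 range and the rounds= bounds are checked elsewhere is not visible from this hunk. parse_common_options continues past the hunk.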
@@ -28,6 +28,10 @@
 #include "apu_version.h"
 #endif
+#if !defined(WIN32) && !defined(NETWARE)
+#include "ap_config_auto.h"
+#endif
+
 #define MAX_STRING_LEN 256
 #define ALG_PLAIN 0
@@ -35,6 +39,8 @@
 #define ALG_APMD5 2
 #define ALG_APSHA 3
 #define ALG_BCRYPT 4
+#define ALG_CRYPT_SHA256 5
+#define ALG_CRYPT_SHA512 6
 #define BCRYPT_DEFAULT_COST 5
@@ -84,7 +90,7 @@ struct passwd_ctx {
 apr_size_t out_len;
 char *passwd;
 int alg;
- int cost;
+ int cost; /* cost for bcrypt, rounds for SHA-2 */
 enum {
 PW_PROMPT = 0,
 PW_ARG,
-- cgit v1.2.3