comparison src/core/ngx_crypt.c @ 4815:63dff7943fc7
Crypt: fixed handling of corrupted SSHA entries in password file.
Found by Coverity.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 16 Aug 2012 12:05:58 +0000 |
parents | 4c36e15651f7 |
children | e4441ebe05d5 |
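--- a/src/core/ngx_crypt.c
+++ b/src/core/ngx_crypt.c
@@ -192,26 +192,33 @@
 
 static ngx_int_t
 ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
 {
 size_t len;
+ngx_int_t rc;
 ngx_str_t encoded, decoded;
 ngx_sha1_t sha1;
 
 /* "{SSHA}" base64(SHA1(key salt) salt) */
 
 /* decode base64 salt to find out true salt */
 
 encoded.data = salt + sizeof("{SSHA}") - 1;
 encoded.len = ngx_strlen(encoded.data);
 
-decoded.data = ngx_pnalloc(pool, ngx_base64_decoded_length(encoded.len));
+len = ngx_max(ngx_base64_decoded_length(encoded.len), 20);
+
+decoded.data = ngx_pnalloc(pool, len);
 if (decoded.data == NULL) {
 return NGX_ERROR;
 }
 
-ngx_decode_base64(&decoded, &encoded);
+rc = ngx_decode_base64(&decoded, &encoded);
+
+if (rc != NGX_OK || decoded.len < 20) {
+decoded.len = 20;
+}
 
 /* update SHA1 from key and salt */
 
 ngx_sha1_init(&sha1);
 ngx_sha1_update(&sha1, key, ngx_strlen(key));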
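Review bot: The fallback at new lines 217-219 silently forces `decoded.len = 20` for a corrupted entry, and nothing in the hunk says what 20 is or why continuing is safe. It appears to be the SHA-1 digest size, presumably chosen so that a salt length derived from `decoded.len` later cannot underflow, but whether the corrupted entry is actually rejected depends on the comparison in code past the end of this hunk (ngx_crypt_ssha continues beyond new line 224). I would add a comment above the assignment such as `/* corrupted entry: fall back to an empty salt so the result cannot match */` and give the three literal 20s (new lines 208, 217, 218) a single named constant. As far as the hunk shows, the buffer is not initialised when the decode fails, so the code that follows has to write those 20 bytes before reading them; that is worth stating in the comment too.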