comparison src/core/ngx_crypt.c @ 5034:e4441ebe05d5
Added support for {SHA} passwords (ticket #50).
Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables. Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.
The {SHA} password scheme support is added to avoid the need to change
the scheme recorded in password files from {SHA} to {SSHA}, because such
a change hides the security problem with {SHA} passwords.
Patch by Louis Opter, with minor changes.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 07 Feb 2013 12:09:56 +0000 |
parents | 63dff7943fc7 |
children | 2d947c2e3ea1 |
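--- a/src/core/ngx_crypt.c
+++ b/src/core/ngx_crypt.c
@@ -22,10 +22,12 @@
 
 #if (NGX_HAVE_SHA1)
 
 static ngx_int_t ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt,
 u_char **encrypted);
+static ngx_int_t ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt,
+u_char **encrypted);
 
 #endif
 
 
 static u_char *ngx_crypt_to64(u_char *p, uint32_t v, size_t n);
@@ -41,10 +43,13 @@
 return ngx_crypt_plain(pool, key, salt, encrypted);
 
 #if (NGX_HAVE_SHA1)
 } else if (ngx_strncmp(salt, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
 return ngx_crypt_ssha(pool, key, salt, encrypted);
+
+} else if (ngx_strncmp(salt, "{SHA}", sizeof("{SHA}") - 1) == 0) {
+return ngx_crypt_sha(pool, key, salt, encrypted);
 #endif
 }
 
 /* fallback to libc crypt() */
 
@@ -239,8 +244,40 @@
 encoded.data[encoded.len] = '\0';
 
 return NGX_OK;
 }
 
+
+static ngx_int_t
+ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
+{
+size_t len;
+ngx_str_t encoded, decoded;
+ngx_sha1_t sha1;
+u_char digest[20];
+
+/* "{SHA}" base64(SHA1(key)) */
+
+decoded.len = sizeof(digest);
+decoded.data = digest;
+
+ngx_sha1_init(&sha1);
+ngx_sha1_update(&sha1, key, ngx_strlen(key));
+ngx_sha1_final(digest, &sha1);
+
+len = sizeof("{SHA}") - 1 + ngx_base64_encoded_length(decoded.len) + 1;
+
+*encrypted = ngx_pnalloc(pool, len);
+if (*encrypted == NULL) {
+return NGX_ERROR;
+}
+
+encoded.data = ngx_cpymem(*encrypted, "{SHA}", sizeof("{SHA}") - 1);
+ngx_encode_base64(&encoded, &decoded);
+encoded.data[encoded.len] = '\0';
+
+return NGX_OK;
+}
+
 #endif /* NGX_HAVE_SHA1 */
 
 #endif /* NGX_CRYPT */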
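Review bot: ngx_crypt_sha() carries only the comment `/* "{SHA}" base64(SHA1(key)) */`, so nothing in the source records the caveat from the commit message that this scheme is unsalted and supported for existing password files only. I would extend the comment to `/* "{SHA}" base64(SHA1(key)); unsalted: equal passwords give equal hashes, prefer {SSHA} or $apr1$ */`. The `salt` argument is never read in this function; a short remark such as `/* salt is unused, kept to match ngx_crypt_ssha() */` would tell the next reader that this is deliberate. The function is shown in full, while the ngx_crypt() dispatcher that calls it is only partly visible here.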