Mercurial > hg > nginx
comparison src/core/ngx_crypt.c @ 5034:e4441ebe05d5
Added support for {SHA} passwords (ticket #50).
Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables. Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.
The {SHA} password scheme support is added to avoid the need of changing
the scheme recorded in password files from {SHA} to {SSHA} because such
a change hides security problem with {SHA} passwords.
Patch by Louis Opter, with minor changes.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 07 Feb 2013 12:09:56 +0000 |
| parents | 63dff7943fc7 |
| children | 2d947c2e3ea1 |
comparison
equal
deleted
inserted
replaced
| 5033:174981066745 | 5034:e4441ebe05d5 |
|---|---|
| 22 | 22 |
| 23 #if (NGX_HAVE_SHA1) | 23 #if (NGX_HAVE_SHA1) |
| 24 | 24 |
| 25 static ngx_int_t ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt, | 25 static ngx_int_t ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt, |
| 26 u_char **encrypted); | 26 u_char **encrypted); |
| 27 static ngx_int_t ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt, | |
| 28 u_char **encrypted); | |
| 27 | 29 |
| 28 #endif | 30 #endif |
| 29 | 31 |
| 30 | 32 |
| 31 static u_char *ngx_crypt_to64(u_char *p, uint32_t v, size_t n); | 33 static u_char *ngx_crypt_to64(u_char *p, uint32_t v, size_t n); |
| 41 return ngx_crypt_plain(pool, key, salt, encrypted); | 43 return ngx_crypt_plain(pool, key, salt, encrypted); |
| 42 | 44 |
| 43 #if (NGX_HAVE_SHA1) | 45 #if (NGX_HAVE_SHA1) |
| 44 } else if (ngx_strncmp(salt, "{SSHA}", sizeof("{SSHA}") - 1) == 0) { | 46 } else if (ngx_strncmp(salt, "{SSHA}", sizeof("{SSHA}") - 1) == 0) { |
| 45 return ngx_crypt_ssha(pool, key, salt, encrypted); | 47 return ngx_crypt_ssha(pool, key, salt, encrypted); |
| 48 | |
| 49 } else if (ngx_strncmp(salt, "{SHA}", sizeof("{SHA}") - 1) == 0) { | |
| 50 return ngx_crypt_sha(pool, key, salt, encrypted); | |
| 46 #endif | 51 #endif |
| 47 } | 52 } |
| 48 | 53 |
| 49 /* fallback to libc crypt() */ | 54 /* fallback to libc crypt() */ |
| 50 | 55 |
| 239 encoded.data[encoded.len] = '\0'; | 244 encoded.data[encoded.len] = '\0'; |
| 240 | 245 |
| 241 return NGX_OK; | 246 return NGX_OK; |
| 242 } | 247 } |
| 243 | 248 |
| 249 | |
| 250 static ngx_int_t | |
| 251 ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) | |
| 252 { | |
| 253 size_t len; | |
| 254 ngx_str_t encoded, decoded; | |
| 255 ngx_sha1_t sha1; | |
| 256 u_char digest[20]; | |
| 257 | |
| 258 /* "{SHA}" base64(SHA1(key)) */ | |
| 259 | |
| 260 decoded.len = sizeof(digest); | |
| 261 decoded.data = digest; | |
| 262 | |
| 263 ngx_sha1_init(&sha1); | |
| 264 ngx_sha1_update(&sha1, key, ngx_strlen(key)); | |
| 265 ngx_sha1_final(digest, &sha1); | |
| 266 | |
| 267 len = sizeof("{SHA}") - 1 + ngx_base64_encoded_length(decoded.len) + 1; | |
| 268 | |
| 269 *encrypted = ngx_pnalloc(pool, len); | |
| 270 if (*encrypted == NULL) { | |
| 271 return NGX_ERROR; | |
| 272 } | |
| 273 | |
| 274 encoded.data = ngx_cpymem(*encrypted, "{SHA}", sizeof("{SHA}") - 1); | |
| 275 ngx_encode_base64(&encoded, &decoded); | |
| 276 encoded.data[encoded.len] = '\0'; | |
| 277 | |
| 278 return NGX_OK; | |
| 279 } | |
| 280 | |
| 244 #endif /* NGX_HAVE_SHA1 */ | 281 #endif /* NGX_HAVE_SHA1 */ |
| 245 | 282 |
| 246 #endif /* NGX_CRYPT */ | 283 #endif /* NGX_CRYPT */ |