coar99/01/25 14:55:41
Modified:.STATUS
src CHANGES
src/ap ap_md5c.c
src/include ap_md5.h
src/modules/standard mod_auth.c mod_auth_db.c mod_auth_dbm.c
src/support htpasswd.1 htpasswd.c
Log:
Enhance the authentication password handling so that stored
passwords can be encrypted with either DES or MD5. htpasswd can
now generate either on systems that allow both, and MD5 on
Win32. .htpasswd files can contain both types; usernames
with passwords encrypted with MD5 and usernames with DES
passwords can appear in the same file. The authentication
modules (mod_auth, mod_auth_db, mod_auth_dbm) autosense the
correct algorithm from the stored password.
This gives us encrypted passwords on Win32 at last. This is
only the first part of the patch; some changes needed for the
Win32 side to build properly are still being worked on and should
be committed tomorrow. However, Unix systems can build with
and use these changes immediately.
Submitted by: Ryan Bloom [EMAIL PROTECTED]
Reviewed by: Ken Coar
Revision ChangesPath
1.607 +1 -5 apache-1.3/STATUS
Index: STATUS
===
RCS file: /home/cvs/apache-1.3/STATUS,v
retrieving revision 1.606
retrieving revision 1.607
diff -u -r1.606 -r1.607
--- STATUS1999/01/20 03:38:18 1.606
+++ STATUS1999/01/25 22:55:31 1.607
@@ -1,5 +1,5 @@
1.3 STATUS:
- Last modified at [$Date: 1999/01/20 03:38:18 $]
+ Last modified at [$Date: 1999/01/25 22:55:31 $]
Release:
@@ -385,10 +385,6 @@
That _really_ sucks. Can we recommend running Apache as some
other user?
-
-* need a crypt() of some sort.
- - sources are easy; problem is export restrictions on DES
- - if we don't do DES, can do md5
* modules that need to be made to work on win32
- mod_example isn't multithreadreded
1.1223+3 -0 apache-1.3/src/CHANGES
Index: CHANGES
===
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1222
retrieving revision 1.1223
diff -u -r1.1222 -r1.1223
--- CHANGES 1999/01/25 18:12:36 1.1222
+++ CHANGES 1999/01/25 22:55:33 1.1223
@@ -1,5 +1,8 @@
Changes with Apache 1.3.5
+ *) Add ability to handle DES or MD5 authentication passwords.
+ [Ryan Bloom [EMAIL PROTECTED]]
+
*) Fix O(n^2) memory consumption in mod_speling. [Dean Gaudet]
*) SECURITY: Avoid some buffer overflow problems when escaping
1.18 +45 -0 apache-1.3/src/ap/ap_md5c.c
Index: ap_md5c.c
===
RCS file: /home/cvs/apache-1.3/src/ap/ap_md5c.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- ap_md5c.c 1999/01/01 19:04:53 1.17
+++ ap_md5c.c 1999/01/25 22:55:36 1.18
@@ -92,6 +92,7 @@
#include ap_config.h
#include ap_md5.h
+#include ap.h
#ifdef CHARSET_EBCDIC
#include ebcdic.h
#endif /*CHARSET_EBCDIC*/
@@ -389,4 +390,48 @@
for (i = 0, j = 0; j len; i++, j += 4)
output[i] = ((UINT4) input[j]) | (((UINT4) input[j + 1]) 8) |
(((UINT4) input[j + 2]) 16) | (((UINT4) input[j + 3]) 24);
+}
+
+API_EXPORT(char *) ap_MD5Encode(const char *password, const char * salt) {
+/* salt has size 2, md5 hash size 22, plus 1 for trailing NUL, plus 4 for
+ '$' separators between md5 distinguisher, salt, and password.*/
+
+static unsigned char ret[2+22+1+4];
+AP_MD5_CTX my_md5;
+unsigned char hash[16], *cp;
+register int i;
+static const char *alphabet =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./;
+
+/*
+ * Take the MD5 hash of the string argument.
+*/
+
+sprintf(ret, $1$%s$, salt);
+
+/* If the salt is shorter than 2, pad with random characters */
+for (cp = ret[strlen(ret)]; cp ret[2]; ++cp) {
+*cp = alphabet[rand() 0x3F];
+}
+ap_MD5Init(my_md5);
+ap_MD5Update(my_md5, salt, 2);
+ap_MD5Update(my_md5, password, strlen(password));
+ap_MD5Final(hash, my_md5);
+
+/* Take 3*8 bits (3 bytes) and store them as 4 base64 bytes (of 6 bit
each) */
+/* Copy first 15 bytes in loop (producing 20 result bytes) */
+for (i = 0, cp = ret[6]; i 15; i += 3, cp += 4) {
+long l = hash[i] | (hash[i+1] 8) | (hash[i+2] 16);
+
+cp[0] = alphabet[l0x3F];
+cp[1] = alphabet[(l6)0x3F];
+cp[2] = alphabet[(l12)0x3F];
+cp[3] = alphabet[(l18)0x3F];
+}
+cp[0] = alphabet[hash[i]0x3F]; /* Use 16th byte as 21st result byte */
+