Add support for SHA-2 crypt() algorithm in htpasswd.

* configure.in: Detect SHA-2 support in crypt(). * support/passwd_common.h: Define ALG_CRYPT_SHA256, ALG_CRYPT_SHA512, include ap_config_auto.h. * support/htpasswd.c (check_args): Allow -2, -5, -r arguments for SHA-256, SHA-256 and rounds options respectively. * support/passwd_common.c (parse_common_options): Parse -2, -5, -r args. (mkhash): Generate crypt hash for SHA256/SHA512 algorithms. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1861793 13f79535-47bb-0310-9956-ffa450edef68
author: Joe Orton <jorton@apache.org> 2019-06-21 16:20:29 +0000
committer: Joe Orton <jorton@apache.org> 2019-06-21 16:20:29 +0000
commit: 57748d60a5e58598b8f66feaa7760ebed9a02dbf (patch)
tree: 712d8a3456a19cdd4b0f20bf62f65912e83517a4 /support
parent: 07e3fbd647bc9ed047eca8bf8fc22eae47d97daa (diff)
download: httpd-57748d60a5e58598b8f66feaa7760ebed9a02dbf.tar.gz
3 files changed, 57 insertions, 6 deletions
diff --git a/support/htpasswd.c b/support/htpasswd.c
index 73b291d72c..f399a9b423 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
@@ -178,7 +178,7 @@ static void check_args(int argc, const char *const argv[],
     if (rv != APR_SUCCESS)
         exit(ERR_SYNTAX);
 
-    while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) {
+    while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) {
         switch (opt) {
         case 'c':
             *mask |= APHTP_NEWFILE;
diff --git a/support/passwd_common.c b/support/passwd_common.c
index 664e509b95..d45657cc26 100644
--- a/support/passwd_common.c
+++ b/support/passwd_common.c
@@ -185,10 +185,15 @@ int mkhash(struct passwd_ctx *ctx)
 #if CRYPT_ALGO_SUPPORTED
     char *cbuf;
 #endif
+#ifdef HAVE_CRYPT_SHA2
+    const char *setting;
+    char method;
+#endif
 
-    if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) {
+    if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT
+        && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) {
         apr_file_printf(errfile,
-                        "Warning: Ignoring -C argument for this algorithm." NL);
+                        "Warning: Ignoring -C/-r argument for this algorithm." NL);
     }
 
     if (ctx->passwd == NULL) {
@@ -246,6 +251,34 @@ int mkhash(struct passwd_ctx *ctx)
         break;
 #endif /* CRYPT_ALGO_SUPPORTED */
 
+#ifdef HAVE_CRYPT_SHA2
+    case ALG_CRYPT_SHA256:
+    case ALG_CRYPT_SHA512:
+        ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool);
+        if (ret != 0)
+            break;
+
+        method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6';
+
+        if (ctx->cost) 
+            setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s",
+                                   method, ctx->cost, salt);
+        else
+            setting = apr_psprintf(ctx->pool, "$%c$%s",
+                                   method, salt);
+
+        cbuf = crypt(pw, setting);
+        if (cbuf == NULL) {
+            rv = APR_FROM_OS_ERROR(errno);
+            ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv);
+            ret = ERR_PWMISMATCH;
+            break;
+        }
+
+        apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
+        break;
+#endif /* HAVE_CRYPT_SHA2 */
+
 #if BCRYPT_ALGO_SUPPORTED
     case ALG_BCRYPT:
         rv = apr_generate_random_bytes((unsigned char*)salt, 16);
@@ -294,6 +327,19 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
     case 's':
         ctx->alg = ALG_APSHA;
         break;
+#ifdef HAVE_CRYPT_SHA2
+    case '2':
+        ctx->alg = ALG_CRYPT_SHA256;
+        break;
+    case '5':
+        ctx->alg = ALG_CRYPT_SHA512;
+        break;
+#else
+    case '2':
+    case '5':
+        ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform.";
+        return ERR_ALG_NOT_SUPP;
+#endif
     case 'p':
         ctx->alg = ALG_PLAIN;
 #if !PLAIN_ALGO_SUPPORTED
@@ -324,11 +370,12 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
         return ERR_ALG_NOT_SUPP;
 #endif
         break;
-    case 'C': {
+    case 'C':
+    case 'r': {
             char *endptr;
             long num = strtol(opt_arg, &endptr, 10);
             if (*endptr != '\0' || num <= 0) {
-                ctx->errstr = "argument to -C must be a positive integer";
+                ctx->errstr = "argument to -C/-r must be a positive integer";
                 return ERR_SYNTAX;
             }
             ctx->cost = num;
diff --git a/support/passwd_common.h b/support/passwd_common.h
index 660081e908..f1b3cd7ec6 100644
--- a/support/passwd_common.h
+++ b/support/passwd_common.h
@@ -28,6 +28,8 @@
 #include "apu_version.h"
 #endif
 
+#include "ap_config_auto.h"
+
 #define MAX_STRING_LEN 256
 
 #define ALG_PLAIN 0
@@ -35,6 +37,8 @@
 #define ALG_APMD5 2
 #define ALG_APSHA 3
 #define ALG_BCRYPT 4
+#define ALG_CRYPT_SHA256 5
+#define ALG_CRYPT_SHA512 6
 
 #define BCRYPT_DEFAULT_COST 5
 
@@ -84,7 +88,7 @@ struct passwd_ctx {
     apr_size_t      out_len;
     char            *passwd;
     int             alg;
-    int             cost;
+    int             cost; /* cost for bcrypt, rounds for SHA-2 */
     enum {
         PW_PROMPT = 0,
         PW_ARG,
author	Joe Orton <jorton@apache.org>	2019-06-21 16:20:29 +0000
committer	Joe Orton <jorton@apache.org>	2019-06-21 16:20:29 +0000
commit	57748d60a5e58598b8f66feaa7760ebed9a02dbf (patch)
tree	712d8a3456a19cdd4b0f20bf62f65912e83517a4 /support
parent	07e3fbd647bc9ed047eca8bf8fc22eae47d97daa (diff)
download	httpd-57748d60a5e58598b8f66feaa7760ebed9a02dbf.tar.gz