SOURCES: lighttpd-apr1.patch (NEW) - from http://trac.lighttpd.net...

glen glen at pld-linux.org
Sun Sep 24 22:03:46 CEST 2006 

Author: glen                         Date: Sun Sep 24 20:03:46 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- from http://trac.lighttpd.net/trac/ticket/444 for lighttpd 1.5

---- Files affected:
SOURCES:
   lighttpd-apr1.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/lighttpd-apr1.patch
diff -u /dev/null SOURCES/lighttpd-apr1.patch:1.1
--- /dev/null	Sun Sep 24 22:03:46 2006
+++ SOURCES/lighttpd-apr1.patch	Sun Sep 24 22:03:41 2006
@@ -0,0 +1,221 @@
+--- lighttpd-1.4.12/src/http_auth.c	2006-07-22 15:45:29.000000000 +0300
++++ lighttpd-1.4.12.apr1/src/http_auth.c	2006-07-25 21:10:35.215248417 +0300
+@@ -39,6 +39,17 @@
+ # include "md5.h"
+ #endif
+ 
++/*
++ * The apr_md5_encode() routine uses much code obtained from the FreeBSD 3.0
++ * MD5 crypt() function, which is licenced as follows:
++ * ----------------------------------------------------------------------------
++ * "THE BEER-WARE LICENSE" (Revision 42):
++ * <phk at login.dknet.dk> wrote this file.  As long as you retain this notice you
++ * can do whatever you want with this stuff. If we meet some day, and you think
++ * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
++ * ----------------------------------------------------------------------------
++ */
++
+ handler_t auth_ldap_init(server *srv, mod_auth_plugin_config *s);
+ 
+ static const char base64_pad = '=';
+@@ -405,6 +416,177 @@
+ 	return -1;
+ }
+ 
++#define APR_MD5_DIGESTSIZE 16
++#define APR1_ID "$apr1$"
++
++/*
++ * The following MD5 password encryption code was largely borrowed from
++ * the FreeBSD 3.0 /usr/src/lib/libcrypt/crypt.c file, which is
++ * licenced as stated at the top of this file.
++ */
++
++static void to64(char *s, unsigned long v, int n)
++{
++    static unsigned char itoa64[] =         /* 0 ... 63 => ASCII - 64 */
++        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
++
++    while (--n >= 0) {
++        *s++ = itoa64[v&0x3f];
++        v >>= 6;
++    }
++}
++
++static void apr_md5_encode(const char *pw, const char *salt, char *result, size_t nbytes) {
++    /*
++     * Minimum size is 8 bytes for salt, plus 1 for the trailing NUL,
++     * plus 4 for the '$' separators, plus the password hash itself.
++     * Let's leave a goodly amount of leeway.
++     */
++
++    char passwd[120], *p;
++    const char *sp, *ep;
++    unsigned char final[APR_MD5_DIGESTSIZE];
++    ssize_t sl, pl, i;
++    MD5_CTX ctx, ctx1;
++    unsigned long l;
++
++    /* 
++     * Refine the salt first.  It's possible we were given an already-hashed
++     * string as the salt argument, so extract the actual salt value from it
++     * if so.  Otherwise just use the string up to the first '$' as the salt.
++     */
++    sp = salt;
++
++    /*
++     * If it starts with the magic string, then skip that.
++     */
++    if (!strncmp(sp, APR1_ID, strlen(APR1_ID))) {
++        sp += strlen(APR1_ID);
++    }
++
++    /*
++     * It stops at the first '$' or 8 chars, whichever comes first
++     */
++    for (ep = sp; (*ep != '\0') && (*ep != '$') && (ep < (sp + 8)); ep++) {
++        continue;
++    }
++
++    /*
++     * Get the length of the true salt
++     */
++    sl = ep - sp;
++
++    /*
++     * 'Time to make the doughnuts..'
++     */
++    MD5_Init(&ctx);
++    
++    /*
++     * The password first, since that is what is most unknown
++     */
++    MD5_Update(&ctx, pw, strlen(pw));
++
++    /*
++     * Then our magic string
++     */
++    MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
++
++    /*
++     * Then the raw salt
++     */
++    MD5_Update(&ctx, sp, sl);
++
++    /*
++     * Then just as many characters of the MD5(pw, salt, pw)
++     */
++    MD5_Init(&ctx1);
++    MD5_Update(&ctx1, pw, strlen(pw));
++    MD5_Update(&ctx1, sp, sl);
++    MD5_Update(&ctx1, pw, strlen(pw));
++    MD5_Final(final, &ctx1);
++    for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) {
++        MD5_Update(&ctx, final, 
++                      (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl);
++    }
++
++    /*
++     * Don't leave anything around in vm they could use.
++     */
++    memset(final, 0, sizeof(final));
++
++    /*
++     * Then something really weird...
++     */
++    for (i = strlen(pw); i != 0; i >>= 1) {
++        if (i & 1) {
++            MD5_Update(&ctx, final, 1);
++        }
++        else {
++            MD5_Update(&ctx, pw, 1);
++        }
++    }
++
++    /*
++     * Now make the output string.  We know our limitations, so we
++     * can use the string routines without bounds checking.
++     */
++    strcpy(passwd, APR1_ID);
++    strncat(passwd, sp, sl);
++    strcat(passwd, "$");
++
++    MD5_Final(final, &ctx);
++
++    /*
++     * And now, just to make sure things don't run too fast..
++     * On a 60 Mhz Pentium this takes 34 msec, so you would
++     * need 30 seconds to build a 1000 entry dictionary...
++     */
++    for (i = 0; i < 1000; i++) {
++        MD5_Init(&ctx1);
++        if (i & 1) {
++            MD5_Update(&ctx1, pw, strlen(pw));
++        }
++        else {
++            MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++        }
++        if (i % 3) {
++            MD5_Update(&ctx1, sp, sl);
++        }
++
++        if (i % 7) {
++            MD5_Update(&ctx1, pw, strlen(pw));
++        }
++
++        if (i & 1) {
++            MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++        }
++        else {
++            MD5_Update(&ctx1, pw, strlen(pw));
++        }
++        MD5_Final(final,&ctx1);
++    }
++
++    p = passwd + strlen(passwd);
++
++    l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p, l, 4); p += 4;
++    l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p, l, 4); p += 4;
++    l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p, l, 4); p += 4;
++    l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p, l, 4); p += 4;
++    l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p, l, 4); p += 4;
++    l =                    final[11]                ; to64(p, l, 2); p += 2;
++    *p = '\0';
++
++    /*
++     * Don't leave anything around in vm they could use.
++     */
++    memset(final, 0, sizeof(final));
++
++	// FIXME
++#define apr_cpystrn strncpy
++    apr_cpystrn(result, passwd, nbytes - 1);
++}
++
++
+ /**
+  *
+  *
+@@ -441,6 +623,14 @@
+ 			return 0;
+ 		}
+ 	} else if (p->conf.auth_backend == AUTH_BACKEND_HTPASSWD) {
++		char sample[120];
++		if (!strncmp(password->ptr, APR1_ID, strlen(APR1_ID))) {
++			/*
++			 * The hash was created using $apr1$ custom algorithm.
++			 */
++			apr_md5_encode(pw, password->ptr, sample, sizeof(sample));
++			return (strcmp(sample, password->ptr) == 0) ? 0 : 1;
++		} else {
+ #ifdef HAVE_CRYPT
+ 		char salt[32];
+ 		char *crypted;
+@@ -494,6 +684,7 @@
+ 		} else {
+ 			fprintf(stderr, "%s.%d\n", __FILE__, __LINE__);
+ 		}
++		}
+ 
+ #endif
+ 	} else if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) {
================================================================

More information about the pld-cvs-commit mailing list