mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-12 21:52:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added support for {SHA} passwords (ticket #50).

Browse Source 
Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables.  Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.

The {SHA} password scheme support is added to avoid the need of changing
the scheme recorded in password files from {SHA} to {SSHA} because such
a change hides security problem with {SHA} passwords.

Patch by Louis Opter, with minor changes.
This commit is contained in:
Maxim Dounin 2013-02-07 12:09:56 +00:00
parent 6cb9bbe71c
commit a2b987e79f
1 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/core/ngx_crypt.c
View File

@ -24,6 +24,8 @@ static ngx_int_t ngx_crypt_plain(ngx_pool_t *pool, u_char *key, u_char *salt,
static ngx_int_t ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt, static ngx_int_t ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt,
u_char **encrypted); u_char **encrypted);
static ngx_int_t ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt,
u_char **encrypted);
#endif #endif
@ -43,6 +45,9 @@ ngx_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
#if (NGX_HAVE_SHA1) #if (NGX_HAVE_SHA1)
} else if (ngx_strncmp(salt, "{SSHA}", sizeof("{SSHA}") - 1) == 0) { } else if (ngx_strncmp(salt, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
return ngx_crypt_ssha(pool, key, salt, encrypted); return ngx_crypt_ssha(pool, key, salt, encrypted);
} else if (ngx_strncmp(salt, "{SHA}", sizeof("{SHA}") - 1) == 0) {
return ngx_crypt_sha(pool, key, salt, encrypted);
#endif #endif
} }
@ -241,6 +246,38 @@ ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
return NGX_OK; return NGX_OK;
} }
static ngx_int_t
ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
{
size_t len;
ngx_str_t encoded, decoded;
ngx_sha1_t sha1;
u_char digest[20];
/* "{SHA}" base64(SHA1(key)) */
decoded.len = sizeof(digest);
decoded.data = digest;
ngx_sha1_init(&sha1);
ngx_sha1_update(&sha1, key, ngx_strlen(key));
ngx_sha1_final(digest, &sha1);
len = sizeof("{SHA}") - 1 + ngx_base64_encoded_length(decoded.len) + 1;
*encrypted = ngx_pnalloc(pool, len);
if (*encrypted == NULL) {
return NGX_ERROR;
}
encoded.data = ngx_cpymem(*encrypted, "{SHA}", sizeof("{SHA}") - 1);
ngx_encode_base64(&encoded, &decoded);
encoded.data[encoded.len] = '\0';
return NGX_OK;
}
#endif /* NGX_HAVE_SHA1 */ #endif /* NGX_HAVE_SHA1 */
#endif /* NGX_CRYPT */ #endif /* NGX_CRYPT */