diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2013-02-07 12:09:56 +0000 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2013-02-07 12:09:56 +0000 |
| commit | a2b987e79f099e34ddc5206b2b7c85f7405e5b74 (patch) | |
| tree | 13519c1e8a3ecc09ced475e01e13c388afdbd5eb /src | |
| parent | 6cb9bbe71cf0f3f4e31a5d768042ad3e5eb24199 (diff) | |
| download | nginx-a2b987e79f099e34ddc5206b2b7c85f7405e5b74.tar.gz nginx-a2b987e79f099e34ddc5206b2b7c85f7405e5b74.zip | |
Added support for {SHA} passwords (ticket #50).
Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables. Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.
The {SHA} password scheme support is added to avoid the need of changing
the scheme recorded in password files from {SHA} to {SSHA} because such
a change hides security problem with {SHA} passwords.
Patch by Louis Opter, with minor changes.
Diffstat (limited to 'src')
| -rw-r--r-- | src/core/ngx_crypt.c | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/src/core/ngx_crypt.c b/src/core/ngx_crypt.c index b2e25b901..629d160e8 100644 --- a/src/core/ngx_crypt.c +++ b/src/core/ngx_crypt.c @@ -24,6 +24,8 @@ static ngx_int_t ngx_crypt_plain(ngx_pool_t *pool, u_char *key, u_char *salt, static ngx_int_t ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted); +static ngx_int_t ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt, + u_char **encrypted); #endif @@ -43,6 +45,9 @@ ngx_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) #if (NGX_HAVE_SHA1) } else if (ngx_strncmp(salt, "{SSHA}", sizeof("{SSHA}") - 1) == 0) { return ngx_crypt_ssha(pool, key, salt, encrypted); + + } else if (ngx_strncmp(salt, "{SHA}", sizeof("{SHA}") - 1) == 0) { + return ngx_crypt_sha(pool, key, salt, encrypted); #endif } @@ -241,6 +246,38 @@ ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) return NGX_OK; } + +static ngx_int_t +ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) +{ + size_t len; + ngx_str_t encoded, decoded; + ngx_sha1_t sha1; + u_char digest[20]; + + /* "{SHA}" base64(SHA1(key)) */ + + decoded.len = sizeof(digest); + decoded.data = digest; + + ngx_sha1_init(&sha1); + ngx_sha1_update(&sha1, key, ngx_strlen(key)); + ngx_sha1_final(digest, &sha1); + + len = sizeof("{SHA}") - 1 + ngx_base64_encoded_length(decoded.len) + 1; + + *encrypted = ngx_pnalloc(pool, len); + if (*encrypted == NULL) { + return NGX_ERROR; + } + + encoded.data = ngx_cpymem(*encrypted, "{SHA}", sizeof("{SHA}") - 1); + ngx_encode_base64(&encoded, &decoded); + encoded.data[encoded.len] = '\0'; + + return NGX_OK; +} + #endif /* NGX_HAVE_SHA1 */ #endif /* NGX_CRYPT */ |