httpd-cvs mailing list archives

From wr...@locus.apache.org
Subject cvs commit: apache-1.3/src/support dbmmanage
Date Mon, 25 Sep 2000 19:03:12 GMT
wrowe       00/09/25 12:03:12

  Modified:    .        STATUS
               src      CHANGES
               src/support dbmmanage
  Log:
    Cleaner feature tests and new -d -m -s -p options for crypt, MD5, SHA1
    and plaintext password cyphers.  Not certain what the $^O tag for
    NETWARE really is, so this may need to be fixed.
  
  Revision  Changes    Path
  1.842     +5 -9      apache-1.3/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/apache-1.3/STATUS,v
  retrieving revision 1.841
  retrieving revision 1.842
  diff -u -r1.841 -r1.842
  --- STATUS	2000/09/22 20:35:27	1.841
  +++ STATUS	2000/09/25 19:03:09	1.842
  @@ -1,5 +1,5 @@
     1.3 STATUS:
  -  Last modified at [$Date: 2000/09/22 20:35:27 $]
  +  Last modified at [$Date: 2000/09/25 19:03:09 $]
   
   Release:
   
  @@ -280,11 +280,9 @@
   	-0: Greg (volunteers; will add to 2.0 series rather than 1.3)
           +1: Martin
   
  -    * Many people have asked for a DBM to be distributed with Apache to
  -      isolate it from platform inconsistencies. SDBM (used by mod_ssl,
  -      mod_dav, Perl, and others) should fit the bill and is public domain.
  -	-0: Greg (volunteers; will add to 2.0 series rather than 1.3)
  -        +1: Martin
  +    * SDBM is now distributed in src/lib, as distributed with mod_dav, but
  +      is only incorporated into the Win32 build.  Extra cleanup and build 
  +      mechanics are still needed for other platforms.
   
       * Maybe a http_paths.h file? See
   	<Pine.BSF.3.95q.971209222046.25627D-100000@valis.worldgate.com>
  @@ -440,9 +438,7 @@
       * modules that need to be made to work on win32
           - mod_example isn't multithreadreded
   	- mod_unique_id (needs mt changes)
  -	- mod_auth_db.c  (do we want to even try this?  We should have some
  -          db of some sort... what else can we pick from under win32?)
  -	- mod_auth_dbm.c
  +	- mod_auth_db.c  (although mod_auth_dbm is already working.)
   	- mod_log_agent.c
   	- mod_log_referer.c
   	- mod_mime_magic.c (needs access to mod_mime API stage...)
  
  
  
  1.1579    +4 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1578
  retrieving revision 1.1579
  diff -u -r1.1578 -r1.1579
  --- CHANGES	2000/09/22 20:40:57	1.1578
  +++ CHANGES	2000/09/25 19:03:10	1.1579
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3.13
   
  +  *) Expand dbmmanage to allow -d -m -s -p options for Crypt, MD5,
  +     SHA1 and plaintext password encodings.  Make feature tests a
  +     bit more flexible.  [William Rowe]
  +
     *) Fix a security problem that affects some configurations of
        mod_rewrite. If the result of a RewriteRule is a filename that
        contains expansion specifiers, especially regexp backreferences
  
  
  
  1.17      +128 -26   apache-1.3/src/support/dbmmanage
  
  Index: dbmmanage
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/support/dbmmanage,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- dbmmanage	2000/09/20 20:08:08	1.16
  +++ dbmmanage	2000/09/25 19:03:11	1.17
  @@ -66,11 +66,9 @@
   use strict;
   use Fcntl;
   use AnyDBM_File ();
  +use Crypt::PasswdMD5 qw(apache_md5_crypt); # http://www.cpan.org/modules/by-module/Crypt/
  +use Digest::SHA1 qw(sha1_base64);          # http://www.cpan.org/modules/by-module/MD5/
   
  -my($file,$command,$key,$crypted_pwd,$groups,$comment) = @ARGV;
  -
  -usage() unless $file and $command and defined &{$dbmc::{$command}};
  -
   # if your osname is in $newstyle_salt, then use new style salt (starts with '_' and contains
   # four bytes of iteration count and four bytes of salt).  Otherwise, just use
   # the traditional two-byte salt.
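Review bot: The two added `use` lines make Crypt::PasswdMD5 and Digest::SHA1 compile-time requirements, so on a host without those CPAN modules dbmmanage stops before it reaches `usage()`, even when only the default crypt() method is wanted. Loading them on demand keeps the crypt and plaintext paths usable: `require Crypt::PasswdMD5;` at the top of `cryptpw_md5` and `require Digest::SHA1;` at the top of `cryptpw_sha1` (both defined in a later hunk), with the calls written as `Crypt::PasswdMD5::apache_md5_crypt($pw, $salt)` and `Digest::SHA1::sha1_base64($pw)`. A failed `require` then names the missing module only when `-m` or `-s` is actually used.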
  @@ -78,14 +76,67 @@
   # I believe that 4.4BSD derived systems do (at least BSD/OS 2.0 does).
   # The new style crypt() allows up to 20 characters of the password to be
   # significant rather than only 8.
  -my $newstyle_salt = join '|', qw{bsdos}; #others?
  +#
  +my $newstyle_salt_platforms = join '|', qw{bsdos}; #others?
  +my $newstyle_salt = $^O =~ /(?:$newstyle_salt_platforms)/;
  +
  +# Some platforms just can't crypt() for Apache
  +#
  +my $crypt_not_supported_platforms = join '|', qw{MSWin32 netware}; #others?
  +my $crypt_not_supported = $^O =~ /(?:$crypt_not_supported_platforms)/;
  +
  +my $crypt_method = "crypt";
  +
  +if ($crypt_not_supported) {
  +    $crypt_method = "md5";
  +}
  +
  +# Some platforms won't jump through our favorite hoops
  +#
  +my $not_unix_platforms = join '|', qw{MSWin32 netware}; #others?
  +my $not_unix = $^O =~ /(?:$not_unix_platforms)/;
  +
  +if ($crypt_not_supported) {
  +    $crypt_method = "md5";
  +}
  +
  +if (@ARGV[0] eq "-d") {
  +    shift @ARGV;
  +    if ($crypt_not_supported) {
  +        print STDERR 
  +              "Warning: Apache/$^O does not support crypt()ed passwords!\n\n";
  +    }
  +    $crypt_method = "crypt";
  +}
  +
  +if (@ARGV[0] eq "-m") {
  +    shift @ARGV;
  +    $crypt_method = "md5";
  +}
  +
  +if (@ARGV[0] eq "-p") {
  +    shift @ARGV;
  +    if (!$crypt_not_supported) {
  +        print STDERR 
  +              "Warning: Apache/$^O does not support plaintext passwords!\n\n";
  +    }
  +    $crypt_method = "plain";
  +}
  +
  +if (@ARGV[0] eq "-s") {
  +    shift @ARGV;
  +    $crypt_method = "sha1";
  +}
  +
  +my($file,$command,$key,$crypted_pwd,$groups,$comment) = @ARGV;
  +
  +usage() unless $file and $command and defined &{$dbmc::{$command}};
   
   # remove extension if any
   my $chop = join '|', qw{db.? pag dir};
   $file =~ s/\.($chop)$//;
   
   my $is_update = $command eq "update";
  -my $Is_Win32  = $^O eq "MSWin32"; 
   my %DB = ();
   my @range = ();
   my($mode, $flags) = $command =~ 
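Review bot: The `-p` branch prints its warning only when `$crypt_not_supported` is false, so on MSWin32 and netware the password is stored unhashed with no notice at all. An unconditional line such as `print STDERR "Warning: -p stores the password itself in the database!\n\n";` would cover both cases. The four option tests read `@ARGV[0]`, which is a one-element slice; `$ARGV[0]` is the scalar form and does not warn under -w. The second `if ($crypt_not_supported) { $crypt_method = "md5"; }` block repeats the one a few lines above it and can be dropped. The last statement of the hunk, `my($mode, $flags) = $command =~`, continues outside it.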
  @@ -98,23 +149,31 @@
   sub usage {
       my $cmds = join "|", sort keys %dbmc::;
       die <<SYNTAX;
  -Usage: dbmmanage dbname command [username [pw [group[,group] [comment]]]]
  +Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]]
   
  -    where command is one of: $cmds
  +    where enc is  -d for crypt encryption (default except on Win32, Netware)
  +                  -m for MD5 encryption (default on Win32, Netware)
  +                  -s for SHA1 encryption
  +                  -p for plaintext
   
  -    pw of . for update retains the old password
  -    pw of - (or blank) for update prompts for the password
  +    command is one of: $cmds
   
  -    groups or comment of . (or blank) for update retains old values
  -    groups or comment of - for update clears the existing value
  -    groups or comment of - for add or adduser is an empty value
  +    pw of . for update command retains the old password
  +    pw of - (or blank) for update command prompts for the password
  +
  +    groups or comment of . (or blank) for update command retains old values
  +    groups or comment of - for update command clears the existing value
  +    groups or comment of - for add and adduser commands is the empty value
  +
  +    Note that crypt is not accepted by Apache/Win32 or Apache/Netware,
  +    and plaintext is accepted only by Apache/Win32 and Apache/Netware.
   SYNTAX
   }
   
   my $x;
   sub genseed {
       my $psf;
  -    if ($Is_Win32) {
  +    if ($not_unix) {
   	srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
       }
       else {
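Review bot: The new usage text calls all four modes "encryption" and its closing Note covers only which formats Apache accepts, so it never tells the operator what `-s` and `-p` actually put in the file. Judging from `cryptpw_sha1` and `cryptpw` later in this patch, `-s` stores an unsalted SHA1 digest and `-p` stores the password unchanged; I would add that to the Note, for example `-s stores an unsalted SHA1 digest; -p stores the password itself, readable by anyone who can read the database.` The `genseed` body that follows the heredoc continues outside the hunk.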
  @@ -132,18 +191,50 @@
       join '', map $range[rand $x], 1..shift||1;
   }
   
  -sub salt {
  -    my $newstyle = $^O =~ /(?:$newstyle_salt)/;
  +sub saltpw_crypt {
       genseed() unless @range; 
  -    return $newstyle ? 
  +    return $newstyle_salt ? 
   	join '', "_", randchar, "a..", randchar(4) :
           randchar(2);
   }
   
  +sub cryptpw_crypt {
  +    my ($pw, $salt) = @_;
  +    $salt = saltpw_crypt unless $salt;
  +    crypt $pw, $salt;
  +}
  +
  +sub saltpw_md5 {
  +    genseed() unless @range; 
  +    randchar(8);
  +}
  +
  +sub cryptpw_md5 {
  +    my($pw, $salt) = @_;
  +    $salt = saltpw_md5 unless $salt;
  +    apache_md5_crypt $pw, $salt;
  +}
  +
  +sub cryptpw_sha1 {
  +    my($pw, $salt) = @_;
  +    '{SHA}' . sha1_base64($pw) . "=";
  +}
  +
  +sub cryptpw {
  +    if ($crypt_method eq "md5") {
  +        return cryptpw_md5(@_);
  +    } elsif ($crypt_method eq "sha1") {
  +        return cryptpw_sha1(@_);
  +    } elsif ($crypt_method eq "crypt") {
  +        return cryptpw_crypt(@_);
  +    }
  +    @_[0]; # otherwise return plaintext
  +}
  +
   sub getpass {
       my $prompt = shift || "Enter password:";
   
  -    unless($Is_Win32) { 
  +    unless($not_unix) { 
   	open STDIN, "/dev/tty" or warn "couldn't open /dev/tty $!\n";
   	system "stty -echo;";
       }
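Review bot: `cryptpw` returns its argument unchanged for every `$crypt_method` value it does not recognise, so a typo or a future fifth method would silently store the password in clear text. Making the plaintext case explicit and failing otherwise closes that: `} elsif ($crypt_method eq "plain") { return $_[0]; }` followed by `die "Unknown password method $crypt_method\n";`. That also replaces the slice `@_[0]` with the scalar `$_[0]`. `cryptpw_sha1` accepts `$salt` but never uses it, which deserves a one-line comment saying the {SHA} format is unsalted. `randchar` above and `getpass` below start or end outside the hunk.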
  @@ -154,7 +245,7 @@
   	$pwd .= $c;
       }
   
  -    system "stty echo" unless $Is_Win32;
  +    system "stty echo" unless $not_unix;
       print STDERR "\n";
       die "Can't use empty password!\n" unless length $pwd;
       return $pwd;
  @@ -162,9 +253,9 @@
   
   sub dbmc::update {
       die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
  -    $crypted_pwd = (split /:/, $DB{$key}, 4)[0] if $crypted_pwd eq '.';
  -    $groups = (split /:/, $DB{$key}, 4)[1] if !$groups || $groups eq '.';
  -    $comment = (split /:/, $DB{$key}, 4)[2] if !$comment || $comment eq '.';
  +    $crypted_pwd = (split /:/, $DB{$key}, 3)[0] if $crypted_pwd eq '.';
  +    $groups = (split /:/, $DB{$key}, 3)[1] if !$groups || $groups eq '.';
  +    $comment = (split /:/, $DB{$key}, 3)[2] if !$comment || $comment eq '.';
       if (!$crypted_pwd || $crypted_pwd eq '-') {
           dbmc->adduser;
       }
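Review bot: `split /:/, $DB{$key}, 3` takes everything before the first colon as the password field, which held for crypt() output but is no longer guaranteed once `-p` stores the password verbatim. As far as the visible lines show, a plaintext password containing ':' would be written by `dbmc::add` as is, and on the next read its tail would be parsed as the groups and comment fields; `dbmc::check` splits the same way. Rejecting the character before storing avoids the corrupted record, for example in `dbmc::adduser`: `die "Password may not contain ':'\n" if $crypt_method eq "plain" and $value =~ /:/;`. The body of `dbmc::update` continues outside the hunk.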
  @@ -184,13 +275,13 @@
       $crypted_pwd .= ":" . $groups if $groups;
       $DB{$key} = $crypted_pwd;
       my $action = $is_update ? "updated" : "added";
  -    print "User $key $action with password encrypted to $DB{$key}\n";
  +    print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n";
   }
   
   sub dbmc::adduser {
       my $value = getpass "New password:";
       die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value;
  -    $crypted_pwd = crypt $value, caller->salt;
  +    $crypted_pwd = cryptpw $value;
       dbmc->add;
   }
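Review bot: The changed `print` still echoes `$DB{$key}`, and with `$crypt_method` set to "plain" that value begins with the very password that `getpass` took care not to echo on Unix. I would leave the stored value out in that case, e.g. `print "User $key $action using $crypt_method\n";` when `$crypt_method eq "plain"`, and keep the current line for the hashed methods. The wording "encrypted to" is also inaccurate for the plaintext case. `dbmc::add` starts outside the hunk.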
   
  @@ -205,8 +296,19 @@
   
   sub dbmc::check {
       die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
  -    my $chkpass = (split /:/, $DB{$key},4)[0];
  -    print crypt(getpass(), $chkpass) eq $chkpass ? "password ok\n" : "password mismatch\n";
  +    my $chkpass = (split /:/, $DB{$key}, 3)[0];
  +    my $testpass = getpass();
  +    if (substr($chkpass, 0, 6) eq '$apr1$') {
  +        $crypt_method = "md5";
  +    } elsif (substr($chkpass, 0, 5) eq '{SHA}') {
  +        $crypt_method = "sha1";
  +    } elsif (length($chkpass) == 13 && $chkpass ne $testpass) {
  +        $crypt_method = "crypt";
  +    } else {
  +        $crypt_method = "plain";
  +    }
  +    print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass 
  +                           ? " password ok\n" : " password mismatch\n");
   }
   
   sub dbmc::import {
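Review bot: `dbmc::check` guesses the storage format from the stored value, and anything that is not `$apr1$`, `{SHA}` or exactly 13 characters falls through to "plain". The new-style salt built by `saltpw_crypt` is already nine characters long, so a hash made with it cannot be 13 characters; it would be compared as plaintext and always reported as a mismatch, where the removed `crypt(getpass(), $chkpass)` line handled it. The `$chkpass ne $testpass` clause also means that typing a stored 13-character crypt hash as the password prints "plain password ok". A test such as `} elsif (length($chkpass) == 13 || substr($chkpass, 0, 1) eq '_') {` covers both, at the cost of misreading a plaintext password of that shape; a format tag stored with the record would remove the guess. The function also overwrites the global `$crypt_method` chosen on the command line.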
  
  
  
