httpd-cvs mailing list archives

From rpl...@apache.org
Subject svn commit: r662572 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS support/htpasswd.c
Date Mon, 02 Jun 2008 21:24:12 GMT
Author: rpluem
Date: Mon Jun  2 14:24:12 2008
New Revision: 662572

URL: http://svn.apache.org/viewvc?rev=662572&view=rev
Log:
Merge r629159, r629164, r629218, r630139 from trunk:

Improve salt string generation.

Submitted by: Andreas Krennmair <ak synflood.at>

Improve generation of the seed to rand, by using apr_generate_random_bytes, 
rather than the current time as a seed.

Fix printing of error message.

* support/htpasswd.c (seed_rand): Fix compiler warning.

PR: 31440
Reviewed by: rpluem, jim, pquerna

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/support/htpasswd.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=662572&r1=662571&r2=662572&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Jun  2 14:24:12 2008
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.9
 
+  *) htpasswd: Fix salt generation weakness. PR 31440
+     [Andreas Krennmair <ak synflood.at>, Peter Watkins <peterw tux.org>,
+     Paul Querna]
+
   *) core: Add the filename of the configuration file to the warning message
      about the useless use of AllowOverride. PR 39992.
      [Darryl Miles <darryl darrylmiles.org>]
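Review bot: the new CHANGES entry credits Andreas Krennmair, Peter Watkins and Paul Querna, but the log message's "Submitted by" line names only Andreas Krennmair; align the two so the backport record and the merged revisions credit the same people.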

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=662572&r1=662571&r2=662572&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Jun  2 14:24:12 2008
@@ -90,17 +90,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
- * htpasswd: Fix salt generation weakness. PR 31440
-   [Andreas Krennmair <ak synflood.at>, Peter Watkins <peterw tux.org>, Paul
Querna]
-    Trunk version of patch:
-       http://svn.apache.org/viewvc?rev=629159&view=rev
-       http://svn.apache.org/viewvc?rev=629164&view=rev
-       http://svn.apache.org/viewvc?rev=629218&view=rev
-       http://svn.apache.org/viewvc?rev=630139&view=rev
-    Backport version for 2.2.x of patch:
-       Trunk version of patch works
-    +1: rpluem, jim, pquerna
-
  * mod_unique_id: Convert request time to seconds before before storing it in
    unique_id_rec struct. PR 37064
     Trunk version of patch:

Modified: httpd/httpd/branches/2.2.x/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/support/htpasswd.c?rev=662572&r1=662571&r2=662572&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/support/htpasswd.c (original)
+++ httpd/httpd/branches/2.2.x/support/htpasswd.c Mon Jun  2 14:24:12 2008
@@ -115,6 +115,30 @@
     }
 }
 
+static void generate_salt(char *s, size_t size)
+{
+    static unsigned char tbl[] = 
+        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+    size_t i;
+    for (i = 0; i < size; ++i) {
+        int idx = (int) (64.0 * rand() / (RAND_MAX + 1.0));
+        s[i] = tbl[idx];
+    }
+}
+
+static apr_status_t seed_rand(void)
+{
+    int seed = 0;
+    apr_status_t rv;
+    rv = apr_generate_random_bytes((unsigned char*) &seed, sizeof(seed));
+    if (rv) {
+        apr_file_printf(errfile, "Unable to generate random bytes: %pm" NL, &rv);
+        return rv;
+    }
+    srand(seed);
+    return rv;
+}
+
 static void putline(apr_file_t *f, const char *l)
 {
     apr_file_puts(l, f);
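Review bot: seed_rand() feeds only sizeof(int) bytes of entropy into srand(), so every salt that generate_salt() then draws from rand() is a deterministic function of that seed; with a 32-bit int the eight-character salt (64^8, about 2^48 possibilities) can take at most 2^32 distinct values, and fewer on platforms whose rand() keeps less internal state. Since apr_generate_random_bytes() is already in use here, consider filling the salt from it directly, e.g. `apr_generate_random_bytes(buf, size)` followed by `s[i] = tbl[buf[i] & 0x3f]` (uniform because 256 is a multiple of 64), and keep the rand() path only as a fallback. Note also that the error message depends on `errfile` and `NL` being defined earlier in this file, which this hunk does not show; the `%pm` conversion with `&rv` is the correct apr_file_printf idiom for rendering an apr_status_t.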
@@ -162,8 +186,10 @@
         break;
 
     case ALG_APMD5:
-        (void) srand((int) time((time_t *) NULL));
-        to64(&salt[0], rand(), 8);
+        if (seed_rand()) {
+            break;
+        }
+        generate_salt(&salt[0], 8);
         salt[8] = '\0';
 
         apr_md5_encode((const char *)pw, (const char *)salt,
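Review bot: the `break` on seed_rand() failure leaves the switch with `salt` never filled, and nothing here propagates the failure to the caller beyond the message seed_rand() prints, so the enclosing function may continue and write whatever the output buffer already contained. Return the enclosing function's error code at this point (or set a status variable that is checked after the switch) instead of `break`, so that a failed apr_generate_random_bytes() aborts the record rather than silently producing a bad entry.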
@@ -178,7 +204,9 @@
 #if !(defined(WIN32) || defined(NETWARE))
     case ALG_CRYPT:
     default:
-        (void) srand((int) time((time_t *) NULL));
+        if (seed_rand()) {
+            break;
+        }
         to64(&salt[0], rand(), 8);
         salt[8] = '\0';
 
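Review bot: the ALG_CRYPT case is now seeded from apr_generate_random_bytes() but still derives all eight salt characters from a single rand() value via `to64(&salt[0], rand(), 8)`, whereas the ALG_APMD5 hunk above switched to `generate_salt(&salt[0], 8)`; one rand() output carries at most 31 bits on common libcs, so the salt cannot reach the 48 bits that eight base-64 characters could hold. Use generate_salt() here as well for consistency, and the same concern about `break` on seed_rand() failure applies: the enclosing function should return an error rather than fall through with an uninitialized salt.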


