Subject: svn commit: r662572 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS support/htpasswd.c
Date: Mon, 02 Jun 2008 21:24:12 -0000
To: cvs@httpd.apache.org
Reply-To: dev@httpd.apache.org
From: rpluem@apache.org
Message-Id: <20080602212413.2F9EC2388A09@eris.apache.org>

Author: rpluem
Date: Mon Jun 2 14:24:12 2008
New Revision: 662572

URL: http://svn.apache.org/viewvc?rev=662572&view=rev

Log:
Merge r629159, r629164, r629218, r630139 from trunk:

Improve salt string generation.
Submitted by: Andreas Krennmair

Improve generation of the seed to rand, by using apr_generate_random_bytes, rather than the current time as a seed.

Fix printing of error message.

* support/htpasswd.c (seed_rand): Fix compiler warning.

PR: 31440
Reviewed by: rpluem, jim, pquerna

Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/support/htpasswd.c

Modified: httpd/httpd/branches/2.2.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=662572&r1=662571&r2=662572&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Jun 2 14:24:12 2008 @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.9 + *) htpasswd: Fix salt generation weakness. PR 31440 + [Andreas Krennmair , Peter Watkins , + Paul Querna] + *) core: Add the filename of the configuration file to the warning message about the useless use of AllowOverride. PR 39992. [Darryl Miles ] Modified: httpd/httpd/branches/2.2.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=662572&r1=662571&r2=662572&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/STATUS (original) +++ httpd/httpd/branches/2.2.x/STATUS Mon Jun 2 14:24:12 2008
@@ -90,17 +90,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * htpasswd: Fix salt generation weakness. PR 31440 - [Andreas Krennmair , Peter Watkins , Paul Querna] - Trunk version of patch: - http://svn.apache.org/viewvc?rev=629159&view=rev - http://svn.apache.org/viewvc?rev=629164&view=rev - http://svn.apache.org/viewvc?rev=629218&view=rev - http://svn.apache.org/viewvc?rev=630139&view=rev - Backport version for 2.2.x of patch: - Trunk version of patch works - +1: rpluem, jim, pquerna - * mod_unique_id: Convert request time to seconds before before storing it in unique_id_rec struct. PR 37064 Trunk version of patch: Modified: httpd/httpd/branches/2.2.x/support/htpasswd.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/support/htpasswd.c?rev=662572&r1=662571&r2=662572&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/support/htpasswd.c (original) +++ httpd/httpd/branches/2.2.x/support/htpasswd.c Mon Jun 2 14:24:12 2008 @@ -115,6 +115,30 @@ } } +static void generate_salt(char *s, size_t size) +{ + static unsigned char tbl[] = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + size_t i; + for (i = 0; i < size; ++i) { + int idx = (int) (64.0 * rand() / (RAND_MAX + 1.0)); + s[i] = tbl[idx]; + } +} + +static apr_status_t seed_rand(void) +{ + int seed = 0; + apr_status_t rv; + rv = apr_generate_random_bytes((unsigned char*) &seed, sizeof(seed)); + if (rv) { + apr_file_printf(errfile, "Unable to generate random bytes: %pm" NL, &rv); + return rv; + } + srand(seed); + return rv; +} + static void putline(apr_file_t *f, const char *l) { apr_file_puts(l, f); @@ -162,8 +186,10 @@ break; case ALG_APMD5: - (void) srand((int) time((time_t *) NULL)); - to64(&salt[0], rand(), 8); + if (seed_rand()) { + break; + } + generate_salt(&salt[0], 8); salt[8] = '\0'; apr_md5_encode((const char *)pw, (const char *)salt, 
@@ -178,7 +204,9 @@ #if !(defined(WIN32) || defined(NETWARE)) case ALG_CRYPT: default: - (void) srand((int) time((time_t *) NULL)); + if (seed_rand()) { + break; + } to64(&salt[0], rand(), 8); salt[8] = '\0';
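Review bot: the CHANGES entry ("htpasswd: Fix salt generation weakness. PR 31440") does not mention the new failure mode introduced by the same change: htpasswd now calls apr_generate_random_bytes() and prints "Unable to generate random bytes" when that call fails, which is a user-visible behaviour change on hosts without a usable random source. A second sentence in the entry noting that htpasswd now requires a working apr_generate_random_bytes() would save users a bug report.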
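Review bot: in the first support/htpasswd.c hunk, generate_salt() still derives every salt character from rand(), a non-cryptographic PRNG that seed_rand() seeds with only sizeof(int) bytes from apr_generate_random_bytes(); since that call is already available, the salt could be filled from apr_generate_random_bytes() directly (one byte per position, reduced modulo the 64-entry tbl), which removes rand()/srand() and the small seed bottleneck entirely. Two minor points: tbl is never modified and could be `static const unsigned char tbl[]`, and srand() takes an unsigned int, so declaring `unsigned int seed` avoids the implicit signed conversion.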
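Review bot: in the ALG_APMD5 hunk, `if (seed_rand()) { break; }` only leaves the switch; nothing visible in the hunk returns an error status to the caller of the enclosing function, so whatever code follows the switch runs with salt and the hashed-password buffer untouched after the error has been printed to errfile. Returning a failure code at this point (and in the matching ALG_CRYPT case) would let the caller stop before a record based on an unseeded or empty salt is written.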
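Review bot: the ALG_CRYPT hunk switches the seed to seed_rand() but keeps `to64(&salt[0], rand(), 8);`, so the whole salt is still derived from a single rand() value, i.e. at most log2(RAND_MAX+1) bits, rather than the eight independent draws generate_salt() makes in the ALG_APMD5 case. Replacing that line with `generate_salt(&salt[0], 8);` keeps the two algorithms consistent; traditional crypt() consumes only the first two salt characters, so the practical impact is limited, but the asymmetry is worth removing while the code is being touched.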