[nginx] svn commit: r5035 - trunk/src/core

mdounin at mdounin.ru mdounin at mdounin.ru
Thu Feb 7 12:09:56 UTC 2013 

Author: mdounin
Date: 2013-02-07 12:09:56 +0000 (Thu, 07 Feb 2013)
New Revision: 5035
URL: http://trac.nginx.org/nginx/changeset/5035/nginx

Log:
Added support for {SHA} passwords (ticket #50).

Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables.  Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.

The {SHA} password scheme support is added to avoid the need of changing
the scheme recorded in password files from {SHA} to {SSHA} because such
a change hides security problem with {SHA} passwords.

Patch by Louis Opter, with minor changes.


Modified:
   trunk/src/core/ngx_crypt.c

Modified: trunk/src/core/ngx_crypt.c
===================================================================
--- trunk/src/core/ngx_crypt.c	2013-02-07 12:09:09 UTC (rev 5034)
+++ trunk/src/core/ngx_crypt.c	2013-02-07 12:09:56 UTC (rev 5035)
@@ -24,6 +24,8 @@
 
 static ngx_int_t ngx_crypt_ssha(ngx_pool_t *pool, u_char *key, u_char *salt,
     u_char **encrypted);
+static ngx_int_t ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt,
+    u_char **encrypted);
 
 #endif
 
@@ -43,6 +45,9 @@
 #if (NGX_HAVE_SHA1)
     } else if (ngx_strncmp(salt, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
         return ngx_crypt_ssha(pool, key, salt, encrypted);
+
+    } else if (ngx_strncmp(salt, "{SHA}", sizeof("{SHA}") - 1) == 0) {
+        return ngx_crypt_sha(pool, key, salt, encrypted);
 #endif
     }
 
@@ -241,6 +246,38 @@
     return NGX_OK;
 }
 
+
+static ngx_int_t
+ngx_crypt_sha(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
+{
+    size_t      len;
+    ngx_str_t   encoded, decoded;
+    ngx_sha1_t  sha1;
+    u_char      digest[20];
+
+    /* "{SHA}" base64(SHA1(key)) */
+
+    decoded.len = sizeof(digest);
+    decoded.data = digest;
+
+    ngx_sha1_init(&sha1);
+    ngx_sha1_update(&sha1, key, ngx_strlen(key));
+    ngx_sha1_final(digest, &sha1);
+
+    len = sizeof("{SHA}") - 1 + ngx_base64_encoded_length(decoded.len) + 1;
+
+    *encrypted = ngx_pnalloc(pool, len);
+    if (*encrypted == NULL) {
+        return NGX_ERROR;
+    }
+
+    encoded.data = ngx_cpymem(*encrypted, "{SHA}", sizeof("{SHA}") - 1);
+    ngx_encode_base64(&encoded, &decoded);
+    encoded.data[encoded.len] = '\0';
+
+    return NGX_OK;
+}
+
 #endif /* NGX_HAVE_SHA1 */
 
 #endif /* NGX_CRYPT */

More information about the nginx-devel mailing list