From: Ruediger Pluem
Date: Mon, 2 Jun 2008 21:24:12 +0000 (+0000)
Subject: Merge r629159, r629164, r629218, r630139 from trunk:
X-Git-Tag: 2.2.9~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=176a62fd181ff33efdb04a09319ca075109558c0;p=thirdparty%2Fapache%2Fhttpd.git
Merge r629159, r629164, r629218, r630139 from trunk:
Improve salt string generation.
Submited by: Andreas Krennmair
Improve generation of the seed to rand, by using apr_generate_random_bytes, rather than the current time as a seed.
Fix printing of error message.
* support/htpasswd.c (seed_rand): Fix compiler warning.
PR: 31440
Reviewed by: rpluem, jim, pquerna
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@662572 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index d778816d124..820a75d0d08 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.9
+ *) htpasswd: Fix salt generation weakness. PR 31440
+ [Andreas Krennmair , Peter Watkins ,
+ Paul Querna]
+
 *) core: Add the filename of the configuration file to the warning message about the useless use of AllowOverride. PR 39992.
 [Darryl Miles ]
diff --git a/STATUS b/STATUS
index 43d4563f000..a2a65eff143 100644
--- a/STATUS
+++ b/STATUS
@@ -90,17 +90,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- * htpasswd: Fix salt generation weakness. PR 31440
- [Andreas Krennmair , Peter Watkins , Paul Querna]
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=629159&view=rev
- http://svn.apache.org/viewvc?rev=629164&view=rev
- http://svn.apache.org/viewvc?rev=629218&view=rev
- http://svn.apache.org/viewvc?rev=630139&view=rev
- Backport version for 2.2.x of patch:
- Trunk version of patch works
- +1: rpluem, jim, pquerna
-
 * mod_unique_id: Convert request time to seconds before before storing it in unique_id_rec struct. PR 37064
 Trunk version of patch:
diff --git a/support/htpasswd.c b/support/htpasswd.c
index 6bce702d944..2eadc78e29e 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
@@ -115,6 +115,30 @@ static void to64(char *s, unsigned long v, int n)
 }
 }
+static void generate_salt(char *s, size_t size)
+{
+ static unsigned char tbl[] =
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+ size_t i;
+ for (i = 0; i < size; ++i) {
+ int idx = (int) (64.0 * rand() / (RAND_MAX + 1.0));
+ s[i] = tbl[idx];
+ }
+}
+
+static apr_status_t seed_rand(void)
+{
+ int seed = 0;
+ apr_status_t rv;
+ rv = apr_generate_random_bytes((unsigned char*) &seed, sizeof(seed));
+ if (rv) {
+ apr_file_printf(errfile, "Unable to generate random bytes: %pm" NL, &rv);
+ return rv;
+ }
+ srand(seed);
+ return rv;
+}
+
 static void putline(apr_file_t *f, const char *l)
 {
 apr_file_puts(l, f);
@@ -162,8 +186,10 @@ static int mkrecord(char *user, char *record, apr_size_t rlen, char *passwd,
 break;
 case ALG_APMD5:
- (void) srand((int) time((time_t *) NULL));
- to64(&salt[0], rand(), 8);
+ if (seed_rand()) {
+ break;
+ }
+ generate_salt(&salt[0], 8);
 salt[8] = '\0';
 apr_md5_encode((const char *)pw, (const char *)salt,
@@ -178,7 +204,9 @@ static int mkrecord(char *user, char *record, apr_size_t rlen, char *passwd,
 #if !(defined(WIN32) || defined(NETWARE))
 case ALG_CRYPT:
 default:
- (void) srand((int) time((time_t *) NULL));
+ if (seed_rand()) {
+ break;
+ }
 to64(&salt[0], rand(), 8);
 salt[8] = '\0';
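Review bot: The salt's entropy is capped by `seed_rand`, which pulls only `sizeof(int)` bytes from apr_generate_random_bytes into `int seed` and then stretches them through `srand()`/`rand()`, so `generate_salt` can yield at most 2^32 distinct salts even though eight characters from a 64-symbol table could carry 48 bits (less still on a libc whose rand() keeps a smaller state). The `(int) (64.0 * rand() / (RAND_MAX + 1.0))` mapping itself is correct and always lands in 0..63, so the weakness is the seed width, not the indexing. Since apr_generate_random_bytes is already in hand, generate_salt should draw its characters straight from it and report failure itself, after which `seed_rand` and the two `srand()` calls are no longer needed; the rewritten function is below, and the call sites become `if (generate_salt(&salt[0], 8)) { /* fail */ }`. I would also make the table `static const char` rather than `unsigned char`, since it is only ever read.
```c
/* Fill s[0..size) with salt characters drawn directly from APR's random
 * source: one random byte per character, masked to the 64-entry table, so
 * each character keeps 6 bits of entropy instead of being bounded by a
 * 32-bit srand() seed. Reports an APR error on errfile and returns it;
 * returns APR_SUCCESS otherwise. */
static apr_status_t generate_salt(char *s, size_t size)
{
    static const char tbl[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    unsigned char rnd[64];
    size_t i;
    apr_status_t rv;

    /* Callers pass 8; refuse anything the local buffer cannot hold. */
    if (size > sizeof(rnd)) {
        return APR_EINVAL;
    }
    rv = apr_generate_random_bytes(rnd, size);
    if (rv) {
        apr_file_printf(errfile, "Unable to generate random bytes: %pm" NL, &rv);
        return rv;
    }
    for (i = 0; i < size; ++i) {
        s[i] = tbl[rnd[i] & 0x3f];   /* 0..63 indexes the 64-char table */
    }
    return rv;
}
/* … seed_rand() and its srand() call become unnecessary and can be dropped … */
```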
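Review bot: A `seed_rand()` failure is reported but not propagated: the new `break` leaves the `case ALG_APMD5` arm before `apr_md5_encode` has written anything into `cpw`, and control then continues after the switch, which lies outside this hunk, as if a hash had been produced. Unless that tail checks for the condition (I cannot see it here), mkrecord would go on to build a record from whatever `cpw` currently holds and return success to its caller, which is worse than the old time-seeded salt. The `break;` should instead be a `return` of whichever non-zero status mkrecord's other failure paths use, so that no record is emitted; the same applies to the crypt arm below. mkrecord's declaration of `cpw` and its return convention are both outside the hunk, so the exact code to return should be taken from there.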
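Review bot: The crypt branch still derives all eight salt characters from a single `rand()` value via `to64(&salt[0], rand(), 8)`, so its salt space is bounded by RAND_MAX (commonly 2^31) while the APMD5 arm above now uses `generate_salt`; for consistency this line should become `generate_salt(&salt[0], 8);`. Classic crypt(3) consults only the first two salt characters, so the practical weakening is small, but the two arms should not silently differ in how they salt. The `break` on `seed_rand()` failure has the same effect here as in the APMD5 arm — execution carries on past the switch, outside this hunk, without a hash in `cpw` — and should likewise be a failing return. The `#if`-guarded arm continues beyond the end of the hunk.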