Bug#376584: libapache2-mod-auth-mysql: SHA512 support (patch)
Hi Adrian! Adrian Bridgett wrote: Package: libapache2-mod-auth-mysql Severity: wishlist I've ported a patch which adds SHA512 support to mod-auth-mysql to the latest version in sarge. This is useful for integration into jira, confluence and other programs using sha512.# This document http://people.redhat.com/drepper/sha-crypt.html by Ulrich Drepper suggests that SHA-256 and SHA-512 are implemented in the GNU libc directly thus should be available in mod_auth_mysql using the Crypt type when run on a current GNU/Linux system. Current refers to libc 2.7 or newer. Regards, Joey -- Long noun chains don't automatically imply security. -- Bruce Schneier Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#376584: libapache2-mod-auth-mysql: SHA512 support (patch)
On Thu, May 15, 2008 at 13:06:57 +0200 (+0200), Joey Schulze wrote: Hi Adrian! This document http://people.redhat.com/drepper/sha-crypt.html by Ulrich Drepper suggests that SHA-256 and SHA-512 are implemented in the GNU libc directly thus should be available in mod_auth_mysql using the Crypt type when run on a current GNU/Linux system. Current refers to libc 2.7 or newer. Oooh - handy - that saves the license hassle (I can't remember if I sent off the question or didn't hear a reply). We've moved onto LDAP auth (finally) now I'm afraid so I'm really unlikely to update the patch. Adrian -- Email: [EMAIL PROTECTED] -*- GPG key available on public key servers Debian GNU/Linux - the maintainable distribution -*- www.debian.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#376584: libapache2-mod-auth-mysql: SHA512 support (patch)
Adrian Bridgett wrote: On Thu, May 15, 2008 at 13:06:57 +0200 (+0200), Joey Schulze wrote: Hi Adrian! This document http://people.redhat.com/drepper/sha-crypt.html by Ulrich Drepper suggests that SHA-256 and SHA-512 are implemented in the GNU libc directly thus should be available in mod_auth_mysql using the Crypt type when run on a current GNU/Linux system. Current refers to libc 2.7 or newer. Oooh - handy - that saves the license hassle (I can't remember if I sent off the question or didn't hear a reply). We've moved onto LDAP auth (finally) now I'm afraid so I'm really unlikely to update the patch. From what Ulrich wrote that's not even required. SHA-256 and SHA-512 should work out of the box since crypt() can handle both. Regards, Joey -- Long noun chains don't automatically imply security. -- Bruce Schneier Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#376584: libapache2-mod-auth-mysql: SHA512 support (patch)
On Tue, Jul 4, 2006 at 08:02:11 +1000 (+1000), Matthew Palmer wrote: Style note: I know this version number won't end up in the Debian package anyway, but it's better not to number your private versions with dashes because it conflicts with the Debian version numbering. I usually use 'mpalmer1' or '.1' (or '.2' in your case) instead. Good idea - I'll remember that. Oh nononono. Crypto code goes somewhere *other* than mod_auth_mysql.c -- a separate file is good. A separate package is even better (I can't believe that there's no library in Debian that provides SHA512 hashing). More importantly, though, there's no licence statement with this code. It's non-distributable. I'l go and ask the authors (it's originally from the kernel so I'll ask if they are happy for it under the Apache License). The other crypto code comes from the apr, so I'll see if I can change this into two patches - one for apr, one for mod_auth_mysql. A patch for the documentation would also be appreciated. Documentation matching the code - it'll never happen :-) Adrian -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#376584: libapache2-mod-auth-mysql: SHA512 support (patch)
On Tue, Jul 04, 2006 at 08:03:51AM +0100, Adrian Bridgett wrote: On Tue, Jul 4, 2006 at 08:02:11 +1000 (+1000), Matthew Palmer wrote: Oh nononono. Crypto code goes somewhere *other* than mod_auth_mysql.c -- a separate file is good. A separate package is even better (I can't believe that there's no library in Debian that provides SHA512 hashing). More importantly, though, there's no licence statement with this code. It's non-distributable. I'l go and ask the authors (it's originally from the kernel so I'll ask if they are happy for it under the Apache License). The other Wow, and that code got in, as-is, with no explicit licence notices? A patch for the documentation would also be appreciated. Documentation matching the code - it'll never happen :-) I know, a heretical idea that will only result in tears and heartache. Still, I'm a sadistic sort of person like that. grin - Matt -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#376584: libapache2-mod-auth-mysql: SHA512 support (patch)
Package: libapache2-mod-auth-mysql Severity: wishlist I've ported a patch which adds SHA512 support to mod-auth-mysql to the latest version in sarge. This is useful for integration into jira, confluence and other programs using sha512.# Original patches: http://confluence.atlassian.com/display/JIRAEXT/Integration+of+Jira+User+Management+with+Apache?showComments=true#comments Final patch attached here too. Thanks, Adrian--- libapache-mod-auth-mysql-4.3.9.orig/mod_auth_mysql.c +++ libapache-mod-auth-mysql-4.3.9/mod_auth_mysql.c @@ -21,7 +21,7 @@ * SHA1 hash support */ -#define AUTH_MYSQL_VERSION 4.3.9 +#define AUTH_MYSQL_VERSION 4.3.9-2 #include config.h @@ -50,9 +50,11 @@ #include http_request.h /* for ap_hook_(check_user_id | auth_checker)*/ #include apr_md5.h #include apr_sha1.h +#include apr_base64.h #else #include ap_md5.h #include ap_sha1.h +#include ap.h #endif #include mysql.h @@ -102,6 +104,9 @@ #define CRYPT_ENCRYPTION_FLAG 15 #endif #define SHA1SUM_ENCRYPTION_FLAG16 +#ifdef _SHA512 +#define SHA512_ENCRYPTION_FLAG 17 +#endif static int check_no_encryption(const char *passwd, char *enc_passwd) { @@ -226,6 +231,283 @@ return (!strcmp(sha1_hex_hash(passwd), enc_passwd)); } +#ifdef _SHA512 +/* + * SHA-512 code by Jean-Luc Cooke [EMAIL PROTECTED] + * + * Copyright (c) Jean-Luc Cooke [EMAIL PROTECTED] + * Copyright (c) Andrew McDonald [EMAIL PROTECTED] + * Copyright (c) 2003 Kyle McMartin [EMAIL PROTECTED] + */ + +#define SHA512_DIGESTSIZE 64 + +#define H00x6a09e667f3bcc908ULL +#define H10xbb67ae8584caa73bULL +#define H20x3c6ef372fe94f82bULL +#define H30xa54ff53a5f1d36f1ULL +#define H40x510e527fade682d1ULL +#define H50x9b05688c2b3e6c1fULL +#define H60x1f83d9abfb41bd6bULL +#define H70x5be0cd19137e2179ULL + +#define e0(x) (ROR(x,28) ^ ROR(x,34) ^ ROR(x,39)) +#define e1(x) (ROR(x,14) ^ ROR(x,18) ^ ROR(x,41)) +#define s0(x) (ROR(x, 1) ^ ROR(x, 8) ^ (x 7)) +#define s1(x) (ROR(x,19) ^ ROR(x,61) ^ (x 6)) + +typedef struct sha512_ctx { +uint64_t state[8]; +uint32_t count[4]; +uint8_t buf[128]; +} sha512_ctx; + +static inline uint64_t CH(uint64_t x, uint64_t y, uint64_t z) { +return ((x y) ^ (~x z)); +} + +static inline uint64_t MAJ(uint64_t x, uint64_t y, uint64_t z) { +return ((x y) ^ (x z) ^ (y z)); +} + +static inline uint64_t ROR(uint64_t x, uint64_t y) { +return (x y) | (x (64 - y)); +} + +static inline void LOA(int I, uint64_t *W, const uint8_t *input) { +uint64_t t1 = input[(8*I)] 0xff; +t1 = 8; +t1 |= input[(8*I)+1] 0xff; +t1 = 8; +t1 |= input[(8*I)+2] 0xff; +t1 = 8; +t1 |= input[(8*I)+3] 0xff; +t1 = 8; +t1 |= input[(8*I)+4] 0xff; +t1 = 8; +t1 |= input[(8*I)+5] 0xff; +t1 = 8; +t1 |= input[(8*I)+6] 0xff; +t1 = 8; +t1 |= input[(8*I)+7] 0xff; +W[I] = t1; +} + +static inline void MIX(int I, uint64_t *W) { +W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16]; +} + +static const uint64_t sha512_K[80] = { +0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, +0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, +0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL, +0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, +0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, +0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, +0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL, +0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, +0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, +0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, +0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL, +0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, +0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, +0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, +0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL, +0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, +0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, +0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, +0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL, +0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, +0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, +0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, +0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL, +0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, +0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
Bug#376584: libapache2-mod-auth-mysql: SHA512 support (patch)
On Mon, Jul 03, 2006 at 09:07:59PM +0100, Adrian Bridgett wrote: I've ported a patch which adds SHA512 support to mod-auth-mysql to the latest version in sarge. This is useful for integration into jira, confluence and other programs using sha512.# Thanks for making the patch. A few comments, though: -#define AUTH_MYSQL_VERSION 4.3.9 +#define AUTH_MYSQL_VERSION 4.3.9-2 Style note: I know this version number won't end up in the Debian package anyway, but it's better not to number your private versions with dashes because it conflicts with the Debian version numbering. I usually use 'mpalmer1' or '.1' (or '.2' in your case) instead. +#ifdef _SHA512 +/* + * SHA-512 code by Jean-Luc Cooke [EMAIL PROTECTED] + * + * Copyright (c) Jean-Luc Cooke [EMAIL PROTECTED] + * Copyright (c) Andrew McDonald [EMAIL PROTECTED] + * Copyright (c) 2003 Kyle McMartin [EMAIL PROTECTED] + */ Oh nononono. Crypto code goes somewhere *other* than mod_auth_mysql.c -- a separate file is good. A separate package is even better (I can't believe that there's no library in Debian that provides SHA512 hashing). More importantly, though, there's no licence statement with this code. It's non-distributable. A patch for the documentation would also be appreciated. - Matt -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]