Re: svn commit: r1915516 - in /httpd/httpd/branches/2.4.x: ./ CHANGES configure.in docs/man/htpasswd.1 support/htpasswd.c support/passwd_common.c support/passwd_common.h

2024-02-02 Thread Joe Orton
On Fri, Feb 02, 2024 at 08:29:48AM +0100, Ruediger Pluem wrote:
> 
> 
> On 2/1/24 5:54 PM, jor...@apache.org wrote:
> > Author: jorton
> > Date: Thu Feb  1 16:54:40 2024
> > New Revision: 1915516
> > 
> > URL: http://svn.apache.org/viewvc?rev=1915516&view=rev
> > Log:
...
> > -" -B  Force bcrypt encryption of the password (very secure)." NL
> > +" -2  Force SHA-256 crypt() hash of the password (secure)." NL
> > +" -5  Force SHA-512 crypt() hash of the password (secure)." NL
> > +" -B  Force bcrypt aencryption of the password (very secure)." NL
> 
> We have a typo above: aencryption

Good catch, thanks. Looks like a couple of the follow-up commits to this 
were missed which fixed that and improved the wording, I'll submit 
another backport.



Re: svn commit: r1915516 - in /httpd/httpd/branches/2.4.x: ./ CHANGES configure.in docs/man/htpasswd.1 support/htpasswd.c support/passwd_common.c support/passwd_common.h

2024-02-01 Thread Ruediger Pluem



On 2/1/24 5:54 PM, jor...@apache.org wrote:
> Author: jorton
> Date: Thu Feb  1 16:54:40 2024
> New Revision: 1915516
> 
> URL: http://svn.apache.org/viewvc?rev=1915516&view=rev
> Log:
> Merge r1861793, r1862612, r1862724, r1877251, r1907672 from trunk:
> 
> Add support for SHA-2 crypt() algorithm in htpasswd.
> 
> * configure.in: Detect SHA-2 support in crypt().
> 
> * support/passwd_common.h: Define ALG_CRYPT_SHA256, ALG_CRYPT_SHA512,
>   include ap_config_auto.h.
> 
> * support/htpasswd.c (check_args): Allow -2, -5, -r arguments for
>   SHA-256, SHA-256 and rounds options respectively.
> 
> * support/passwd_common.c
>   (parse_common_options): Parse -2, -5, -r args.
>   (mkhash): Generate crypt hash for SHA256/SHA512 algorithms.
> 
> Update transform.
> 
> * support/htpasswd.c (usage): More usage fixes for SHA-2; describe
>   as "secure", leave bcrypt only algorithm described as "very secure".
> 
> 
> * support/passwd_common.c (mkhash): Fix salt buffer size for SHA2
>   (caught by gcc 10).
> 
> 
> configure: Assume crypt() does not support SHA-2 when cross-compiling.
> 
> Can be forced with "./configure ap_cv_crypt_sha2=yes ..." still.
> 
> * configure.in:
>   Give AC_RUN_IFELSE a cross-compiling action, otherwise it fails with:
> configure: error: cannot run test program while cross compiling
> 
> Submitted by: jorton, ylavic
> Reviewed by: minfrin, ylavic, jorton
> 
> Modified:
> httpd/httpd/branches/2.4.x/   (props changed)
> httpd/httpd/branches/2.4.x/CHANGES
> httpd/httpd/branches/2.4.x/configure.in
> httpd/httpd/branches/2.4.x/docs/man/htpasswd.1
> httpd/httpd/branches/2.4.x/support/htpasswd.c
> httpd/httpd/branches/2.4.x/support/passwd_common.c
> httpd/httpd/branches/2.4.x/support/passwd_common.h
> 


> Modified: httpd/httpd/branches/2.4.x/support/htpasswd.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/support/htpasswd.c?rev=1915516&r1=1915515&r2=1915516&view=diff
> ==
> --- httpd/httpd/branches/2.4.x/support/htpasswd.c (original)
> +++ httpd/httpd/branches/2.4.x/support/htpasswd.c Thu Feb  1 16:54:40 2024
> @@ -98,18 +98,20 @@ static int mkrecord(struct passwd_ctx *c
>  static void usage(void)
>  {
>  apr_file_printf(errfile, "Usage:" NL
> -"\thtpasswd [-cimBdpsDv] [-C cost] passwordfile username" NL
> -"\thtpasswd -b[cmBdpsDv] [-C cost] passwordfile username password" NL
> +"\thtpasswd [-cimB25dpsDv] [-C cost] [-r rounds] passwordfile 
> username" NL
> +"\thtpasswd -b[cmB25dpsDv] [-C cost] [-r rounds] passwordfile 
> username password" NL
>  NL
> -"\thtpasswd -n[imBdps] [-C cost] username" NL
> -"\thtpasswd -nb[mBdps] [-C cost] username password" NL
> +"\thtpasswd -n[imB25dps] [-C cost] [-r rounds] username" NL
> +"\thtpasswd -nb[mB25dps] [-C cost] [-r rounds] username password" NL
>  " -c  Create a new file." NL
>  " -n  Don't update file; display results on stdout." NL
>  " -b  Use the password from the command line rather than prompting "
>  "for it." NL
>  " -i  Read password from stdin without verification (for script 
> usage)." NL
>  " -m  Force MD5 encryption of the password (default)." NL
> -" -B  Force bcrypt encryption of the password (very secure)." NL
> +" -2  Force SHA-256 crypt() hash of the password (secure)." NL
> +" -5  Force SHA-512 crypt() hash of the password (secure)." NL
> +" -B  Force bcrypt aencryption of the password (very secure)." NL

We have a typo above: aencryption

>  " -C  Set the computing time used for the bcrypt algorithm" NL
>  " (higher is more secure but slower, default: %d, valid: 4 to 
> 17)." NL
>  " -d  Force CRYPT encryption of the password (8 chars max, 
> insecure)." NL

Regards

Rüdiger