歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux綜合 >> Linux資訊 >> 更多Linux

mod_auth_mysql的SHA512支持/Subversion共享用戶庫

  mod_auth_mysql是一個apache的模塊,用於保護某個目錄或者一些資源.此模塊可以使用保存在mysql數據庫裡的用戶和密碼以及組設置來校驗用戶的權限. 原文是針對mod_auth_mysql 2.8.1所做的補丁,由於3.0.0版本做了很多改動,所以只好改了一些地方,才順利能用. 如果不打補丁,mod_auth_mysql 的安裝其實非常簡單: 1.從http://modauthmysql.sourceforge.net下載相應版本 2.使用apache自帶的apxs進行編譯 正常情況下: apxs -c -lmysqlclient -lm -lz mod_auth_mysql.c 如果找不到mysql的頭文件,試試(注意路徑改為自己的正確路徑) apxs -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c 3.把模塊安裝到apache目錄下 Apache 1.x: apxs -i mod_auth_mysql.so Apache 2.x: apxs -i mod_auth_mysql.la 4.修改httpd.conf配置文件,加上一行 LoadModule mysql_auth_module modules/mod_auth_mysql.so 5.按照需要配置 這個就要按照自己的情況配置了 6.重啟apache mod_auth_mysql默認支持的密碼加密方式包括: * none: 不加密 * crypt: crypt() 方式加密 * scrambled: MySQL PASSWord 加密 * md5: MD5 加密 * aes: Advanced Encryption Standard (AES) 加密 * sha1: Secure Hash Algorihm (SHA1) 加密 假設我們有subversion,一個論壇,或者其他一些需要利用apache認證的資源,那麼我們就可以統一利用論壇的用戶來做認證,這樣可以統一用戶管理,用戶修改信息也非常方便,否則修改密碼就是一個大問題,還得提供額外的程序來進行修改密碼,幾個系統的用戶統一問題也很頭疼. 我的初衷就是讓subversion使用別的系統的用戶,整合用戶. 只要原有的用戶密碼方式是以上幾種,就很方便的整合,當然你也可以自己開發一些加密方式. :) Atlassian公司的Jira和Confluence都是非常優秀的WEB軟件,它們采用的加密方式都是SHA512,而mod_auth_mysql是不支持的,為了利用他們的用戶,所以需要打補丁.也就是原文裡面的目的. 針對3.0.0版本的SHA512補丁如下: --- mod_auth_mysql-3.0.0\ori_mod_auth_mysql.c Thu Jun 23 00:17:46 2005 +++ mod_auth_mysql-3.0.0\mod_auth_mysql.c Sun Dec 11 19:51:42 2005 @@ -271,6 +270,269 @@ #include <my_aes.h> #endif + +#ifdef _SHA512 +/* + * SHA-512 code by Jean-LUC Cooke <[email protected]> + * + * Copyright (c) Jean-Luc Cooke <[email protected]> + * Copyright (c) Andrew McDonald <[email protected]> + * Copyright (c) 2003 Kyle McMartin <[email protected]> + */ + +#define SHA512_DIGEST_SIZE 64 + +#define H0 0x6a09e667f3bcc908ULL


+#define H1 0xbb67ae8584caa73bULL +#define H2 0x3c6ef372fe94f82bULL +#define H3 0xa54ff53a5f1d36f1ULL +#define H4 0x510e527fade682d1ULL +#define H5 0x9b05688c2b3e6c1fULL +#define H6 0x1f83d9abfb41bd6bULL +#define H7 0x5be0cd19137e2179ULL + +#define e0(x) (ROR(x,28) ^ ROR(x,34) ^ ROR(x,39)) +#define e1(x) (ROR(x,14) ^ ROR(x,18) ^ ROR(x,41)) +#define s0(x) (ROR(x, 1) ^ ROR(x, 8) ^ (x >> 7)) +#define s1(x) (ROR(x,19) ^ ROR(x,61) ^ (x >> 6)) + +typedef struct sha512_ctx { + uint64_t state[8]; + uint32_t count[4]; + uint8_t buf[128]; +} sha512_ctx; + +static inline uint64_t CH(uint64_t x, uint64_t y, uint64_t z) { + return ((x & y) ^ (~x & z)); +} + +static inline uint64_t MAJ(uint64_t x, uint64_t y, uint64_t z) { + return ((x & y) ^ (x & z) ^ (y & z)); +} + +static inline uint64_t ROR(uint64_t x, uint64_t y) { + return (x >> y) (x << (64 - y)); +} + +static inline void LOA(int I, uint64_t *W, const uint8_t *input) { + uint64_t t1 = input[(8*I) ] & 0xff; + t1 <<= 8; + t1 = input[(8*I)+1] & 0xff; + t1 <<= 8; + t1 = input[(8*I)+2] & 0xff; + t1 <<= 8; + t1 = input[(8*I)+3] & 0xff; + t1 <<= 8; + t1 = input[(8*I)+4] & 0xff; + t1 <<= 8; + t1 = input[(8*I)+5] & 0xff; + t1 <<= 8; + t1 = input[(8*I)+6] & 0xff; + t1 <<= 8; + t1 = input[(8*I)+7] & 0xff; + W[I] = t1; +} + +static inline void MIX(int I, uint64_t *W) { + W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16]; +} + +static const uint64_t sha512_K[80] = { + 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, + 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, + 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL, + 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, + 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, + 0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, + 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL, + 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, + 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, + 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, + 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL, + 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, + 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,

+ 0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, + 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL, + 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, + 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, + 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, + 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL, + 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, + 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, + 0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, + 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL, + 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, + 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, + 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, + 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL, +}; + + +static void _transform(uint64_t *state, const uint8_t *input) { + uint64_t a, b, c, d, e, f, g, h, t1, t2; + uint64_t W[80]; + int i; + + /* load the input */ + for (i = 0; i < 16; i++) LOA(i, W, input); + for (i = 16; i < 80; i++) MIX(i, W); + + /* load the state into our registers */ + a=state[0]; b=state[1]; c=state[2]; d=state[3]; + e=state[4]; f=state[5]; g=state[6]; h=state[7]; + + /* now iterate */ + for (i=0; i<80; i+=8) { + t1 = h + e1(e) + CH(e,f,g) + sha512_K[i ] + W[i ]; + t2 = e0(a) + MAJ(a,b,c); d+=t1; h=t1+t2; + t1 = g + e1(d) + CH(d,e,f) + sha512_K[i+1] + W[i+1]; + t2 = e0(h) + MAJ(h,a,b); c+=t1; g=t1+t2; + t1 = f + e1(c) + CH(c,d,e) + sha512_K[i+2] + W[i+2]; + t2 = e0(g) + MAJ(g,h,a); b+=t1; f=t1+t2; + t1 = e + e1(b) + CH(b,c,d) + sha512_K[i+3] + W[i+3]; + t2 = e0(f) + MAJ(f,g,h); a+=t1; e=t1+t2; + t1 = d + e1(a) + CH(a,b,c) + sha512_K[i+4] + W[i+4]; + t2 = e0(e) + MAJ(e,f,g); h+=t1; d=t1+t2; + t1 = c + e1(h) + CH(h,a,b) + sha512_K[i+5] + W[i+5]; + t2 = e0(d) + MAJ(d,e,f); g+=t1; c=t1+t2; + t1 = b + e1(g) + CH(g,h,a) + sha512_K[i+6] + W[i+6]; + t2 = e0(c) + MAJ(c,d,e); f+=t1; b=t1+t2; + t1 = a + e1(f) + CH(f,g,h) + sha512_K[i+7] + W[i+7]; + t2 = e0(b) + MAJ(b,c,d); e+=t1; a=t1+t2; + } + + state[0] += a; state[1] += b; state[2] += c; state[3] += d; + state[4] += e; state[5] += f; state[6] += g; state[7] += h; + + /* erase our data */ + a = b = c = d = e = f = g = h = t1 = t2 = 0;

+ memset(W, 0, 80 * sizeof(uint64_t)); +} + +static void sha512_init(void *ctx) { + struct sha512_ctx *sctx = ctx; + sctx->state[0] = H0; + sctx->state[1] = H1; + sctx->state[2] = H2; + sctx->state[3] = H3; + sctx->state[4] = H4; + sctx->state[5] = H5; + sctx->state[6] = H6; + sctx->state[7] = H7; + sctx->count[0] = sctx->count[1] = sctx->count[2] = sctx->count[3] = 0; + memset(sctx->buf, 0, sizeof(sctx->buf)); +} + +static void sha512_update(void *ctx, const uint8_t *data, unsigned int len) { + struct sha512_ctx *sctx = ctx; + unsigned int i, index, part_len; + + /* Compute number of bytes mod 128 */ + index = (unsigned int)((sctx->count[0] >> 3) & 0x7F); + + /* Update number of bits */ + if ((sctx->count[0] += (len << 3)) < (len << 3)) { + if ((sctx->count[1] += 1) < 1) + if ((sctx->count[2] += 1) < 1) + sctx->count[3]++; + sctx->count[1] += (len >> 29); + } + + part_len = 128 - index; + + /* Transform as many times as possible. */ + if (len >= part_len) { + memcpy(&sctx->buf[index], data, part_len); + _transform(sctx->state, sctx->buf); + + for (i = part_len; i + 127 < len; i+=128) + _transform(sctx->state, &data[i]); + + index = 0; + } else { + i = 0; + } + + /* Buffer remaining input */ + memcpy(&sctx->buf[index], &data[i], len - i); +} + +static void sha512_final(void *ctx, uint8_t *hash) { + struct sha512_ctx *sctx = ctx; + const static uint8_t padding[128] = { 0x80, }; + + uint32_t t; + uint64_t t2; + uint8_t bits[128]; + unsigned int index, pad_len; + int i, j; + + index = pad_len = t = i = j = 0; + t2 = 0; + + /* Save number of bits */ + t = sctx->count[0]; + bits[15] = t; t>>=8; + bits[14] = t; t>>=8; + bits[13] = t; t>>=8; + bits[12] = t; + t = sctx->count[1]; + bits[11] = t; t>>=8; + bits[10] = t; t>>=8; + bits[9 ] = t; t>>=8; + bits[8 ] = t; + t = sctx->count[2]; + bits[7 ] = t; t>>=8;

+ bits[6 ] = t; t>>=8; + bits[5 ] = t; t>>=8; + bits[4 ] = t; + t = sctx->count[3]; + bits[3 ] = t; t>>=8; + bits[2 ] = t; t>>=8; + bits[1 ] = t; t>>=8; + bits[0 ] = t; + + /* Pad out to 112 mod 128. */ + index = (sctx->count[0] >> 3) & 0x7f; + pad_len = (index < 112) ? (112 - index) : ((128+112) - index); + sha512_update(sctx, padding, pad_len); + + /* Append length (before padding) */ + sha512_update(sctx, bits, 16); + + /* Store state in digest */ + for (i = j = 0; i < 8; i++, j += 8) { + t2 = sctx->state[i]; + hash[j+7] = (char)t2 & 0xff; t2>>=8; + hash[j+6] = (char)t2 & 0xff; t2>>=8; + hash[j+5] = (char)t2 & 0xff; t2>>=8; + hash[j+4] = (char)t2 & 0xff; t2>>=8; + hash[j+3] = (char)t2 & 0xff; t2>>=8; + hash[j+2] = (char)t2 & 0xff; t2>>=8; + hash[j+1] = (char)t2 & 0xff; t2>>=8; + hash[j ] = (char)t2 & 0xff; + } + + /* Zeroize sensitive information. */ + memset(sctx, 0, sizeof(struct sha512_ctx)); +} + +static int sha512_hash(uint8_t *orig, int origlen, uint8_t *hash, int hashlen) { + sha512_ctx context; + + if (hash == NULL) return -1; + if (hashlen < SHA512_DIGEST_SIZE) return -1; + + sha512_init(&context); + sha512_update(&context, orig, origlen); + sha512_final(&context, hash); + return(SHA512_DIGEST_SIZE); +} + +#endif //_SHA512 + + + #ifndef SCRAMBLED_PASSWORD_CHAR_LENGTH /* Ensure it is defined for older MySQL releases */ #define SCRAMBLED_PASSWORD_CHAR_LENGTH 32 /* Big enough for the old method of scrambling */ #endif @@ -287,6 +549,10 @@ #if _AES static short pw_aes(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt); #endif +#ifdef _SHA512 +static short pw_sha512(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt); +#endif + static short pw_sha1(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt); static short pw_plain(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt); @@ -318,6 +584,10 @@ #if _AES {"aes", SALT_REQUIRED, pw_aes}, #endif +#ifdef _SHA512 + {"sha512",NO_SALT,pw_sha512}, +#endif

+ {"sha1", NO_SALT, pw_sha1}}; typedef struct { /* User formatting patterns */ char pattern; /* Pattern to match */ @@ -836,6 +1106,35 @@ return enc_len > 0 && memcmp(real_pw, encrypted_sent_pw, enc_len) == 0; } #endif + +#ifdef _SHA512 +/* checks sha512 passwords */ +static short pw_sha512(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt) { + int res; + short enc_len = 0; + char *scrambled_sent_pw, *buffer=PCALLOC(pool, 128); + + res = sha512_hash((uint8_t *)sent_pw, strlen(sent_pw), buffer, 128); + if (res != SHA512_DIGEST_SIZE) + { + /* + LOG_ERROR(APLOG_NOERRNOAPLOG_ERR, 0, r, "auth_mysql: " + "Internal error: SHA512 invalid digest size"); + */ + return (res == SHA512_DIGEST_SIZE ); + } + else + { + enc_len = apr_base64_encode_len(SHA512_DIGEST_SIZE); + scrambled_sent_pw = PCALLOC(pool, enc_len); + enc_len = apr_base64_encode(scrambled_sent_pw, buffer, SHA512_DIGEST_SIZE); + return (enc_len > 0 && memcmp(real_pw, scrambled_sent_pw, enc_len) == 0) ; + } + +} +#endif + + /* checks SHA1 passwords */ static short pw_sha1(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt) { 注意打上補丁之後,apxs的編譯參數要加上 -D_SHA512 ,否則是沒有開啟SHA512的. 編譯安裝好後,在配置裡使用的加密方式為sha512. 下面的配置是我的subversion使用confluence用戶庫的例子(jira的例子在原文中有,參考修改即可) <Location /svn> DAV svn SVNParentPath /svn # our Access control policy AuthzSVNAccessFile /config/svnaccess # try anonymous access first, resort to real # authentication if necessary. Satisfy Any Require valid-user # how to authenticate a user AuthType Basic AuthName "Subversion repository" AuthMySQLEnable on # For TCP/IP AuthMySQLHost localhost AuthMySQLPort 3306 AuthMySQLUser confluence AuthMySQLPassword password AuthMySQLDB confluence AuthMySQLUserTable os_user AuthMySQLGroupTable os_user,os_group,os_user_group AuthMySQLGroupCondition "os_user.id=os_user_group.user_id and os_group.id=os_user_group.group_id " AuthMySQLNameField username

AuthMySqlGroupField groupname AuthMySQLPasswordField passwd AuthMySQLPwEncryption sha512 AuthMySQLAuthoritative On </Location>



AuthMySQLDB confluence AuthMySQLUserTable os_user AuthMySQLGroupTable os_user,os_group,os_user_group AuthMySQLGroupCondition "os_user.id=os_user_group.user_id and os_group.id=os_user_group.group_id " AuthMySQLNameField username AuthMySqlGroupField groupname AuthMySQLPasswordField passwd AuthMySQLPwEncryption sha512 AuthMySQLAuthoritative On </Location>



+ return (enc_len > 0 && memcmp(real_pw, scrambled_sent_pw, enc_len) == 0) ; + } + +} +#endif + + /* checks SHA1 passwords */ static short pw_sha1(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt) { 注意打上補丁之後,apxs的編譯參數要加上 -D_SHA512 ,否則是沒有開啟SHA512的. 編譯安裝好後,在配置裡使用的加密方式為sha512. 下面的配置是我的subversion使用confluence用戶庫的例子(jira的例子在原文中有,參考修改即可) <Location /svn> DAV svn SVNParentPath /svn # our Access control policy AuthzSVNAccessFile /config/svnaccess # try anonymous access first, resort to real # authentication if necessary. Satisfy Any Require valid-user # how to authenticate a user AuthType Basic AuthName "Subversion repository" AuthMySQLEnable on # For TCP/IP AuthMySQLHost localhost AuthMySQLPort 3306 AuthMySQLUser confluence AuthMySQLPassword password AuthMySQLDB confluence AuthMySQLUserTable os_user AuthMySQLGroupTable os_user,os_group,os_user_group AuthMySQLGroupCondition "os_user.id=os_user_group.user_id and os_group.id=os_user_group.group_id " AuthMySQLNameField username AuthMySqlGroupField groupname AuthMySQLPasswordField passwd AuthMySQLPwEncryption sha512 AuthMySQLAuthoritative On </Location>



Copyright © Linux教程網 All Rights Reserved