httpd clear password
Denys Vlasenko
vda.linux at googlemail.com
Wed Feb 1 01:49:48 UTC 2012
On Tuesday 31 January 2012 16:46, Pascal Bellard wrote:
> >> The point is, pw_encrypt() autodetects hash type
> >> by looking at salt. It can do md5 and sha256/512,
> >> else it defaults to des. In the future, it may
> >> even take other hashes (blowfish?).
> >>
> >> How about this: if passwd[0] is '$', then
> >> use pw_encrypt(), else treat it as plain text?
> >
> > Looks good.
>
> Or maybe :
> - {
> + if (passwd[0] == '$' && passwd[2] == '$') {
>
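Review bot: `passwd[2] == '$'` is evaluated as soon as `passwd[0]` is `'$'`, so for a one-character value "$" (passwd[1] is the terminating NUL) it reads one byte past the end of the string; it also hard-codes a single-character hash id. Testing the second character instead (`passwd[1]` being a digit) stays inside the string and still covers the md5 and sha256/512 salts named above.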
Well, after a deeper look I understood that in fact support for
'*' user/passwd is broken: it wasn't always using the correct encryption
for system passwords, and conversely, was trying to use it for
non-system ones.
I think I fixed it now. I also updated the help text.
Please test latest git, and review the logic in the check_user_passwd()
function. This is the changed part:
	if (ENABLE_FEATURE_HTTPD_AUTH_MD5) {
		colon_after_user = strchr(user_and_passwd, ':');
		if (!colon_after_user)
			goto bad_input;
		/* compare "user:" */
		if (cur->after_colon[0] != '*'
		 && strncmp(cur->after_colon, user_and_passwd,
				colon_after_user - user_and_passwd + 1) != 0
		) {
			continue;
		}
		/* this cfg entry is '*' or matches username from peer */
		passwd = strchr(cur->after_colon, ':');
		if (!passwd)
			goto bad_input;
		passwd++;
		if (passwd[0] == '*') {
			...
			... get passwd from system
			...
			/* In this case, passwd is ALWAYS encrypted:
			 * it came from /etc/passwd or /etc/shadow!
			 */
			goto check_encrypted;
		}
		/* Else: passwd is from httpd.conf, it is either plaintext or encrypted */
		if (passwd[0] == '$' && isdigit(passwd[1])) {
			char *encrypted;
 check_encrypted:
			/* encrypt pwd from peer and check match with local one */
			encrypted = pw_encrypt(
				/* pwd (from peer): */ colon_after_user + 1,
				/* salt: */ passwd,
				/* cleanup: */ 0
			);
			r = strcmp(encrypted, passwd);
			free(encrypted);
		} else {
			/* local passwd is from httpd.conf and it's plaintext */
			r = strcmp(colon_after_user + 1, passwd);
		}
		goto end_check_passwd;
	}
 bad_input:
	/* Comparing plaintext "user:pass" in one go */
	r = strcmp(cur->after_colon, user_and_passwd);
 end_check_passwd:
	if (r == 0) {
--
vda
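The decision logic of the snippet above, which entries are verified through pw_encrypt() and which are compared as plaintext, rewritten in Python as an added example; it is not busybox code. The pw_encrypt() here is a constructed stand-in for crypt(3): it only mimics the "$<id>$<salt>$" interface (hash type detected from the salt prefix, salt reused, same prefix on the output) and is not the real MD5-crypt or SHA-crypt algorithm. The httpd.conf-style entry list, the fake shadow map and the system_hash() callback are likewise constructed for the demo.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed stand-in for busybox's pw_encrypt()/crypt(3). NOT the real
# MD5-crypt/SHA-crypt algorithm; it only reproduces the interface the httpd
# logic relies on: the hash type is auto-detected from the "$<id>$" prefix of
# the salt, the salt is reused, and the result carries the same "$<id>$<salt>$"
# prefix, so hashing the peer's password with the stored hash as the salt
# reproduces the stored hash exactly when the password matches.
def pw_encrypt(clear: str, salt: str) -> str:
    parts = salt.split("$")  # "$1$ab$..." -> ['', '1', 'ab', '...']
    if len(parts) < 3 or parts[0] != "" or not parts[1].isdigit():
        raise ValueError("stand-in only understands '$<digit>$<salt>...' salts")
    algo = {"1": "md5", "5": "sha256", "6": "sha512"}.get(parts[1])
    if algo is None:
        raise ValueError(f"unsupported hash id ${parts[1]}$")
    digest = hashlib.new(algo, (parts[2] + clear).encode()).hexdigest()
    return f"${parts[1]}${parts[2]}${digest}"


def is_crypt_hash(passwd: str) -> bool:
    # Same test as the C code: '$' followed by a digit marks a crypt-style hash.
    return len(passwd) > 1 and passwd[0] == "$" and passwd[1].isdigit()


def check_user_passwd(conf_entries: List[str], user_and_passwd: str,
                      system_hash: Callable[[str], Optional[str]]) -> bool:
    """Mirror of the quoted check_user_passwd() logic.

    conf_entries:     "user:passwd" lines from httpd.conf; user may be '*',
                      passwd may be '*' (use the system database).
    user_and_passwd:  "user:passwd" as decoded from the peer's Basic auth.
    system_hash:      returns the crypt hash of a system user, or None.
    """
    if ":" not in user_and_passwd:
        # bad_input in the C code: no "user:" to match, compare whole strings
        return any(hmac.compare_digest(e.encode(), user_and_passwd.encode())
                   for e in conf_entries)
    peer_user, peer_pw = user_and_passwd.split(":", 1)
    for entry in conf_entries:
        if ":" not in entry:
            # bad_input: entry has no password part, compare "user:pass" in one go
            if hmac.compare_digest(entry.encode(), user_and_passwd.encode()):
                return True
            continue
        cfg_user, stored = entry.split(":", 1)
        if cfg_user != "*" and cfg_user != peer_user:
            continue  # this entry belongs to another user
        if stored == "*":
            # password comes from the system database: it is ALWAYS a crypt hash
            stored = system_hash(peer_user)
            if stored is None:
                continue
            encrypted = True
        else:
            # password is from httpd.conf: either a crypt hash or plaintext
            encrypted = is_crypt_hash(stored)
        candidate = pw_encrypt(peer_pw, stored) if encrypted else peer_pw
        # constant-time compare (the C code uses strcmp); a design choice here
        if hmac.compare_digest(candidate.encode(), stored.encode()):
            return True
    return False


# Constructed sample data: httpd.conf-style entries and a fake shadow file.
CONF_ENTRIES: List[str] = [
    "admin:" + pw_encrypt("s3cret", "$1$ab$"),  # hashed password in httpd.conf
    "guest:letmein",                            # plaintext password in httpd.conf
    "old:abJnggxhB/yWI",                        # DES-style hash: no '$', so treated as plaintext
    "*:*",                                      # anyone else: check the system database
]
FAKE_SHADOW: Dict[str, str] = {"bob": pw_encrypt("bobpass", "$6$xyz$")}


def system_hash(user: str) -> Optional[str]:
    return FAKE_SHADOW.get(user)


def check(user_and_passwd: str) -> bool:
    return check_user_passwd(CONF_ENTRIES, user_and_passwd, system_hash)


if __name__ == "__main__":
    for probe in ("admin:s3cret", "guest:letmein", "bob:bobpass",
                  "old:abJnggxhB/yWI", "admin:wrong", "nobody:x"):
        print(f"{probe!r:28} -> {'ok' if check(probe) else 'rejected'}")
```

Two things the run makes visible that the C snippet only implies: a hash stored in httpd.conf is never accepted as the password itself (it goes through pw_encrypt() again, so the peer has to know the clear text), while an old-style DES hash without a "$" prefix, or a plaintext password that happens to start with "$<digit>", is classified by the prefix test alone, so the "old" entry above is matched by sending the hash string verbatim. The constant-time compare replaces the strcmp() of the original; that is a choice of this example, not a change in busybox.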