httpd clear password

Denys Vlasenko vda.linux at googlemail.com
Wed Feb 1 01:49:48 UTC 2012


On Tuesday 31 January 2012 16:46, Pascal Bellard wrote:
> >> The point is, pw_encrypt() autodetects hash type
> >> by looking at salt. It can do md5 and sha256/512,
> >> else it defaults to des. In the future, it may
> >> even take other hashes (blowfish?).
> >>
> >> How about this: if passwd[0] is '$', then
> >> use pw_encrypt(), else treat it as plain text?
> >
> > Looks good.
> 
> Or maybe :
> -                       {
> +                       if (passwd[0] == '$' && passwd[2] == '$') {
> 
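Review bot: in the '+' line, passwd[2] == '$' is evaluated whenever passwd[0] == '$', so a stored password consisting of just "$" makes the test read one byte past the string terminator; check passwd[1] before looking at passwd[2]. The fixed index 2 also assumes a one-character hash id, so it would not match a longer id if more hash types are added later, as the quoted text above anticipates.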

Well, after a deeper look I understood that in fact support for
'*' user/passwd is broken: it wasn't always using the correct encryption
for system passwords, and conversely, was trying to use it for
non-system ones.

I think I fixed it now. I also updated the help text.

Please test the latest git, and review the logic in the check_user_passwd()
function. This is the changed part:

                if (ENABLE_FEATURE_HTTPD_AUTH_MD5) {

                        colon_after_user = strchr(user_and_passwd, ':');
                        if (!colon_after_user)
                                goto bad_input;

                        /* compare "user:" */
                        if (cur->after_colon[0] != '*'
                         && strncmp(cur->after_colon, user_and_passwd,
                                        colon_after_user - user_and_passwd + 1) != 0
                        ) {
                                continue;
                        }
                        /* this cfg entry is '*' or matches username from peer */

                        passwd = strchr(cur->after_colon, ':');
                        if (!passwd)
                                goto bad_input;
                        passwd++;
                        if (passwd[0] == '*') {
...
... get passwd from system
...
                                /* In this case, passwd is ALWAYS encrypted:
                                 * it came from /etc/passwd or /etc/shadow!
                                 */
                                goto check_encrypted;
                        }
                        /* Else: passwd is from httpd.conf, it is either plaintext or encrypted */

                        if (passwd[0] == '$' && isdigit(passwd[1])) {
                                char *encrypted;
 check_encrypted:
                                /* encrypt pwd from peer and check match with local one */
                                encrypted = pw_encrypt(
                                        /* pwd (from peer): */  colon_after_user + 1,
                                        /* salt: */ passwd,
                                        /* cleanup: */ 0
                                );
                                r = strcmp(encrypted, passwd);
                                free(encrypted);
                        } else {
                                /* local passwd is from httpd.conf and it's plaintext */
                                r = strcmp(colon_after_user + 1, passwd);
                        }
                        goto end_check_passwd;
                }
 bad_input:
                /* Comparing plaintext "user:pass" in one go */
                r = strcmp(cur->after_colon, user_and_passwd);
 end_check_passwd:
                if (r == 0) {



-- 
vda
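
An added example, not part of the original post and not BusyBox code: a small audit that applies the same passwd[0]/passwd[1] tests as the excerpt above to "user:passwd" entries and reports which comparison path each one selects, flagging passwords stored in clear and entries that start with '$' and a digit without looking like a complete hash. The enum, the function names and the three-'$' shape heuristic are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; none of this is BusyBox code. */
enum pw_kind { PW_MALFORMED, PW_SYSTEM, PW_HASHED, PW_AMBIGUOUS, PW_PLAINTEXT };

/* Heuristic (assumption): a crypt string looks like $id$salt$hash, so it
 * has at least three '$' and a non-empty last field. */
static int looks_like_crypt(const char *s)
{
	int dollars = 0;
	const char *last = s;
	for (; *s; s++)
		if (*s == '$') {
			dollars++;
			last = s;
		}
	return dollars >= 3 && last[1] != '\0';
}

/* entry is the "user:passwd" part of a config line (cur->after_colon in
 * the post); the tests on passwd[0] and passwd[1] mirror the posted code. */
enum pw_kind audit_entry(const char *entry)
{
	const char *passwd = strchr(entry, ':');
	if (!passwd)
		return PW_MALFORMED;
	passwd++;
	if (passwd[0] == '*')
		return PW_SYSTEM;	/* taken from /etc/passwd or /etc/shadow */
	/* passwd[1] is at worst the terminator, so a lone "$" is safe to test */
	if (passwd[0] == '$' && isdigit((unsigned char)passwd[1]))
		return looks_like_crypt(passwd) ? PW_HASHED : PW_AMBIGUOUS;
	return PW_PLAINTEXT;		/* stored in clear, compared with strcmp() */
}

int main(void)
{
	/* Constructed sample entries, not taken from any real configuration. */
	const char *samples[] = { "admin:$1$abcdefgh$0123456789abcdefghijkl",
		"bob:$1million", "carol:secret", "*:*", "nocolon" };
	static const char *const names[] = { "malformed", "system", "hashed",
		"ambiguous ($digit prefix, not a full hash)", "plaintext" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-45s %s\n", samples[i], names[audit_entry(samples[i])]);
	return 0;
}
```

An entry reported as ambiguous is one the posted logic would pass to pw_encrypt() as a salt rather than compare as plaintext, so it is worth checking by hand.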