httpd clear password
Denys Vlasenko
vda.linux at googlemail.com
Tue Jan 31 14:35:42 UTC 2012
On Thu, Jan 19, 2012 at 12:40 PM, Pascal Bellard
<pascal.bellard at ads-lu.com> wrote:
> Hello,
>
> httpd does not support clear password when FEATURE_HTTPD_AUTH_MD5 is set.
>
> The fix :
> --- busybox/networking/httpd.c.org Thu Jan 19 12:33:37 2012
> +++ busybox/networking/httpd.c Thu Jan 19 12:34:32 2012
> @@ -1840,7 +1840,7 @@
> /* this cfg entry is '*' or matches username from
> peer */
>
> /* encrypt pwd from peer and check match with
> local one */
> - {
> + if (passwd[0] == '$' && passwd[1] == '1' &&
> passwd[2] == '$') {
> char *encrypted = pw_encrypt(
> /* pwd: */ colon_after_user + 1,
> /* salt: */ passwd,
The point is, pw_encrypt() autodetects hash type
by looking at salt. It can do md5 and sha256/512,
else it defaults to des. In the future, it may
even take other hashes (blowfish?).
How about this: if passwd[0] is '$', then
use pw_encrypt(), else treat it as plain text?
--
vda
More information about the busybox
mailing list