List:       busybox
Subject:    Re: httpd clear password
From:       Denys Vlasenko <vda.linux () googlemail ! com>
Date:       2012-01-31 14:35:42
Message-ID: CAK1hOcP1V68H9KSax8UmJaxd79-x1SL2dS2pdLEyxmaL+H-EYw () mail ! gmail ! com

On Thu, Jan 19, 2012 at 12:40 PM, Pascal Bellard
<pascal.bellard@ads-lu.com> wrote:
> Hello,
>
> httpd does not support clear password when FEATURE_HTTPD_AUTH_MD5 is set.
>
> The fix:
> --- busybox/networking/httpd.c.org      Thu Jan 19 12:33:37 2012
> +++ busybox/networking/httpd.c  Thu Jan 19 12:34:32 2012
> @@ -1840,7 +1840,7 @@
>                        /* this cfg entry is '*' or matches username from
> peer */
>
>                        /* encrypt pwd from peer and check match with
> local one */
> -                       {
> +                       if (passwd[0] == '$' && passwd[1] == '1' &&
> passwd[2] == '$') {
>                                char *encrypted = pw_encrypt(
>                                        /* pwd: */  colon_after_user + 1,
>                                        /* salt: */ passwd,
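
Review bot: The new condition on the `+` line tests only for the `$1$` prefix, so a stored entry in any other format no longer reaches the pw_encrypt() call shown below it and takes whatever path follows this block. The hunk ends before that path is visible, so please extend the context to include it and say in a comment how a non-matching entry is compared. The added line and both comment lines are also wrapped by the mail client (`passwd[2] == '$') {` sits on its own line), so the patch will not apply as posted; resend it unwrapped or as an attachment.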


The point is, pw_encrypt() autodetects hash type
by looking at salt. It can do md5 and sha256/512,
else it defaults to des. In the future, it may
even take other hashes (blowfish?).

How about this: if passwd[0] is '$', then
use pw_encrypt(), else treat it as plain text?

-- 
vda
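
The two dispatch rules discussed in this thread, side by side, as an added example that is not BusyBox code and not from either poster. `rule_patch`, `rule_reply`, `check_password` and `fake_hasher` are hypothetical names, the stored entries are constructed, and `fake_hasher` stands in for `pw_encrypt()` without computing a real hash. It also shows where a 13-character DES-style entry, which has no leading `$`, ends up under each rule.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not BusyBox code; every name here is hypothetical. */
enum path { PATH_PLAINTEXT, PATH_HASH };
typedef enum path (*rule_fn)(const char *stored);
typedef const char *(*hasher_fn)(const char *pwd, const char *salt);

/* Rule in the quoted patch: only "$1$" (MD5) entries go to the hasher. */
static enum path rule_patch(const char *s)
{
    return (s[0] == '$' && s[1] == '1' && s[2] == '$') ? PATH_HASH : PATH_PLAINTEXT;
}

/* Rule proposed in the reply: any leading '$' goes to the hasher. */
static enum path rule_reply(const char *s)
{
    return s[0] == '$' ? PATH_HASH : PATH_PLAINTEXT;
}

/* Returns 1 when the peer's password matches the stored entry. */
static int check_password(const char *stored, const char *supplied,
                          rule_fn rule, hasher_fn hasher)
{
    if (rule(stored) == PATH_HASH) {
        const char *h = hasher(supplied, stored);   /* salt = stored entry */
        return h != NULL && strcmp(h, stored) == 0;
    }
    return strcmp(supplied, stored) == 0;           /* clear-text entry */
}

/* Constructed entries; the hash bodies are placeholders, not real digests. */
static const char MD5_ENTRY[] = "$1$salt$constructed-md5";
static const char SHA_ENTRY[] = "$6$salt$constructed-sha512";
static const char DES_ENTRY[] = "abCONSTRUCTED";    /* 13 chars, no '$' */

/* Stand-in for pw_encrypt(): only "hunter2" reproduces the stored entry. */
static const char *fake_hasher(const char *pwd, const char *salt)
{
    return strcmp(pwd, "hunter2") == 0 ? salt : "mismatch";
}

int main(void)
{
    const char *e[] = { MD5_ENTRY, SHA_ENTRY, DES_ENTRY, "secret" };
    for (size_t i = 0; i < sizeof e / sizeof e[0]; i++)
        printf("%-28s patch:%d reply:%d\n", e[i], rule_patch(e[i]), rule_reply(e[i]));
    return 0;
}
```

Under the patch rule the `$6$` entry is compared as clear text, so the correct password no longer matches it; under both rules the DES-style entry is compared as clear text.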