mirror of
https://github.com/sheumann/hush.git
synced 2025-01-11 08:29:54 +00:00
httpd: fix MD5-encrypted-in-httpd.conf password logic
function old new delta check_user_passwd 467 492 +25 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
parent
428bd2d433
commit
35def51c97
@ -199,14 +199,22 @@ config FEATURE_HTTPD_BASIC_AUTH
|
|||||||
help
|
help
|
||||||
Utilizes password settings from /etc/httpd.conf for basic
|
Utilizes password settings from /etc/httpd.conf for basic
|
||||||
authentication on a per url basis.
|
authentication on a per url basis.
|
||||||
|
Example for httpd.conf file:
|
||||||
|
/adm:toor:PaSsWd
|
||||||
|
|
||||||
config FEATURE_HTTPD_AUTH_MD5
|
config FEATURE_HTTPD_AUTH_MD5
|
||||||
bool "Support MD5 crypted passwords for http Authentication"
|
bool "Support MD5 crypted passwords for http Authentication"
|
||||||
default y
|
default y
|
||||||
depends on FEATURE_HTTPD_BASIC_AUTH
|
depends on FEATURE_HTTPD_BASIC_AUTH
|
||||||
help
|
help
|
||||||
Enables basic per URL authentication from /etc/httpd.conf
|
Enables encrypted passwords, and wildcard user/passwords
|
||||||
using md5 passwords.
|
in httpd.conf file.
|
||||||
|
User '*' means 'any system user name is ok',
|
||||||
|
password of '*' means 'use system password for this user'
|
||||||
|
Examples:
|
||||||
|
/adm:toor:$1$P/eKnWXS$aI1aPGxT.dJD5SzqAKWrF0
|
||||||
|
/adm:root:*
|
||||||
|
/wiki:*:*
|
||||||
|
|
||||||
config FEATURE_HTTPD_CGI
|
config FEATURE_HTTPD_CGI
|
||||||
bool "Support Common Gateway Interface (CGI)"
|
bool "Support Common Gateway Interface (CGI)"
|
||||||
@ -223,8 +231,8 @@ config FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR
|
|||||||
help
|
help
|
||||||
This option enables support for running scripts through an
|
This option enables support for running scripts through an
|
||||||
interpreter. Turn this on if you want PHP scripts to work
|
interpreter. Turn this on if you want PHP scripts to work
|
||||||
properly. You need to supply an additional line in your httpd
|
properly. You need to supply an additional line in your
|
||||||
config file:
|
httpd.conf file:
|
||||||
*.php:/path/to/your/php
|
*.php:/path/to/your/php
|
||||||
|
|
||||||
config FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV
|
config FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV
|
||||||
|
@ -1776,6 +1776,16 @@ static int check_user_passwd(const char *path, char *user_and_passwd)
|
|||||||
colon_after_user = strchr(user_and_passwd, ':');
|
colon_after_user = strchr(user_and_passwd, ':');
|
||||||
if (!colon_after_user)
|
if (!colon_after_user)
|
||||||
goto bad_input;
|
goto bad_input;
|
||||||
|
|
||||||
|
/* compare "user:" */
|
||||||
|
if (cur->after_colon[0] != '*'
|
||||||
|
&& strncmp(cur->after_colon, user_and_passwd,
|
||||||
|
colon_after_user - user_and_passwd + 1) != 0
|
||||||
|
) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
/* this cfg entry is '*' or matches username from peer */
|
||||||
|
|
||||||
passwd = strchr(cur->after_colon, ':');
|
passwd = strchr(cur->after_colon, ':');
|
||||||
if (!passwd)
|
if (!passwd)
|
||||||
goto bad_input;
|
goto bad_input;
|
||||||
@ -1786,13 +1796,6 @@ static int check_user_passwd(const char *path, char *user_and_passwd)
|
|||||||
struct pam_conv conv_info = { &pam_talker, (void *) &userinfo };
|
struct pam_conv conv_info = { &pam_talker, (void *) &userinfo };
|
||||||
pam_handle_t *pamh;
|
pam_handle_t *pamh;
|
||||||
|
|
||||||
/* compare "user:" */
|
|
||||||
if (cur->after_colon[0] != '*'
|
|
||||||
&& strncmp(cur->after_colon, user_and_passwd, colon_after_user - user_and_passwd + 1) != 0
|
|
||||||
) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
/* this cfg entry is '*' or matches username from peer */
|
|
||||||
*colon_after_user = '\0';
|
*colon_after_user = '\0';
|
||||||
userinfo.name = user_and_passwd;
|
userinfo.name = user_and_passwd;
|
||||||
userinfo.pw = colon_after_user + 1;
|
userinfo.pw = colon_after_user + 1;
|
||||||
@ -1828,31 +1831,32 @@ static int check_user_passwd(const char *path, char *user_and_passwd)
|
|||||||
passwd = result->sp_pwdp;
|
passwd = result->sp_pwdp;
|
||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
|
/* In this case, passwd is ALWAYS encrypted:
|
||||||
|
* it came from /etc/passwd or /etc/shadow!
|
||||||
|
*/
|
||||||
|
goto check_encrypted;
|
||||||
# endif /* ENABLE_PAM */
|
# endif /* ENABLE_PAM */
|
||||||
}
|
}
|
||||||
|
/* Else: passwd is from httpd.conf, it is either plaintext or encrypted */
|
||||||
|
|
||||||
/* compare "user:" */
|
if (passwd[0] == '$' && isdigit(passwd[1])) {
|
||||||
if (cur->after_colon[0] != '*'
|
char *encrypted;
|
||||||
&& strncmp(cur->after_colon, user_and_passwd, colon_after_user - user_and_passwd + 1) != 0
|
check_encrypted:
|
||||||
) {
|
/* encrypt pwd from peer and check match with local one */
|
||||||
continue;
|
encrypted = pw_encrypt(
|
||||||
}
|
/* pwd (from peer): */ colon_after_user + 1,
|
||||||
/* this cfg entry is '*' or matches username from peer */
|
|
||||||
|
|
||||||
/* encrypt pwd from peer and check match with local one */
|
|
||||||
{
|
|
||||||
char *encrypted = pw_encrypt(
|
|
||||||
/* pwd: */ colon_after_user + 1,
|
|
||||||
/* salt: */ passwd,
|
/* salt: */ passwd,
|
||||||
/* cleanup: */ 0
|
/* cleanup: */ 0
|
||||||
);
|
);
|
||||||
r = strcmp(encrypted, passwd);
|
r = strcmp(encrypted, passwd);
|
||||||
free(encrypted);
|
free(encrypted);
|
||||||
goto end_check_passwd;
|
} else {
|
||||||
|
/* local passwd is from httpd.conf and it's plaintext */
|
||||||
|
r = strcmp(colon_after_user + 1, passwd);
|
||||||
}
|
}
|
||||||
bad_input: ;
|
goto end_check_passwd;
|
||||||
}
|
}
|
||||||
|
bad_input:
|
||||||
/* Comparing plaintext "user:pass" in one go */
|
/* Comparing plaintext "user:pass" in one go */
|
||||||
r = strcmp(cur->after_colon, user_and_passwd);
|
r = strcmp(cur->after_colon, user_and_passwd);
|
||||||
end_check_passwd:
|
end_check_passwd:
|
||||||
|
Loading…
x
Reference in New Issue
Block a user