-rw-r--r--networking/Config.src16
-rw-r--r--networking/httpd.c50
2 files changed, 39 insertions, 27 deletions
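--- a/networking/Config.src
+++ b/networking/Config.src
@@ -199,14 +199,22 @@ config FEATURE_HTTPD_BASIC_AUTH
  help
  Utilizes password settings from /etc/httpd.conf for basic
  authentication on a per url basis.
+ Example for httpd.conf file:
+ /adm:toor:PaSsWd
 
 config FEATURE_HTTPD_AUTH_MD5
  bool "Support MD5 crypted passwords for http Authentication"
  default y
  depends on FEATURE_HTTPD_BASIC_AUTH
  help
- Enables basic per URL authentication from /etc/httpd.conf
- using md5 passwords.
+ Enables encrypted passwords, and wildcard user/passwords
+ in httpd.conf file.
+ User '*' means 'any system user name is ok',
+ password of '*' means 'use system password for this user'
+ Examples:
+ /adm:toor:$1$P/eKnWXS$aI1aPGxT.dJD5SzqAKWrF0
+ /adm:root:*
+ /wiki:*:*
 
 config FEATURE_HTTPD_CGI
  bool "Support Common Gateway Interface (CGI)"
@@ -223,8 +231,8 @@ config FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR
  help
  This option enables support for running scripts through an
  interpreter. Turn this on if you want PHP scripts to work
- properly. You need to supply an additional line in your httpd
- config file:
+ properly. You need to supply an additional line in your
+ httpd.conf file:
  *.php:/path/to/your/php
 
 config FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV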
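--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1776,6 +1776,16 @@ static int check_user_passwd(const char *path, char *user_and_passwd)
  colon_after_user = strchr(user_and_passwd, ':');
  if (!colon_after_user)
  goto bad_input;
+
+ /* compare "user:" */
+ if (cur->after_colon[0] != '*'
+ && strncmp(cur->after_colon, user_and_passwd,
+ colon_after_user - user_and_passwd + 1) != 0
+ ) {
+ continue;
+ }
+ /* this cfg entry is '*' or matches username from peer */
+
  passwd = strchr(cur->after_colon, ':');
  if (!passwd)
  goto bad_input;
@@ -1786,13 +1796,6 @@ static int check_user_passwd(const char *path, char *user_and_passwd)
  struct pam_conv conv_info = { &pam_talker, (void *) &userinfo };
  pam_handle_t *pamh;
 
- /* compare "user:" */
- if (cur->after_colon[0] != '*'
- && strncmp(cur->after_colon, user_and_passwd, colon_after_user - user_and_passwd + 1) != 0
- ) {
- continue;
- }
- /* this cfg entry is '*' or matches username from peer */
  *colon_after_user = '\0';
  userinfo.name = user_and_passwd;
  userinfo.pw = colon_after_user + 1;
@@ -1828,31 +1831,32 @@ static int check_user_passwd(const char *path, char *user_and_passwd)
  passwd = result->sp_pwdp;
  }
 # endif
+ /* In this case, passwd is ALWAYS encrypted:
+ * it came from /etc/passwd or /etc/shadow!
+ */
+ goto check_encrypted;
 # endif /* ENABLE_PAM */
  }
-
- /* compare "user:" */
- if (cur->after_colon[0] != '*'
- && strncmp(cur->after_colon, user_and_passwd, colon_after_user - user_and_passwd + 1) != 0
- ) {
- continue;
- }
- /* this cfg entry is '*' or matches username from peer */
-
- /* encrypt pwd from peer and check match with local one */
- {
- char *encrypted = pw_encrypt(
- /* pwd: */ colon_after_user + 1,
+ /* Else: passwd is from httpd.conf, it is either plaintext or encrypted */
+
+ if (passwd[0] == '$' && isdigit(passwd[1])) {
+ char *encrypted;
+ check_encrypted:
+ /* encrypt pwd from peer and check match with local one */
+ encrypted = pw_encrypt(
+ /* pwd (from peer): */ colon_after_user + 1,
  /* salt: */ passwd,
  /* cleanup: */ 0
  );
  r = strcmp(encrypted, passwd);
  free(encrypted);
- goto end_check_passwd;
+ } else {
+ /* local passwd is from httpd.conf and it's plaintext */
+ r = strcmp(colon_after_user + 1, passwd);
  }
- bad_input: ;
+ goto end_check_passwd;
  }
-
+ bad_input:
  /* Comparing plaintext "user:pass" in one go */
  r = strcmp(cur->after_colon, user_and_passwd);
  end_check_passwd: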
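Review bot: The new `passwd[0] == '$' && isdigit(passwd[1])` test in check_user_passwd treats every httpd.conf password that does not start with `$<digit>` as plaintext, so a traditional crypt(3) DES string (which has no `$` prefix) stored in httpd.conf would be compared literally by `strcmp(colon_after_user + 1, passwd)` and the stored hash itself would be accepted as the password. The removed lines passed every entry that reached them through pw_encrypt(), so this looks like a behaviour change for existing configs, although the conditions that guard this code are outside the hunk. I would state the rule next to the test, e.g. `/* only "$<digit>..." is treated as a hash; anything else in httpd.conf, including legacy DES crypt strings, is compared as plaintext */`, and repeat it in the FEATURE_HTTPD_AUTH_MD5 help text. Separately, both branches compare secrets with `strcmp`, which stops at the first differing byte; for the plaintext branch a constant-time comparison would avoid leaking how much of the password matched. The function starts and ends outside the hunk.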