#1276 encrypt the password to access web client interface using SHA-2

libtransmission/crypto.c

@@ -19,6 +19,7 @@
 #include <stdarg.h>
 
 #include <openssl/bn.h>
+#include <openssl/des.h>
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/rc4.h>
@@ -349,3 +350,26 @@ tr_cryptoRandBuf( unsigned char *buf,
         logErrorFromSSL( );
 }
 
+/***
+****
+***/
+
+char*
+tr_crypt( const void * plaintext )
+{
+    static const char * salter = "0123456789"
+                                 "abcdefghijklmnopqrstuvwxyz"
+                                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                                 "./";
+    static const size_t salter_len = 64;
+
+    int i;
+    char salt[12];
+
+    memcpy( salt, "$1$", 3 );
+    for( i=0; i<8; ++i )
+        salt[3+i] = salter[ tr_cryptoRandInt( salter_len ) ];
+    salt[11] = '\0';
+
+    return tr_strdup( DES_crypt( plaintext, salt ) );
+}

libtransmission/crypto.h

@@ -95,4 +95,7 @@ int            tr_cryptoWeakRandInt( int n );
 void           tr_cryptoRandBuf( unsigned char *buf,
                                  size_t         len );
 
+char*          tr_crypt( const void * plaintext );
+
+
 #endif

libtransmission/rpc-server.c

@@ -29,6 +29,7 @@
 
 #include "transmission.h"
 #include "bencode.h"
+#include "crypto.h"
 #include "list.h"
 #include "platform.h"
 #include "rpcimpl.h"
@@ -313,7 +314,7 @@ serve_file( struct evhttp_request * req,
 
         if( errno )
         {
-            send_simple_response( req, HTTP_NOTFOUND, NULL );
+            send_simple_response( req, HTTP_NOTFOUND, filename );
         }
         else
         {
@@ -464,6 +465,7 @@ handle_request( struct evhttp_request * req,
             {
                 user = p;
                 *pass++ = '\0';
+                pass = tr_crypt( pass );
             }
         }
 
@@ -506,9 +508,10 @@ handle_request( struct evhttp_request * req,
         }
         else
         {
-            send_simple_response( req, HTTP_NOTFOUND, NULL );
+            send_simple_response( req, HTTP_NOTFOUND, req->uri );
         }
 
+        tr_free( pass );
         tr_free( user );
     }
 }
@@ -668,7 +671,7 @@ tr_rpcSetPassword( tr_rpc_server * server,
                    const char *    password )
 {
     tr_free( server->password );
-    server->password = tr_strdup( password );
+    server->password = tr_crypt( password );
     dbgmsg( "setting our Password to [%s]", server->password );
 }
 

libtransmission/session.c

@@ -297,7 +297,6 @@ tr_sessionGetSettings( tr_session * s, struct tr_benc * d )
     tr_bencDictAddInt( d, TR_PREFS_KEY_RATIO_ENABLED,            s->isRatioLimited );
     tr_bencDictAddInt( d, TR_PREFS_KEY_RPC_AUTH_REQUIRED,        tr_sessionIsRPCPasswordEnabled( s ) );
     tr_bencDictAddInt( d, TR_PREFS_KEY_RPC_ENABLED,              tr_sessionIsRPCEnabled( s ) );
-    tr_bencDictAddStr( d, TR_PREFS_KEY_RPC_PASSWORD,             freeme[n++] = tr_sessionGetRPCPassword( s ) );
     tr_bencDictAddInt( d, TR_PREFS_KEY_RPC_PORT,                 tr_sessionGetRPCPort( s ) );
     tr_bencDictAddStr( d, TR_PREFS_KEY_RPC_USERNAME,             freeme[n++] = tr_sessionGetRPCUsername( s ) );
     tr_bencDictAddStr( d, TR_PREFS_KEY_RPC_WHITELIST,            freeme[n++] = tr_sessionGetRPCWhitelist( s ) );
@@ -1454,14 +1453,6 @@ tr_sessionSetRPCPassword( tr_session * session,
     tr_rpcSetPassword( session->rpcServer, password );
 }
 
-char*
-tr_sessionGetRPCPassword( const tr_session * session )
-{
-    assert( tr_isSession( session ) );
-
-    return tr_rpcGetPassword( session->rpcServer );
-}
-
 void
 tr_sessionSetRPCUsername( tr_session * session,
                           const char * username )

libtransmission/transmission.h

@@ -370,12 +370,6 @@ void  tr_sessionSetRPCPassword( tr_session * session,
 void  tr_sessionSetRPCUsername( tr_session * session,
                                 const char * username );
 
-/** @brief get the password used to restrict RPC requests.
-    @return the password string. tr_free() when done.
-    @see tr_sessionInit()
-    @see tr_sessionSetRPCPassword() */
-char* tr_sessionGetRPCPassword( const tr_session * session );
-
 char* tr_sessionGetRPCUsername( const tr_session * session  );
 
 void  tr_sessionSetRPCPasswordEnabled( tr_session * session,