Relevant BUGIDs:
index 407909a442cf612633bfc30029fdd6e4cda14f9d..1e8944e9d6d67f5335e76586f7bac45548b3185d 100644 (file)
@@ -39,10 +39,7 @@ static int selinux_enabled=-1;
 #include <security/_pam_types.h>
 #include <security/_pam_macros.h>
 
-#include "md5.h"
-
-extern char *crypt(const char *key, const char *salt);
-extern char *bigcrypt(const char *key, const char *salt);
+#include "passverify.h"
 
 /* syslogging function for errors and other information */
 
@@ -57,24 +54,6 @@ static void _log_err(int err, const char *format,...)
        closelog();
 }
 
-static int _unix_shadowed(const struct passwd *pwd)
-{
-       char hashpass[1024];
-       if (pwd != NULL) {
-               if (strcmp(pwd->pw_passwd, "x") == 0) {
-                       return 1;
-               }
-               if (strlen(pwd->pw_name) < sizeof(hashpass) - 2) {
-                       strcpy(hashpass, "##");
-                       strcpy(hashpass + 2, pwd->pw_name);
-                       if (strcmp(pwd->pw_passwd, hashpass) == 0) {
-                               return 1;
-                       }
-               }
-       }
-       return 0;
-}
-
 static void su_sighandler(int sig)
 {
 #ifndef SA_RESETHAND
@@ -144,9 +123,7 @@ static int _unix_verify_password(const char *name, const char *p, int nullok)
        struct passwd *pwd = NULL;
        struct spwd *spwdent = NULL;
        char *salt = NULL;
-       char *pp = NULL;
        int retval = PAM_AUTH_ERR;
-       int salt_len;
 
        /* UNIX passwords area */
        setpwent();
@@ -181,60 +158,19 @@ static int _unix_verify_password(const char *name, const char *p, int nullok)
                }
        }
        if (pwd == NULL || salt == NULL) {
-               _log_err(LOG_ALERT, "check pass; user unknown");
-               p = NULL;
-               return PAM_USER_UNKNOWN;
+               _log_err(LOG_WARNING, "check pass; user unknown");
+               retval = PAM_USER_UNKNOWN;
+       } else {
+               retval = verify_pwd_hash(p, salt, nullok);
        }
 
-       salt_len = strlen(salt);
-       if (salt_len == 0) {
-               return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
-       }
-       if (p == NULL || strlen(p) == 0) {
-               return PAM_AUTHTOK_ERR;
+       if (salt) {
+               _pam_overwrite(salt);
+               _pam_drop(salt);
        }
 
-       /* the moment of truth -- do we agree with the password? */
-       retval = PAM_AUTH_ERR;
-       if (!strncmp(salt, "$1$", 3)) {
-               pp = Goodcrypt_md5(p, salt);
-               if (strcmp(pp, salt) == 0) {
-                       retval = PAM_SUCCESS;
-               } else {
-                       pp = Brokencrypt_md5(p, salt);
-                       if (strcmp(pp, salt) == 0)
-                               retval = PAM_SUCCESS;
-               }
-       } else if ((*salt == '*') || (salt_len < 13)) {
-           retval = PAM_AUTH_ERR;
-       } else {
-               pp = bigcrypt(p, salt);
-               /*
-                * Note, we are comparing the bigcrypt of the password with
-                * the contents of the password field. If the latter was
-                * encrypted with regular crypt (and not bigcrypt) it will
-                * have been truncated for storage relative to the output
-                * of bigcrypt here. As such we need to compare only the
-                * stored string with the subset of bigcrypt's result.
-                * Bug 521314: the strncmp comparison is for legacy support.
-                */
-               if (strncmp(pp, salt, salt_len) == 0) {
-                       retval = PAM_SUCCESS;
-               }
-       }
        p = NULL;               /* no longer needed here */
 
-       /* clean up */
-       {
-               char *tp = pp;
-               if (pp != NULL) {
-                       while (tp && *tp)
-                               *tp++ = '\0';
-                       free(pp);
-               }
-               pp = tp = NULL;
-       }
-
        return retval;
 }
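Review bot: The user-unknown branch (`retval = PAM_USER_UNKNOWN;`) returns without doing any hash work, while the known-user branch always pays for `verify_pwd_hash()`, so the helper's response time still lets a caller tell a nonexistent account from a wrong password; since this helper is presumably the setuid checker invoked with a caller-supplied name, that is a user-enumeration channel the refactor keeps. The cheap mitigation is to run `verify_pwd_hash()` against a constant dummy hash in that branch and discard its result, keeping `retval` as `PAM_USER_UNKNOWN`, so both paths do comparable work. Separately, `_pam_overwrite(salt)` presumably scrubs with plain byte stores, which the compiler may elide immediately before `_pam_drop(salt)` frees the buffer — the same limitation the removed clean-up loop had, so a comment such as `/* best-effort wipe; not guaranteed to survive optimization */` would set expectations until an explicit_bzero-style helper is available. The old explicit cases (PAM_AUTHTOK_ERR for a NULL/empty password, nullok handling for an empty hash) now live in `verify_pwd_hash()`, which is not visible here — worth confirming it returns the same codes so callers keying on them are unaffected. `_unix_verify_password` begins before this hunk.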