From: Andrew G. Morgan <morgan@kernel.org>
Date: Mon, 23 Sep 2002 17:33:22 +0000 (+0000)
Subject: Relevant BUGIDs: 521314
X-Git-Tag: Linux-PAM-0-77~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a8490a0122f3be5e5613a8cd3a57e873c31cc682;p=linux-pam

Relevant BUGIDs: 521314

Purpose of commit: bugfix

Commit summary:
---------------
This code is needed to complete this bugfix.
---

diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 98536d21..68f59a92 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -609,47 +609,48 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
 			retval = PAM_AUTHINFO_UNAVAIL;
 		}
 	} else {
-		if (!strlen(salt)) {
-			/* the stored password is NULL */
-			if (off(UNIX__NONULL, ctrl)) {	/* this means we've succeeded */
-				D(("user has empty password - access granted"));
-				retval = PAM_SUCCESS;
-			} else {
-				D(("user has empty password - access denied"));
-				retval = PAM_AUTH_ERR;
-			}
-		} else if (!p) {
-				retval = PAM_AUTH_ERR;
+	    int salt_len = strlen(salt);
+	    if (!salt_len) {
+		/* the stored password is NULL */
+		if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
+		    D(("user has empty password - access granted"));
+		    retval = PAM_SUCCESS;
 		} else {
-			if (!strncmp(salt, "$1$", 3)) {
-				pp = Goodcrypt_md5(p, salt);
-				if (strcmp(pp, salt) != 0) {
-					_pam_delete(pp);
-					pp = Brokencrypt_md5(p, salt);
-				}
-			} else {
-				pp = bigcrypt(p, salt);
-			}
-			p = NULL;		/* no longer needed here */
+		    D(("user has empty password - access denied"));
+		    retval = PAM_AUTH_ERR;
+		}
+	    } else if (!p || (*salt == '*') || (salt_len < 13)) {
+		retval = PAM_AUTH_ERR;
+	    } else {
+		if (!strncmp(salt, "$1$", 3)) {
+		    pp = Goodcrypt_md5(p, salt);
+		    if (strcmp(pp, salt) != 0) {
+			_pam_delete(pp);
+			pp = Brokencrypt_md5(p, salt);
+		    }
+		} else {
+		    pp = bigcrypt(p, salt);
+		}
+		p = NULL;		/* no longer needed here */
 
-			/* the moment of truth -- do we agree with the password? */
-			D(("comparing state of pp[%s] and salt[%s]", pp, salt));
+		/* the moment of truth -- do we agree with the password? */
+		D(("comparing state of pp[%s] and salt[%s]", pp, salt));
 
-			/*
-			 * Note, we are comparing the bigcrypt of the password with
-			 * the contents of the password field. If the latter was
-			 * encrypted with regular crypt (and not bigcrypt) it will
-			 * have been truncated for storage relative to the output
-			 * of bigcrypt here. As such we need to compare only the
-			 * stored string with the subset of bigcrypt's result.
-			 * Bug 521314: The strncmp comparison is for legacy support.
-			 */
-			if (strncmp(pp, salt, strlen(salt)) == 0) {
-				retval = PAM_SUCCESS;
-			} else {
-				retval = PAM_AUTH_ERR;
-			}
+		/*
+		 * Note, we are comparing the bigcrypt of the password with
+		 * the contents of the password field. If the latter was
+		 * encrypted with regular crypt (and not bigcrypt) it will
+		 * have been truncated for storage relative to the output
+		 * of bigcrypt here. As such we need to compare only the
+		 * stored string with the subset of bigcrypt's result.
+		 * Bug 521314: The strncmp comparison is for legacy support.
+		 */
+		if (strncmp(pp, salt, salt_len) == 0) {
+		    retval = PAM_SUCCESS;
+		} else {
+		    retval = PAM_AUTH_ERR;
 		}
+	    }
 	}
 
 	if (retval == PAM_SUCCESS) {
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 9ba11041..dd07960c 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -94,6 +94,7 @@ static int _unix_verify_password(const char *name, const char *p, int opt)
 	char *salt = NULL;
 	char *pp = NULL;
 	int retval = UNIX_FAILED;
+	int salt_len;
 
 	/* UNIX passwords area */
 	setpwent();
@@ -133,8 +134,10 @@ static int _unix_verify_password(const char *name, const char *p, int opt)
 		return retval;
 	}
 
-	if (strlen(salt) == 0)
+	salt_len = strlen(salt);
+	if (salt_len == 0) {
 		return (opt == 0) ? UNIX_FAILED : UNIX_PASSED;
+	}
 
 	/* the moment of truth -- do we agree with the password? */
 	retval = UNIX_FAILED;
@@ -147,6 +150,8 @@ static int _unix_verify_password(const char *name, const char *p, int opt)
 			if (strcmp(pp, salt) == 0)
 				retval = UNIX_PASSED;
 		}
+	} else if ((*salt == '*') || (salt_len < 13)) {
+	    retval = UNIX_FAILED;
 	} else {
 		pp = bigcrypt(p, salt);
 		/*
@@ -158,7 +163,7 @@ static int _unix_verify_password(const char *name, const char *p, int opt)
 		 * stored string with the subset of bigcrypt's result.
 		 * Bug 521314: the strncmp comparison is for legacy support.
 		 */
-		if (strncmp(pp, salt, strlen(salt)) == 0) {
+		if (strncmp(pp, salt, salt_len) == 0) {
 			retval = UNIX_PASSED;
 		}
 	}