author | Steve Langasek <steve.langasek@canonical.com> | 2022-08-16 22:06:15 -0700 |
---|---|---|
committer | Steve Langasek <steve.langasek@canonical.com> | 2022-08-16 22:11:24 -0700 |
commit | 7561896529a7af05201dc31e959a05897ef99e19 (patch) | |
tree | 14514b088f45d4fecd3b7a6ede5e0a99f6c10f6a /modules/pam_userdb/pam_userdb.c | |
parent | d071f8c9829cbd60e2a98ab5e6b1ddfdffb9b549 (diff) | |
parent | 99d0d1c5c4f07332daa86e73981267a761bc966e (diff) | |
Merge new upstream version 1.5.2.
Diffstat (limited to 'modules/pam_userdb/pam_userdb.c')
-rw-r--r-- | modules/pam_userdb/pam_userdb.c | 62 |
1 files changed, 36 insertions, 26 deletions
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index a46cd276..f467ea4c 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -17,9 +17,7 @@ #include <sys/stat.h> #include <fcntl.h> #include <errno.h> -#ifdef HAVE_LIBXCRYPT -#include <xcrypt.h> -#elif defined(HAVE_CRYPT_H) +#ifdef HAVE_CRYPT_H #include <crypt.h> #endif @@ -133,7 +131,7 @@ _pam_parse (pam_handle_t *pamh, int argc, const char **argv, /* - * Looks up an user name in a database and checks the password + * Looks up a user name in a database and checks the password * * return values: * 1 = User not found @@ -194,7 +192,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, } if (data.dptr != NULL) { - int compare = 0; + int compare = -2; if (ctrl & PAM_KEY_ONLY_ARG) { 
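Review bot: The new initializer `int compare = -2;` in user_lookup is what the error branches in the later hunk now depend on, but nothing at the declaration says what -2 stands for. Because the too-short-hash, case-insensitive and allocation-failure branches no longer assign `compare` themselves, a one-line comment would stop a later edit from resetting it to 0, which memcmp also returns for a match: `int compare = -2; /* fail closed: stays -2 unless a comparison below actually runs */`. How -2 is turned into the function's return value lies outside this hunk, so the wording should be checked against the rest of user_lookup.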
@@ -209,36 +207,48 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, char *cryptpw = NULL; if (data.dsize < 13) { - compare = -2; + /* hash is too short */ + pam_syslog(pamh, LOG_INFO, "password hash in database is too short"); } else if (ctrl & PAM_ICASE_ARG) { - compare = -2; + pam_syslog(pamh, LOG_INFO, + "case-insensitive comparison only works with plaintext passwords"); } else { + /* libdb is not guaranteed to produce null terminated strings */ + char *pwhash = strndup(data.dptr, data.dsize); + + if (pwhash == NULL) { + pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr"); + } else { #ifdef HAVE_CRYPT_R - struct crypt_data *cdata = NULL; - cdata = malloc(sizeof(*cdata)); - if (cdata != NULL) { - cdata->initialized = 0; - cryptpw = crypt_r(pass, data.dptr, cdata); - } + struct crypt_data *cdata = NULL; + cdata = malloc(sizeof(*cdata)); + if (cdata == NULL) { + pam_syslog(pamh, LOG_CRIT, "malloc failed: struct crypt_data"); + } else { + cdata->initialized = 0; + cryptpw = crypt_r(pass, pwhash, cdata); + } #else - cryptpw = crypt (pass, data.dptr); + cryptpw = crypt (pass, pwhash); #endif - if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { - compare = memcmp(data.dptr, cryptpw, data.dsize); - } else { - compare = -2; - if (ctrl & PAM_DEBUG_ARG) { - if (cryptpw) - pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); - else - pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); + if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { + compare = memcmp(data.dptr, cryptpw, data.dsize); + } else { + if (ctrl & PAM_DEBUG_ARG) { + if (cryptpw) { + pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); + pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw); + } else { + pam_syslog(pamh, LOG_ERR, "crypt() returned NULL"); + } + } } - } #ifdef HAVE_CRYPT_R - free(cdata); + free(cdata); #endif + } + free(pwhash); } - } else { /* Unknown password encryption method - |
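Review bot: The added `pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw);` in the length-mismatch branch writes the crypt() output for the password the user just supplied into syslog whenever the debug option is set. That value is computed against the stored setting string, so anyone who can read the log gets material for offline guessing against a password that may be the real one or a near miss. Logging the lengths is enough to diagnose the mismatch: `pam_syslog(pamh, LOG_INFO, "computed hash length %zu, stored hash length %zu", strlen(cryptpw), (size_t)data.dsize);`. If the aim is to spot a crypt() failure token, log only whether the result begins with `*`. The enclosing user_lookup body starts and ends outside this hunk.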