diff options
| author | Thorsten Kukuk <kukuk@thkukuk.de> | 2007-01-23 10:19:32 +0000 |
|---|---|---|
| committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2007-01-23 10:19:32 +0000 |
| commit | 7cbfa335c57d068d59508c844f3957165cccfb9b (patch) | |
| tree | 0044bf9724c0d4214ec385c258bfb8ee2e492a0c /modules | |
| parent | 6cd17d661ccddf250640032a8eaa5c79633c2600 (diff) | |
| download | pam-7cbfa335c57d068d59508c844f3957165cccfb9b.tar.gz pam-7cbfa335c57d068d59508c844f3957165cccfb9b.tar.bz2 pam-7cbfa335c57d068d59508c844f3957165cccfb9b.zip | |
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2007-01-23 Thorsten Kukuk <kukuk@suse.de>
* release 0.99.7.1
* configure.in: Set version number to 0.99.7.1
2007-01-23 Thorsten Kukuk <kukuk@thukuk.de>
Tomas Mraz <t2m@centrum.cz>
* modules/pam_unix/support.c (_unix_verify_password): Always
compare full encrypted passwords.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/pam_unix/support.c | 23 |
1 files changed, 7 insertions, 16 deletions
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 86b3a731..954f2c73 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -693,38 +693,29 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name retval = PAM_AUTH_ERR; } else { if (!strncmp(salt, "$1$", 3)) { - salt_len = 0; pp = Goodcrypt_md5(p, salt); if (strcmp(pp, salt) != 0) { _pam_delete(pp); pp = Brokencrypt_md5(p, salt); } - } else if (*salt == '$') { + } else if (*salt != '$' && salt_len >= 13) { + pp = bigcrypt(p, salt); + if (strlen(pp) > salt_len) { + pp[salt_len] = '\0'; + } + } else { /* * Ok, we don't know the crypt algorithm, but maybe * libcrypt nows about it? We should try it. */ - salt_len = 0; pp = x_strdup (crypt(p, salt)); - } else { - pp = bigcrypt(p, salt); } p = NULL; /* no longer needed here */ /* the moment of truth -- do we agree with the password? */ D(("comparing state of pp[%s] and salt[%s]", pp, salt)); - /* - * Note, we are comparing the bigcrypt of the password with - * the contents of the password field. If the latter was - * encrypted with regular crypt (and not bigcrypt) it will - * have been truncated for storage relative to the output - * of bigcrypt here. As such we need to compare only the - * stored string with the subset of bigcrypt's result. - * Bug 521314: The strncmp comparison is for legacy support. - */ - if ((!salt_len && strcmp(pp, salt) == 0) || - (salt_len && strncmp(pp, salt, salt_len) == 0)) { + if (strcmp(pp, salt) == 0) { retval = PAM_SUCCESS; } else { retval = PAM_AUTH_ERR; |