use crypt_checkpass instead of doing things the hard way with crypt.
authortedu <tedu@openbsd.org>
Thu, 22 Oct 2015 12:32:33 +0000 (12:32 +0000)
committertedu <tedu@openbsd.org>
Thu, 22 Oct 2015 12:32:33 +0000 (12:32 +0000)
libexec/login_chpass/Makefile
libexec/login_chpass/login_chpass.c
libexec/login_lchpass/Makefile
libexec/login_lchpass/login_lchpass.c

index 3ffb8fe..c4dfdfa 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.7 2014/04/22 10:21:56 reyk Exp $
+#      $OpenBSD: Makefile,v 1.8 2015/10/22 12:32:33 tedu Exp $
 
 
 PROG=  login_chpass
@@ -13,7 +13,7 @@ CFLAGS+=-Wall
 
 .if (${YP:L} == "yes")
 CFLAGS+=-DYP
-SRCS+= yp_passwd.c pwd_check.c pwd_gensalt.c
+SRCS+= yp_passwd.c pwd_check.c
 DPADD+= ${LIBRPCSVC} ${LIBUTIL}
 LDADD+= -lrpcsvc -lutil
 .endif
index 3abd721..82ed74d 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: login_chpass.c,v 1.17 2015/10/05 17:31:17 millert Exp $       */
+/*     $OpenBSD: login_chpass.c,v 1.18 2015/10/22 12:32:33 tedu Exp $  */
 
 /*-
  * Copyright (c) 1995,1996 Berkeley Software Design, Inc. All rights reserved.
@@ -199,15 +199,10 @@ yp_chpass(char *username)
                }
        }
        if (pw == NULL) {
-               char *p, salt[_PASSWORD_LEN + 1];
-               login_cap_t *lc;
-
-               /* no such user, get appropriate salt to thwart timing attack */
+               char *p;
+               /* no such user, but fake to thwart timing attack */
                if ((p = getpass("Old password:")) != NULL) {
-                       if ((lc = login_getclass(NULL)) == NULL ||
-                           pwd_gensalt(salt, sizeof(salt), lc, 'y') == 0)
-                               strlcpy(salt, "xx", sizeof(salt));
-                       crypt(p, salt);
+                       crypt_checkpass(p, NULL);
                        explicit_bzero(p, strlen(p));
                }
                warnx("YP passwd database unchanged.");
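Review bot: The dummy `crypt_checkpass(p, NULL);` call in the `pw == NULL` branch discards its result on purpose, but nothing on the line says so; writing it as `(void)crypt_checkpass(p, NULL);` makes the intent explicit and keeps a later reader from acting on the return value. The shortened comment could also state what the call relies on, e.g. `/* no such user: a NULL hash always fails but still does hashing work, to thwart timing attacks */`. Whether that dummy work costs the same as checking a real account's hash is not visible here and is worth confirming if the configured rounds differ from the library default. A blank line between `char *p;` and the comment would match the layout of the declarations this hunk removes. yp_chpass begins and ends outside this hunk.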
index 9151f0c..2004a18 100644 (file)
@@ -1,9 +1,9 @@
-#      $OpenBSD: Makefile,v 1.3 2001/06/19 16:38:21 millert Exp $
+#      $OpenBSD: Makefile,v 1.4 2015/10/22 12:32:33 tedu Exp $
 
 #      BSDI    $From: Makefile,v 1.2 1997/08/08 18:58:22 prb Exp $
 
 PROG=  login_lchpass
-SRCS=  login_lchpass.c local_passwd.c pwd_check.c pwd_gensalt.c
+SRCS=  login_lchpass.c local_passwd.c pwd_check.c
 MAN=   login_lchpass.8
 .PATH: ${.CURDIR}/../../usr.bin/passwd
 
index 0882f70..d4cb4c4 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: login_lchpass.c,v 1.15 2015/10/05 17:31:17 millert Exp $      */
+/*     $OpenBSD: login_lchpass.c,v 1.16 2015/10/22 12:32:33 tedu Exp $ */
 
 /*-
  * Copyright (c) 1995,1996 Berkeley Software Design, Inc. All rights reserved.
@@ -63,7 +63,7 @@ main(int argc, char *argv[])
        login_cap_t *lc;
        struct iovec iov[2];
        struct passwd *pwd;
-       char *username = NULL, *salt, *p, saltbuf[_PASSWORD_LEN + 1];
+       char *username = NULL, *hash = NULL, *p;
        struct rlimit rl;
        int c;
 
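Review bot: `login_cap_t *lc;` stays in main's declarations, while the only use of `lc` visible in this commit (the `login_getclass(NULL)` call removed in the hunk at -119) goes away. If nothing else in main touches it, the declaration is now dead and should be dropped along with `saltbuf`, as this commit already does for `lc` in yp_chpass. main continues outside this hunk, so this needs checking against the full function.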
@@ -119,15 +119,7 @@ main(int argc, char *argv[])
        }
 
        if (pwd)
-               salt = pwd->pw_passwd;
-       else {
-               /* no such user, get appropriate salt */
-               if ((lc = login_getclass(NULL)) == NULL ||
-                   pwd_gensalt(saltbuf, sizeof(saltbuf), lc, 'l') == 0)
-                       salt = "xx";
-               else
-                       salt = saltbuf;
-       }
+               hash = pwd->pw_passwd;
 
        (void)setpriority(PRIO_PROCESS, 0, -4);
 
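Review bot: After this hunk, rejecting an unknown user depends on `hash` still being NULL from its initializer when it reaches `crypt_checkpass()`, and the removed comment that explained the no-such-user path has no replacement. A short comment above `if (pwd)` would keep that invariant visible, e.g. `/* hash stays NULL for an unknown user; crypt_checkpass() then fails after doing dummy work */`. The initializer and the check both sit outside this hunk.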
@@ -135,10 +127,11 @@ main(int argc, char *argv[])
        if ((p = getpass("Old Password:")) == NULL)
                exit(1);
 
-       salt = crypt(p, salt);
-       explicit_bzero(p, strlen(p));
-       if (!pwd || strcmp(salt, pwd->pw_passwd) != 0)
+       if (crypt_checkpass(p, hash) != 0) {
+               explicit_bzero(p, strlen(p));
                exit(1);
+       }
+       explicit_bzero(p, strlen(p));
 
        /*
         * We rely on local_passwd() to block signals during the
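Review bot: `explicit_bzero(p, strlen(p));` now appears on both the failure and the success path around `crypt_checkpass(p, hash)`, so a later edit that adds another exit between them could skip the wipe. Wiping once before branching avoids that: `ok = crypt_checkpass(p, hash) == 0;`, then `explicit_bzero(p, strlen(p));`, then `if (!ok) exit(1);`, with `int ok;` added to main's declarations. main starts before this hunk and continues after it.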