From: tedu Date: Thu, 22 Oct 2015 12:32:33 +0000 (+0000) Subject: use crypt_checkpass instead of doing things the hard way with crypt. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d51e3c9b27b7c2f9f75f3333bc5fbea0056db7ad;p=openbsd use crypt_checkpass instead of doing things the hard way with crypt.
---
diff --git a/libexec/login_chpass/Makefile b/libexec/login_chpass/Makefile
index 3ffb8fe0699..c4dfdfa11a3 100644
--- a/libexec/login_chpass/Makefile
+++ b/libexec/login_chpass/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2014/04/22 10:21:56 reyk Exp $
+# $OpenBSD: Makefile,v 1.8 2015/10/22 12:32:33 tedu Exp $
 PROG= login_chpass
@@ -13,7 +13,7 @@ CFLAGS+=-Wall
 .if (${YP:L} == "yes")
 CFLAGS+=-DYP
-SRCS+= yp_passwd.c pwd_check.c pwd_gensalt.c
+SRCS+= yp_passwd.c pwd_check.c
 DPADD+= ${LIBRPCSVC} ${LIBUTIL}
 LDADD+= -lrpcsvc -lutil
 .endif
diff --git a/libexec/login_chpass/login_chpass.c b/libexec/login_chpass/login_chpass.c
index 3abd7210182..82ed74dc01c 100644
--- a/libexec/login_chpass/login_chpass.c
+++ b/libexec/login_chpass/login_chpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: login_chpass.c,v 1.17 2015/10/05 17:31:17 millert Exp $ */
+/* $OpenBSD: login_chpass.c,v 1.18 2015/10/22 12:32:33 tedu Exp $ */
 /*-
 * Copyright (c) 1995,1996 Berkeley Software Design, Inc. All rights reserved.
@@ -199,15 +199,10 @@ yp_chpass(char *username)
 }
 }
 if (pw == NULL) {
- char *p, salt[_PASSWORD_LEN + 1];
- login_cap_t *lc;
-
- /* no such user, get appropriate salt to thwart timing attack */
+ char *p;
+ /* no such user, but fake to thwart timing attack */
 if ((p = getpass("Old password:")) != NULL) {
- if ((lc = login_getclass(NULL)) == NULL ||
- pwd_gensalt(salt, sizeof(salt), lc, 'y') == 0)
- strlcpy(salt, "xx", sizeof(salt));
- crypt(p, salt);
+ crypt_checkpass(p, NULL);
 explicit_bzero(p, strlen(p));
 }
 warnx("YP passwd database unchanged.");
diff --git a/libexec/login_lchpass/Makefile b/libexec/login_lchpass/Makefile
index 9151f0ca2e1..2004a183543 100644
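Review bot: In the unknown-user branch of yp_chpass (hunk at -199 of login_chpass.c), `crypt_checkpass(p, NULL);` discards its result, which is intended here but reads like a forgotten check. Write it as `(void)crypt_checkpass(p, NULL);` and expand the comment to something like `/* no such user: hash anyway so the response time does not reveal that the account is missing */`. The removed code chose the dummy salt from login.conf through `pwd_gensalt(salt, sizeof(salt), lc, 'y')`, while the dummy work is now whatever cost crypt_checkpass applies internally, so the delay presumably matches real accounts only when their hashes use a comparable cost. yp_chpass starts and ends outside the hunk.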
--- a/libexec/login_lchpass/Makefile
+++ b/libexec/login_lchpass/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.3 2001/06/19 16:38:21 millert Exp $
+# $OpenBSD: Makefile,v 1.4 2015/10/22 12:32:33 tedu Exp $
 # BSDI $From: Makefile,v 1.2 1997/08/08 18:58:22 prb Exp $
 PROG= login_lchpass
-SRCS= login_lchpass.c local_passwd.c pwd_check.c pwd_gensalt.c
+SRCS= login_lchpass.c local_passwd.c pwd_check.c
 MAN= login_lchpass.8
 .PATH: ${.CURDIR}/../../usr.bin/passwd
diff --git a/libexec/login_lchpass/login_lchpass.c b/libexec/login_lchpass/login_lchpass.c
index 0882f7038d7..d4cb4c4f70b 100644
--- a/libexec/login_lchpass/login_lchpass.c
+++ b/libexec/login_lchpass/login_lchpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: login_lchpass.c,v 1.15 2015/10/05 17:31:17 millert Exp $ */
+/* $OpenBSD: login_lchpass.c,v 1.16 2015/10/22 12:32:33 tedu Exp $ */
 /*-
 * Copyright (c) 1995,1996 Berkeley Software Design, Inc. All rights reserved.
@@ -63,7 +63,7 @@ main(int argc, char *argv[])
 login_cap_t *lc;
 struct iovec iov[2];
 struct passwd *pwd;
- char *username = NULL, *salt, *p, saltbuf[_PASSWORD_LEN + 1];
+ char *username = NULL, *hash = NULL, *p;
 struct rlimit rl;
 int c;
@@ -119,15 +119,7 @@ main(int argc, char *argv[])
 }
 if (pwd)
- salt = pwd->pw_passwd;
- else {
- /* no such user, get appropriate salt */
- if ((lc = login_getclass(NULL)) == NULL ||
- pwd_gensalt(saltbuf, sizeof(saltbuf), lc, 'l') == 0)
- salt = "xx";
- else
- salt = saltbuf;
- }
+ hash = pwd->pw_passwd;
 (void)setpriority(PRIO_PROCESS, 0, -4);
@@ -135,10 +127,11 @@ main(int argc, char *argv[])
 if ((p = getpass("Old Password:")) == NULL)
 exit(1);
- salt = crypt(p, salt);
- explicit_bzero(p, strlen(p));
- if (!pwd || strcmp(salt, pwd->pw_passwd) != 0)
+ if (crypt_checkpass(p, hash) != 0) {
+ explicit_bzero(p, strlen(p));
 exit(1);
+ }
+ explicit_bzero(p, strlen(p));
 /*
 * We rely on local_passwd() to block signals during the
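Review bot: `login_cap_t *lc;` stays in main's declarations (hunk at -63 of login_lchpass.c) although the only use visible in this patch, the `login_getclass(NULL)` call removed in the hunk at -119, is gone. If nothing else in main assigns or reads it, delete the declaration so the file does not pick up an unused-variable warning. main's body starts and continues outside the hunk.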
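Review bot: Rejection of unknown users in the hunk at -135 now rests entirely on `crypt_checkpass(p, hash)` failing when `hash` is still NULL, because the explicit `!pwd` test went away with the old strcmp. That matches the documented behaviour of crypt_checkpass(3), but it deserves a comment at the check, for example `/* hash is NULL for unknown users; crypt_checkpass() then does dummy work and fails */`. The same manual page states that an empty hash together with an empty password counts as success, so an account whose pw_passwd is empty would pass this gate with an empty old password; confirm that is the intended policy before local_passwd() runs. main continues outside the hunk.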