1 /*
2 * Copyright (c) 2003 Ben Lindstrom. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25 #include "includes.h"
26
27 #include <sys/types.h>
28 #include <string.h>
29 #include <unistd.h>
30 #include <pwd.h>
31
32 # if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE)
33 # include <crypt.h>
34 # endif
35
36 # ifdef __hpux
37 # include <hpsecurity.h>
38 # include <prot.h>
39 # endif
40
41 # ifdef HAVE_SECUREWARE
42 # include <sys/security.h>
43 # include <sys/audit.h>
44 # include <prot.h>
45 # endif
46
47 # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
48 # include <shadow.h>
49 # endif
50
51 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
52 # include <sys/label.h>
53 # include <sys/audit.h>
54 # include <pwdadj.h>
55 # endif
56
57 # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
58 # include <openssl/des.h>
59 # define crypt DES_crypt
60 # endif
61
62 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
63
64 /*
65 * Pick an appropriate password encryption type and salt for the running
66 * system by searching through accounts until we find one that has a valid
67 * salt. Usually this will be root unless the root account is locked out.
68 * If we don't find one we return a traditional DES-based salt.
69 */
70 static const char *
pick_salt(void)71 pick_salt(void)
72 {
73 struct passwd *pw;
74 char *passwd, *p;
75 size_t typelen;
76 static char salt[32];
77
78 if (salt[0] != '\0')
79 return salt;
80 strlcpy(salt, "xx", sizeof(salt));
81 setpwent();
82 while ((pw = getpwent()) != NULL) {
83 if ((passwd = shadow_pw(pw)) == NULL)
84 continue;
85 if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
86 typelen = p - passwd + 1;
87 strlcpy(salt, passwd, MINIMUM(typelen, sizeof(salt)));
88 explicit_bzero(passwd, strlen(passwd));
89 goto out;
90 }
91 }
92 out:
93 endpwent();
94 return salt;
95 }
96
97 char *
xcrypt(const char * password,const char * salt)98 xcrypt(const char *password, const char *salt)
99 {
100 char *crypted;
101
102 /*
103 * If we don't have a salt we are encrypting a fake password for
104 * for timing purposes. Pick an appropriate salt.
105 */
106 if (salt == NULL)
107 salt = pick_salt();
108
109 #if defined(__hpux) && !defined(HAVE_SECUREWARE)
110 if (iscomsec())
111 crypted = bigcrypt(password, salt);
112 else
113 crypted = crypt(password, salt);
114 # elif defined(HAVE_SECUREWARE)
115 crypted = bigcrypt(password, salt);
116 # else
117 crypted = crypt(password, salt);
118 #endif
119
120 return crypted;
121 }
122
123 /*
124 * Handle shadowed password systems in a cleaner way for portable
125 * version.
126 */
127
128 char *
shadow_pw(struct passwd * pw)129 shadow_pw(struct passwd *pw)
130 {
131 char *pw_password = pw->pw_passwd;
132
133 # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
134 struct spwd *spw = getspnam(pw->pw_name);
135
136 if (spw != NULL)
137 pw_password = spw->sp_pwdp;
138 # endif
139
140 #ifdef USE_LIBIAF
141 return(get_iaf_password(pw));
142 #endif
143
144 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
145 struct passwd_adjunct *spw;
146 if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
147 pw_password = spw->pwa_passwd;
148 # elif defined(HAVE_SECUREWARE)
149 struct pr_passwd *spw = getprpwnam(pw->pw_name);
150
151 if (spw != NULL)
152 pw_password = spw->ufld.fd_encrypt;
153 # endif
154
155 return pw_password;
156 }
157