1 /* 2 * Copyright (c) 2003 Ben Lindstrom. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25 #include "includes.h" 26 27 #include <sys/types.h> 28 #include <string.h> 29 #include <unistd.h> 30 #include <pwd.h> 31 32 # if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE) 33 # include <crypt.h> 34 # endif 35 36 # ifdef __hpux 37 # include <hpsecurity.h> 38 # include <prot.h> 39 # endif 40 41 # ifdef HAVE_SECUREWARE 42 # include <sys/security.h> 43 # include <sys/audit.h> 44 # include <prot.h> 45 # endif 46 47 # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) 48 # include <shadow.h> 49 # endif 50 51 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) 52 # include <sys/label.h> 53 # include <sys/audit.h> 54 # include <pwdadj.h> 55 # endif 56 57 # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) 58 # include <openssl/des.h> 59 # define crypt DES_crypt 60 # endif 61 62 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 63 64 /* 65 * Pick an appropriate password encryption type and salt for the running 66 * system by searching through accounts until we find one that has a valid 67 * salt. Usually this will be root unless the root account is locked out. 68 * If we don't find one we return a traditional DES-based salt. 69 */ 70 static const char * 71 pick_salt(void) 72 { 73 struct passwd *pw; 74 char *passwd, *p; 75 size_t typelen; 76 static char salt[32]; 77 78 if (salt[0] != '\0') 79 return salt; 80 strlcpy(salt, "xx", sizeof(salt)); 81 setpwent(); 82 while ((pw = getpwent()) != NULL) { 83 if ((passwd = shadow_pw(pw)) == NULL) 84 continue; 85 if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) { 86 typelen = p - passwd + 1; 87 strlcpy(salt, passwd, MINIMUM(typelen, sizeof(salt))); 88 explicit_bzero(passwd, strlen(passwd)); 89 goto out; 90 } 91 } 92 out: 93 endpwent(); 94 return salt; 95 } 96 97 char * 98 xcrypt(const char *password, const char *salt) 99 { 100 char *crypted; 101 102 /* 103 * If we don't have a salt we are encrypting a fake password for 104 * for timing purposes. Pick an appropriate salt. 105 */ 106 if (salt == NULL) 107 salt = pick_salt(); 108 109 #if defined(__hpux) && !defined(HAVE_SECUREWARE) 110 if (iscomsec()) 111 crypted = bigcrypt(password, salt); 112 else 113 crypted = crypt(password, salt); 114 # elif defined(HAVE_SECUREWARE) 115 crypted = bigcrypt(password, salt); 116 # else 117 crypted = crypt(password, salt); 118 #endif 119 120 return crypted; 121 } 122 123 /* 124 * Handle shadowed password systems in a cleaner way for portable 125 * version. 126 */ 127 128 char * 129 shadow_pw(struct passwd *pw) 130 { 131 char *pw_password = pw->pw_passwd; 132 133 # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) 134 struct spwd *spw = getspnam(pw->pw_name); 135 136 if (spw != NULL) 137 pw_password = spw->sp_pwdp; 138 # endif 139 140 #ifdef USE_LIBIAF 141 return(get_iaf_password(pw)); 142 #endif 143 144 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) 145 struct passwd_adjunct *spw; 146 if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) 147 pw_password = spw->pwa_passwd; 148 # elif defined(HAVE_SECUREWARE) 149 struct pr_passwd *spw = getprpwnam(pw->pw_name); 150 151 if (spw != NULL) 152 pw_password = spw->ufld.fd_encrypt; 153 # endif 154 155 return pw_password; 156 } 157