diff options
Diffstat (limited to 'source/a/shadow/shadow.glibc217-crypt.diff')
-rw-r--r-- | source/a/shadow/shadow.glibc217-crypt.diff | 258 |
1 files changed, 0 insertions, 258 deletions
diff --git a/source/a/shadow/shadow.glibc217-crypt.diff b/source/a/shadow/shadow.glibc217-crypt.diff deleted file mode 100644 index e26ca10b..00000000 --- a/source/a/shadow/shadow.glibc217-crypt.diff +++ /dev/null @@ -1,258 +0,0 @@ -From a616a72160c17fa193ad6ad95eb2c869633f4fe9 Mon Sep 17 00:00:00 2001 -From: mancha <mancha1@hush.com> -Date: Fri, 4 Oct 2013 11:25:43 -Subject: [PATCH] Improve handling of NULL returns from crypt(). - -Signed-off-by: mancha <mancha1@hush.com> ---- - ChangeLog | 15 +++++++++++++++ - lib/encrypt.c | 7 +++---- - lib/pwauth.c | 7 ++++++- - libmisc/valid.c | 1 + - src/chgpasswd.c | 4 ++++ - src/chpasswd.c | 4 ++++ - src/gpasswd.c | 4 ++++ - src/newgrp.c | 3 ++- - src/newusers.c | 26 +++++++++++++++++++++----- - src/passwd.c | 15 +++++++++++++++ - 10 files changed, 75 insertions(+), 11 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index aab00ae..1416a38 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,18 @@ -+2013-05-06 mancha <mancha1@hush.com> -+ -+ * lib/encrypt.c: crypt() in glibc/eglibc 2.17 now fails if passed -+ a salt that violates specs. On Linux, crypt() also fails with -+ DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns -+ we send them back to the caller for appropriate handling. -+ * lib/pwauth.c: Handle NULL return from crypt(). -+ * libmisc/valid.c: Likewise. -+ * src/chgpasswd.c: Likewise. -+ * src/chpasswd.c: Likewise. -+ * src/gpasswd.c: Likewise. -+ * src/newgrp.c: Likewise. -+ * src/newusers.c: Likewise. -+ * src/passwd.c: Likewise. -+ - 2012-05-25 Nicolas François <nicolas.francois@centraliens.net> - - * NEWS: Set release date. -diff --git a/lib/encrypt.c b/lib/encrypt.c -index 7daa8da..49cb691 100644 ---- a/lib/encrypt.c -+++ b/lib/encrypt.c -@@ -49,11 +49,10 @@ - if (!cp) { - /* - * Single Unix Spec: crypt() may return a null pointer, -- * and set errno to indicate an error. The caller doesn't -- * expect us to return NULL, so... -+ * and set errno to indicate an error. In this case return -+ * the NULL so the caller can handle appropriately. - */ -- perror ("crypt"); -- exit (EXIT_FAILURE); -+ return cp; - } - - /* The GNU crypt does not return NULL if the algorithm is not -diff --git a/lib/pwauth.c b/lib/pwauth.c -index 4b26daa..086a72e 100644 ---- a/lib/pwauth.c -+++ b/lib/pwauth.c -@@ -73,6 +73,7 @@ int pw_auth (const char *cipher, - char prompt[1024]; - char *clear = NULL; - const char *cp; -+ const char *encrypted; - int retval; - - #ifdef SKEY -@@ -177,7 +178,11 @@ int pw_auth (const char *cipher, - * the results there as well. - */ - -- retval = strcmp (pw_encrypt (input, cipher), cipher); -+ encrypted = pw_encrypt (input, cipher); -+ if (encrypted!=NULL) -+ retval = strcmp (encrypted, cipher); -+ else -+ retval = -1; - - #ifdef SKEY - /* -diff --git a/libmisc/valid.c b/libmisc/valid.c -index aa0390a..4b85d67 100644 ---- a/libmisc/valid.c -+++ b/libmisc/valid.c -@@ -95,6 +95,7 @@ bool valid (const char *password, const struct passwd *ent) - */ - - if ( (NULL != ent->pw_name) -+ && (NULL != encrypted) - && (strcmp (encrypted, ent->pw_passwd) == 0)) { - return true; - } else { -diff --git a/src/chgpasswd.c b/src/chgpasswd.c -index 0f41d0b..6c42a09 100644 ---- a/src/chgpasswd.c -+++ b/src/chgpasswd.c -@@ -469,6 +469,10 @@ int main (int argc, char **argv) - #endif - cp = pw_encrypt (newpwd, - crypt_make_salt (crypt_method, arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - } - - /* -diff --git a/src/chpasswd.c b/src/chpasswd.c -index 928e2d7..4968b0d 100644 ---- a/src/chpasswd.c -+++ b/src/chpasswd.c -@@ -492,6 +492,10 @@ int main (int argc, char **argv) - #endif - cp = pw_encrypt (newpwd, - crypt_make_salt(crypt_method, arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - } - - /* -diff --git a/src/gpasswd.c b/src/gpasswd.c -index df8d714..0043610 100644 ---- a/src/gpasswd.c -+++ b/src/gpasswd.c -@@ -939,6 +939,10 @@ static void change_passwd (struct group *gr) - } - - cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); -+ if (cp==NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - memzero (pass, sizeof pass); - #ifdef SHADOWGRP - if (is_shadowgrp) { -diff --git a/src/newgrp.c b/src/newgrp.c -index 9330c72..6b87761 100644 ---- a/src/newgrp.c -+++ b/src/newgrp.c -@@ -184,7 +184,8 @@ static void check_perms (const struct group *grp, - cpasswd = pw_encrypt (cp, grp->gr_passwd); - strzero (cp); - -- if (grp->gr_passwd[0] == '\0' || -+ if (cpasswd == NULL || -+ grp->gr_passwd[0] == '\0' || - strcmp (cpasswd, grp->gr_passwd) != 0) { - #ifdef WITH_AUDIT - snprintf (audit_buf, sizeof(audit_buf), -diff --git a/src/newusers.c b/src/newusers.c -index 994898e..5f83a6a 100644 ---- a/src/newusers.c -+++ b/src/newusers.c -@@ -387,6 +387,7 @@ static int add_user (const char *name, uid_t uid, gid_t gid) - static void update_passwd (struct passwd *pwd, const char *password) - { - void *crypt_arg = NULL; -+ char *cp; - if (crypt_method != NULL) { - #ifdef USE_SHA_CRYPT - if (sflg) { -@@ -398,9 +399,13 @@ static void update_passwd (struct passwd *pwd, const char *password) - if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) { - pwd->pw_passwd = (char *)password; - } else { -- pwd->pw_passwd = pw_encrypt (password, -- crypt_make_salt (crypt_method, -- crypt_arg)); -+ cp=pw_encrypt (password, crypt_make_salt (crypt_method, -+ crypt_arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } -+ pwd->pw_passwd = cp; - } - } - #endif /* !USE_PAM */ -@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pwd, const char *password) - { - const struct spwd *sp; - struct spwd spent; -+ char *cp; - - #ifndef USE_PAM - void *crypt_arg = NULL; -@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pwd, const char *password) - } else { - const char *salt = crypt_make_salt (crypt_method, - crypt_arg); -- spent.sp_pwdp = pw_encrypt (password, salt); -+ cp = pw_encrypt (password, salt); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } -+ spent.sp_pwdp = cp; - } - spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE; - if (0 == spent.sp_lstchg) { -@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pwd, const char *password) - spent.sp_pwdp = (char *)password; - } else { - const char *salt = crypt_make_salt (crypt_method, crypt_arg); -- spent.sp_pwdp = pw_encrypt (password, salt); -+ cp = pw_encrypt (password, salt); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } -+ spent.sp_pwdp = cp; - } - #else - /* -diff --git a/src/passwd.c b/src/passwd.c -index ac90aa3..ae26666 100644 ---- a/src/passwd.c -+++ b/src/passwd.c -@@ -242,6 +242,17 @@ static int new_password (const struct pa - } - - cipher = pw_encrypt (clear, crypt_passwd); -+ if (cipher == NULL) { -+ strzero (clear); -+ (void) fprintf (stderr, -+ _("Failed to crypt password for %s.\n"), -+ pw->pw_name); -+ SYSLOG ((LOG_INFO, -+ "failed to crypt password for %s", -+ pw->pw_name)); -+ return -1; -+ } -+ - if (strcmp (cipher, crypt_passwd) != 0) { - strzero (clear); - strzero (cipher); -@@ -349,6 +360,10 @@ static int new_password (const struct pa - * Encrypt the password, then wipe the cleartext password. - */ - cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - memzero (pass, sizeof pass); - - #ifdef HAVE_LIBCRACK_HIST --- -1.7.11.4 - |