xcrypt.c revision 323134 
1/*
2 * Copyright (c) 2003 Ben Lindstrom.  All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25#include "includes.h"
26
27#include <sys/types.h>
28#include <string.h>
29#include <unistd.h>
30#include <pwd.h>
31
32# if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE)
33#  include <crypt.h>
34# endif
35
36# ifdef __hpux
37#  include <hpsecurity.h>
38#  include <prot.h>
39# endif
40
41# ifdef HAVE_SECUREWARE
42#  include <sys/security.h>
43#  include <sys/audit.h>
44#  include <prot.h>
45# endif
46
47# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
48#  include <shadow.h>
49# endif
50
51# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
52#  include <sys/label.h>
53#  include <sys/audit.h>
54#  include <pwdadj.h>
55# endif
56
57# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
58#  include "md5crypt.h"
59# endif
60
61# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
62#  include <openssl/des.h>
63#  define crypt DES_crypt
64# endif
65
66/*
67 * Pick an appropriate password encryption type and salt for the running
68 * system by searching through accounts until we find one that has a valid
69 * salt.  Usually this will be root unless the root account is locked out.
70 * If we don't find one we return a traditional DES-based salt.
71 */
72static const char *
73pick_salt(void)
74{
75	struct passwd *pw;
76	char *passwd, *p;
77	size_t typelen;
78	static char salt[32];
79
80	if (salt[0] != '\0')
81		return salt;
82	strlcpy(salt, "xx", sizeof(salt));
83	setpwent();
84	while ((pw = getpwent()) != NULL) {
85		passwd = shadow_pw(pw);
86		if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
87			typelen = p - passwd + 1;
88			strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
89			explicit_bzero(passwd, strlen(passwd));
90			goto out;
91		}
92	}
93 out:
94	endpwent();
95	return salt;
96}
97
98char *
99xcrypt(const char *password, const char *salt)
100{
101	char *crypted;
102
103	/*
104	 * If we don't have a salt we are encrypting a fake password for
105	 * for timing purposes.  Pick an appropriate salt.
106	 */
107	if (salt == NULL)
108		salt = pick_salt();
109
110# ifdef HAVE_MD5_PASSWORDS
111	if (is_md5_salt(salt))
112		crypted = md5_crypt(password, salt);
113	else
114		crypted = crypt(password, salt);
115# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
116	if (iscomsec())
117		crypted = bigcrypt(password, salt);
118	else
119		crypted = crypt(password, salt);
120# elif defined(HAVE_SECUREWARE)
121	crypted = bigcrypt(password, salt);
122# else
123	crypted = crypt(password, salt);
124# endif
125
126	return crypted;
127}
128
129/*
130 * Handle shadowed password systems in a cleaner way for portable
131 * version.
132 */
133
134char *
135shadow_pw(struct passwd *pw)
136{
137	char *pw_password = pw->pw_passwd;
138
139# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
140	struct spwd *spw = getspnam(pw->pw_name);
141
142	if (spw != NULL)
143		pw_password = spw->sp_pwdp;
144# endif
145
146#ifdef USE_LIBIAF
147	return(get_iaf_password(pw));
148#endif
149
150# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
151	struct passwd_adjunct *spw;
152	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
153		pw_password = spw->pwa_passwd;
154# elif defined(HAVE_SECUREWARE)
155	struct pr_passwd *spw = getprpwnam(pw->pw_name);
156
157	if (spw != NULL)
158		pw_password = spw->ufld.fd_encrypt;
159# endif
160
161	return pw_password;
162}
163