1/* 2 * Copyright (c) 2003 Ben Lindstrom. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25#include "includes.h" 26 27#include <sys/types.h> 28#include <string.h> 29#include <unistd.h> 30#include <pwd.h> 31 32# if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE) 33# include <crypt.h> 34# endif 35 36# ifdef __hpux 37# include <hpsecurity.h> 38# include <prot.h> 39# endif 40 41# ifdef HAVE_SECUREWARE 42# include <sys/security.h> 43# include <sys/audit.h> 44# include <prot.h> 45# endif 46 47# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) 48# include <shadow.h> 49# endif 50 51# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) 52# include <sys/label.h> 53# include <sys/audit.h> 54# include <pwdadj.h> 55# endif 56 57# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) 58# include "md5crypt.h" 59# endif 60 61# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) 62# include <openssl/des.h> 63# define crypt DES_crypt 64# endif 65 66/* 67 * Pick an appropriate password encryption type and salt for the running 68 * system by searching through accounts until we find one that has a valid 69 * salt. Usually this will be root unless the root account is locked out. 70 * If we don't find one we return a traditional DES-based salt. 71 */ 72static const char * 73pick_salt(void) 74{ 75 struct passwd *pw; 76 char *passwd, *p; 77 size_t typelen; 78 static char salt[32]; 79 80 if (salt[0] != '\0') 81 return salt; 82 strlcpy(salt, "xx", sizeof(salt)); 83 setpwent(); 84 while ((pw = getpwent()) != NULL) { 85 if ((passwd = shadow_pw(pw)) == NULL) 86 continue; 87 if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) { 88 typelen = p - passwd + 1; 89 strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); 90 explicit_bzero(passwd, strlen(passwd)); 91 goto out; 92 } 93 } 94 out: 95 endpwent(); 96 return salt; 97} 98 99char * 100xcrypt(const char *password, const char *salt) 101{ 102 char *crypted; 103 104 /* 105 * If we don't have a salt we are encrypting a fake password for 106 * for timing purposes. Pick an appropriate salt. 107 */ 108 if (salt == NULL) 109 salt = pick_salt(); 110 111# ifdef HAVE_MD5_PASSWORDS 112 if (is_md5_salt(salt)) 113 crypted = md5_crypt(password, salt); 114 else 115 crypted = crypt(password, salt); 116# elif defined(__hpux) && !defined(HAVE_SECUREWARE) 117 if (iscomsec()) 118 crypted = bigcrypt(password, salt); 119 else 120 crypted = crypt(password, salt); 121# elif defined(HAVE_SECUREWARE) 122 crypted = bigcrypt(password, salt); 123# else 124 crypted = crypt(password, salt); 125# endif 126 127 return crypted; 128} 129 130/* 131 * Handle shadowed password systems in a cleaner way for portable 132 * version. 133 */ 134 135char * 136shadow_pw(struct passwd *pw) 137{ 138 char *pw_password = pw->pw_passwd; 139 140# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) 141 struct spwd *spw = getspnam(pw->pw_name); 142 143 if (spw != NULL) 144 pw_password = spw->sp_pwdp; 145# endif 146 147#ifdef USE_LIBIAF 148 return(get_iaf_password(pw)); 149#endif 150 151# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) 152 struct passwd_adjunct *spw; 153 if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) 154 pw_password = spw->pwa_passwd; 155# elif defined(HAVE_SECUREWARE) 156 struct pr_passwd *spw = getprpwnam(pw->pw_name); 157 158 if (spw != NULL) 159 pw_password = spw->ufld.fd_encrypt; 160# endif 161 162 return pw_password; 163} 164