basic_nis_auth: fail authentication on crypt() failures
authorAmos Jeffries <squid3@treenet.co.nz>
Thu, 19 Feb 2015 02:50:51 +0000 (18:50 -0800)
committerAmos Jeffries <squid3@treenet.co.nz>
Thu, 19 Feb 2015 02:50:51 +0000 (18:50 -0800)
... instead of crashing the helper.

"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"

helpers/basic_auth/NIS/basic_nis_auth.cc

index 658c52ee3dd52c65ba989c1db9eee4cef7ba7651..968a99535e2afe15a803ad929c61d36863547377 100644 (file)
@@ -73,20 +73,22 @@ main(int argc, char **argv)
         if (!nispasswd) {
             /* User does not exist */
             printf("ERR No such user\n");
+            continue;
+        }
+
 #if HAVE_CRYPT
-        } else if (strcmp(nispasswd, (char *) crypt(passwd, nispasswd)) == 0) {
+        char *crypted = NULL;
+        if ((crypted = crypt(passwd, nispasswd)) && strcmp(nispasswd, crypted) == 0) {
             /* All ok !, thanks... */
             printf("OK\n");
         } else {
             /* Password incorrect */
             printf("ERR Wrong password\n");
-#else
         }
-        else {
-            /* Password incorrect */
-            printf("BH message=\"Missing crypto capability\"\n");
+#else
+        /* Password incorrect */
+        printf("BH message=\"Missing crypto capability\"\n");
 #endif
-        }
     }
     exit(0);
 }
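Review bot: In the HAVE_CRYPT branch a NULL return from crypt() now produces the same `ERR Wrong password` reply as a real mismatch, so a FIPS-mode or malformed-salt failure looks like a bad credential in the helper's output. Failing closed is right, but I would leave a diagnostic for the operator before the ERR reply, e.g. `if (!crypted) fprintf(stderr, "crypt() failed: %s\n", strerror(errno));` (this needs the errno and strerror declarations, which are not visible in the hunk). Separately, the `/* Password incorrect */` comment kept in the `#else` branch no longer matches the `BH message="Missing crypto capability"` line below it; `/* crypt() not available at build time */` would be accurate. The loop body and main() begin outside this hunk.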