From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 19 Feb 2015 02:48:23 +0000 (-0800)
Subject: basic_getpwnam_auth: fail authentication on crypt() failures
X-Git-Tag: merge-candidate-3-v1~262
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b643cd09fe7732491eaababb64dfc1fca67d33c1;p=thirdparty%2Fsquid.git

basic_getpwnam_auth: fail authentication on crypt() failures

... instead of crashing the helper.

"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
---

diff --git a/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc b/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc
index cc879cf389..aa8e5fee85 100644
--- a/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc
+++ b/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc
@@ -59,7 +59,8 @@ passwd_auth(char *user, char *passwd)
     if (pwd == NULL) {
         return 0;       /* User does not exist */
     } else {
-        if (strcmp(pwd->pw_passwd, (char *) crypt(passwd, pwd->pw_passwd))) {
+        char *crypted = crypt(passwd, pwd->pw_passwd);
+        if (!crypted || strcmp(pwd->pw_passwd, crypted)) {
             return 2;       /* Wrong password */
         } else {
             return 1;       /* Authentication Sucessful */
@@ -76,7 +77,8 @@ shadow_auth(char *user, char *passwd)
     if (pwd == NULL) {
         return passwd_auth(user, passwd);   /* Fall back to passwd_auth */
     } else {
-        if (strcmp(pwd->sp_pwdp, crypt(passwd, pwd->sp_pwdp))) {
+        char *crypted = crypt(passwd, pwd->sp_pwdp);
+        if (!crypted || strcmp(pwd->sp_pwdp, crypted)) {
             return 2;       /* Wrong password */
         } else {
             return 1;       /* Authentication Sucessful */