From b643cd09fe7732491eaababb64dfc1fca67d33c1 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 18 Feb 2015 18:48:23 -0800
Subject: [PATCH] basic_getpwnam_auth: fail authentication on crypt() failures

... instead of crashing the helper.

"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
---
 helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc b/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc
index cc879cf389..aa8e5fee85 100644
--- a/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc
+++ b/helpers/basic_auth/getpwnam/basic_getpwnam_auth.cc
@@ -59,7 +59,8 @@ passwd_auth(char *user, char *passwd)
     if (pwd == NULL) {
         return 0;       /* User does not exist */
     } else {
-        if (strcmp(pwd->pw_passwd, (char *) crypt(passwd, pwd->pw_passwd))) {
+        char *crypted = crypt(passwd, pwd->pw_passwd);
+        if (!crypted || strcmp(pwd->pw_passwd, crypted)) {
             return 2;       /* Wrong password */
         } else {
             return 1;       /* Authentication Sucessful */
@@ -76,7 +77,8 @@ shadow_auth(char *user, char *passwd)
     if (pwd == NULL) {
         return passwd_auth(user, passwd);   /* Fall back to passwd_auth */
     } else {
-        if (strcmp(pwd->sp_pwdp, crypt(passwd, pwd->sp_pwdp))) {
+        char *crypted = crypt(passwd, pwd->sp_pwdp);
+        if (!crypted || strcmp(pwd->sp_pwdp, crypted)) {
             return 2;       /* Wrong password */
         } else {
             return 1;       /* Authentication Sucessful */
-- 
2.47.2