upstream: randomise the password used in fakepw

author djm@openbsd.org <djm@openbsd.org>

Wed, 23 Feb 2022 11:17:10 +0000 (11:17 +0000)

committer Damien Miller <djm@mindrot.org>

Wed, 23 Feb 2022 11:21:35 +0000 (22:21 +1100)
author djm@openbsd.org <djm@openbsd.org>
Wed, 23 Feb 2022 11:17:10 +0000 (11:17 +0000)
committer Damien Miller <djm@mindrot.org>
Wed, 23 Feb 2022 11:21:35 +0000 (22:21 +1100)
diff --git a/auth.c b/auth.c

index 00b168b4e27a06dee72ca1e24a41b386922a62aa..560e8ecacde4cd6e79f48eb0c717e8f48525f767 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.153 2021/07/05 00:50:25 dtucker Exp $ */
+/* $OpenBSD: auth.c,v 1.154 2022/02/23 11:17:10 djm Exp $ */
  /*
   * Copyright (c) 2000 Markus Friedl.  All rights reserved.
   *
@@ -709,12 +709,21 @@ auth_debug_reset(void)
  struct passwd *
  fakepw(void)
  {
+       static int done = 0;
         static struct passwd fake;
+       const char hashchars[] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+           "abcdefghijklmnopqrstuvwxyz0123456789"; /* from bcrypt.c */
+       char *cp;
+
+       if (done)
+               return (&fake);
  
         memset(&fake, 0, sizeof(fake));
         fake.pw_name = "NOUSER";
-       fake.pw_passwd =
-           "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
+       fake.pw_passwd = xstrdup("$2a$10$"
+           "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
+       for (cp = fake.pw_passwd + 7; *cp != '\0'; cp++)
+               *cp = hashchars[arc4random_uniform(sizeof(hashchars) - 1)];
  #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
         fake.pw_gecos = "NOUSER";
  #endif
@@ -725,6 +734,7 @@ fakepw(void)
  #endif
         fake.pw_dir = "/nonexist";
         fake.pw_shell = "/nonexist";
+       done = 1;
  
         return (&fake);
  }
author	djm@openbsd.org <djm@openbsd.org>
	Wed, 23 Feb 2022 11:17:10 +0000 (11:17 +0000)
committer	Damien Miller <djm@mindrot.org>
	Wed, 23 Feb 2022 11:21:35 +0000 (22:21 +1100)