From: Amos Jeffries Date: Thu, 19 Feb 2015 02:50:51 +0000 (-0800) Subject: basic_nis_auth: fail authentication on crypt() failures X-Git-Tag: merge-candidate-3-v1~261 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ea677a6251194950bf0d82901fc87e1be5e6a38;p=thirdparty%2Fsquid.git basic_nis_auth: fail authentication on crypt() failures ... instead of crashing the helper. " Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/ NULL return) if the salt violates specifications. Additionally, on FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to crypt() fail with EPERM (w/ NULL return). "
---
diff --git a/helpers/basic_auth/NIS/basic_nis_auth.cc b/helpers/basic_auth/NIS/basic_nis_auth.cc
index 658c52ee3d..968a99535e 100644
--- a/helpers/basic_auth/NIS/basic_nis_auth.cc
+++ b/helpers/basic_auth/NIS/basic_nis_auth.cc
@@ -73,20 +73,22 @@ main(int argc, char **argv)
 if (!nispasswd) {
 /* User does not exist */
 printf("ERR No such user\n");
+ continue;
+ }
+
 #if HAVE_CRYPT
- } else if (strcmp(nispasswd, (char *) crypt(passwd, nispasswd)) == 0) {
+ char *crypted = NULL;
+ if ((crypted = crypt(passwd, nispasswd)) && strcmp(nispasswd, crypted) == 0) {
 /* All ok !, thanks... */
 printf("OK\n");
 } else {
 /* Password incorrect */
 printf("ERR Wrong password\n");
-#else
 }
- else {
- /* Password incorrect */
- printf("BH message=\"Missing crypto capability\"\n");
+#else
+ /* Password incorrect */
+ printf("BH message=\"Missing crypto capability\"\n");
 #endif
- }
 }
 exit(0);
 }
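Review bot: In the new `#if HAVE_CRYPT` branch a NULL return from crypt() gets the same `ERR Wrong password` reply as a genuine mismatch, so a salt the library rejects (EINVAL) or a FIPS policy refusal (EPERM) is indistinguishable in the logs from users mistyping their passwords. Failing closed is the right outcome, but this is a helper-side fault and would be better reported the way the `#else` branch already reports missing crypto, for example `if (!crypted) { printf("BH message=\"crypt() failed\"\n"); continue; }` ahead of the strcmp, with errno written to stderr so the cause is on record. The comment `/* Password incorrect */` kept above the `Missing crypto capability` reply is also inaccurate and should say something like `/* crypt() support not compiled in */`. The enclosing loop and the start of main() are outside this hunk, so how stderr reaches the log is assumed from helper convention rather than visible here.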