author | 2006-03-09 19:14:09 +0000 | |
---|---|---|
committer | 2006-03-09 19:14:09 +0000 | |
commit | 90afb38dcfdd9b9804b15b847f99d7861a984ebb (patch) | |
tree | 781cae2b7c9817490414e77070ba03ea36cff4c4 /libexec/login_reject | |
parent | Track interface uptime. (diff) | |
Foil potential timing attacks by using the correct password hash
instead of "xx". In practice this means bcrypt() will be used for
non-existent users instead of DES crypt().
Adapted from a patch by Peter Philipp. OK deraadt@
Diffstat (limited to 'libexec/login_reject')
-rw-r--r-- | libexec/login_reject/Makefile | 4 | ||||
-rw-r--r-- | libexec/login_reject/login_reject.c | 13 |
2 files changed, 12 insertions, 5 deletions
diff --git a/libexec/login_reject/Makefile b/libexec/login_reject/Makefile
index f877d6044ff..211059d6a2b 100644
--- a/libexec/login_reject/Makefile
+++ b/libexec/login_reject/Makefile
@@ -1,8 +1,10 @@
-# $OpenBSD: Makefile,v 1.1 2000/12/12 02:34:43 millert Exp $
+# $OpenBSD: Makefile,v 1.2 2006/03/09 19:14:10 millert Exp $
 PROG= login_reject
+SRCS= login_reject.c pwd_gensalt.c
 MAN= login_reject.8
 CFLAGS+=-Wall
+.PATH: ${.CURDIR}/../../usr.bin/passwd
 BINOWN= root
 BINGRP= auth
diff --git a/libexec/login_reject/login_reject.c b/libexec/login_reject/login_reject.c
index 91ee3532944..4411638856f 100644
--- a/libexec/login_reject/login_reject.c
+++ b/libexec/login_reject/login_reject.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: login_reject.c,v 1.6 2002/09/06 18:45:07 deraadt Exp $ */
+/* $OpenBSD: login_reject.c,v 1.7 2006/03/09 19:14:10 millert Exp $ */
 /*-
  * Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved.
@@ -55,9 +55,10 @@ int
 main(int argc, char *argv[])
 {
- FILE *back;
- char passbuf[1];
 struct rlimit rl;
+ login_cap_t *lc;
+ FILE *back;
+ char passbuf[1], salt[_PASSWORD_LEN + 1];
 int mode = 0, c;
 rl.rlim_cur = 0;
@@ -121,7 +122,11 @@ main(int argc, char *argv[])
 } else
 getpass("Password:");
- crypt("password", "xx");
+ if ((lc = login_getclass(NULL)) == NULL ||
+ pwd_gensalt(salt, sizeof(salt), lc, 'l') == 0)
+ strlcpy(salt, "xx", sizeof(salt));
+ crypt("password", salt);
+
 fprintf(back, BI_REJECT "\n");
 exit(1);
 }
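Review bot: The new `.PATH: ${.CURDIR}/../../usr.bin/passwd` line compiles `pwd_gensalt.c` straight out of another program's source tree with nothing in the Makefile saying why, so a later change to passwd(1)'s copy can silently change how login_reject selects its salt and cipher. A one-line comment next to it, such as `# pwd_gensalt.c is shared with passwd(1) so the same salt/cipher selection is used`, would make the dependency explicit to whoever next touches either tree.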
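Review bot: When `login_getclass(NULL)` or `pwd_gensalt()` fails, the new code in the second `login_reject.c` hunk silently falls back to the `"xx"` salt, which is exactly the DES-speed path this change is meant to retire, so a missing or unreadable login.conf would quietly reintroduce the timing difference the description describes; consider reporting that fallback, e.g. `syslog(LOG_WARNING, "pwd_gensalt failed, falling back to DES salt");` (needs `<syslog.h>` if it is not already included), so operators can notice it. The `lc` obtained here is also never released with `login_close()`; that is harmless given the `exit(1)` that follows, but a short comment saying so would stop the next reader from "fixing" it. Note too that the default class is consulted rather than the class the rejected user would have had, so if classes differ in their `localcipher` setting a residual timing difference between classes presumably remains, which is worth stating in a comment above the `if`. `main()` begins outside this hunk.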