From 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Mon, 13 Dec 1999 13:27:58 +0000
Subject: first pass at updating head branch to be to be the same as the
 SAMBA_2_0 branch (This used to be commit
 453a822a76780063dff23526c35408866d0c0154)

---
 source3/auth/pass_check.c | 183 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 129 insertions(+), 54 deletions(-)

(limited to 'source3/auth')

diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 7effbfef8d..11ce0d754e 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -32,7 +32,7 @@ static char this_salt[100]="";
 static char this_crypted[100]="";
 
 
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
 /*******************************************************************
 check on PAM authentication
 ********************************************************************/
@@ -136,6 +136,10 @@ static BOOL pam_auth(char *user,char *password)
 
 
 #ifdef WITH_AFS
+
+#include <afs/stds.h>
+#include <afs/kautils.h>
+
 /*******************************************************************
 check on AFS authentication
 ********************************************************************/
@@ -158,6 +162,7 @@ static BOOL afs_auth(char *user,char *password)
 				       &reason) == 0) {
 		return(True);
 	}
+	DEBUG(1,("AFS authentication for \"%s\" failed (%s)\n", user, reason));
 	return(False);
 }
 #endif
@@ -165,6 +170,9 @@ static BOOL afs_auth(char *user,char *password)
 
 #ifdef WITH_DFS
 
+#include <dce/dce_error.h>
+#include <dce/sec_login.h>
+
 /*****************************************************************
  This new version of the DFS_AUTH code was donated by Karsten Muuss
  <muuss@or.uni-bonn.de>. It fixes the following problems with the
@@ -195,6 +203,7 @@ static BOOL dfs_auth(char *user,char *password)
 	sec_passwd_rec_t passwd_rec;
 	sec_login_auth_src_t auth_src = sec_login_auth_src_network;
 	unsigned char dce_errstr[dce_c_error_string_len];
+	gid_t egid;
 
 	if (dcelogin_atmost_once) return(False);
 
@@ -322,14 +331,16 @@ static BOOL dfs_auth(char *user,char *password)
 	 * back to being root on error though. JRA.
 	 */
 	
-	if (setregid(-1, pw->pw_gid) != 0) {
+	egid = getegid();
+
+	if (set_effective_gid(pw->pw_gid) != 0) {
 		DEBUG(0,("Can't set egid to %d (%s)\n", 
 			 pw->pw_gid, strerror(errno)));
 		return False;
 	}
 
-	if (setreuid(-1, pw->pw_uid) != 0) {
-		setgid(0);
+	if (set_effective_uid(pw->pw_uid) != 0) {
+		set_effective_gid(egid);
 		DEBUG(0,("Can't set euid to %d (%s)\n", 
 			 pw->pw_uid, strerror(errno)));
 		return False;
@@ -340,24 +351,17 @@ static BOOL dfs_auth(char *user,char *password)
 				     &my_dce_sec_context,
 				     &err) == 0) {
 		dce_error_inq_text(err, dce_errstr, &err2);
-		/* Go back to root, JRA. */
-		setuid(0);
-		setgid(0);
 		DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
 			 user,dce_errstr));
-		return(False);
+		goto err;
 	}
 
 	sec_login_get_pwent(my_dce_sec_context, 
 			    (sec_login_passwd_t*)&pw, &err);
 	if (err != error_status_ok ) {
 		dce_error_inq_text(err, dce_errstr, &err2);
-		/* Go back to root, JRA. */
-		setuid(0);
-		setgid(0);
 		DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-		
-		return(False);
+		goto err;
 	}
 
 	passwd_rec.version_number = sec_passwd_c_version_none;
@@ -370,24 +374,16 @@ static BOOL dfs_auth(char *user,char *password)
 				    &auth_src, &err);
 	if (err != error_status_ok ) { 
 		dce_error_inq_text(err, dce_errstr, &err2);
-		/* Go back to root, JRA. */
-		setuid(0);
-		setgid(0);
 		DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n",
 			 user,dce_errstr));
-		
-		return(False);
+		goto err;
 	}
 
 	sec_login_certify_identity(my_dce_sec_context, &err);
 	if (err != error_status_ok) { 
 		dce_error_inq_text(err, dce_errstr, &err2);
-		/* Go back to root, JRA. */
-		setuid(0);
-		setgid(0);
 		DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr));
-		
-		return(False);
+		goto err;
 	}
 
 	if (auth_src != sec_login_auth_src_network) { 
@@ -401,10 +397,7 @@ static BOOL dfs_auth(char *user,char *password)
 			 user,dce_errstr));
 		
 		sec_login_purge_context(&my_dce_sec_context, &err);
-		/* Go back to root, JRA. */
-		setuid(0);
-		setgid(0);
-		return(False);
+		goto err;
 	}
 	
 	sec_login_get_pwent(my_dce_sec_context, 
@@ -412,11 +405,7 @@ static BOOL dfs_auth(char *user,char *password)
 	if (err != error_status_ok) {
 		dce_error_inq_text(err, dce_errstr, &err2);
 		DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-
-		/* Go back to root, JRA. */
-		setuid(0);
-		setgid(0);
-		return(False);
+		goto err;
 	}
 	
 	DEBUG(0,("DCE login succeeded for principal %s on pid %d\n",
@@ -434,21 +423,24 @@ static BOOL dfs_auth(char *user,char *password)
 	sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
 	if (err != error_status_ok) {
 		dce_error_inq_text(err, dce_errstr, &err2);
-		/* Go back to root, JRA. */
-		setuid(0);
-		setgid(0);
 		DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr));
-		
-		return(False);
+		goto err;
 	}
 	
-	setuid(0);
-	setgid(0);
+	set_effective_uid(0);
+	set_effective_gid(0);
 	
 	DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time))));
 	
 	dcelogin_atmost_once = 1;
 	return (True);
+
+err:
+
+	/* Go back to root, JRA. */
+	set_effective_uid(0);
+	set_effective_gid(egid);
+	return(False);
 }
 
 void dfs_unlogin(void)
@@ -467,6 +459,9 @@ void dfs_unlogin(void)
 #endif
 
 #ifdef KRB5_AUTH
+
+#include <krb5.h>
+
 /*******************************************************************
 check on Kerberos authentication
 ********************************************************************/
@@ -614,6 +609,7 @@ static char *osf1_bigcrypt(char *password,char *salt1)
 	
 	StrnCpy(salt,salt1,2);
 	StrnCpy(result,salt1,2);
+	result[2]='\0';
 
 	for (i=0; i<parts;i++) {
 		p1 = crypt(p2,salt);
@@ -680,7 +676,7 @@ core of password checking routine
 static BOOL password_check(char *password)
 {
 
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
 	/* This falls through if the password check fails
 	   - if HAVE_CRYPT is not defined this causes an error msg
 	   saying Warning - no crypt available
@@ -691,23 +687,23 @@ static BOOL password_check(char *password)
 	   Hence we make a direct return to avoid a second chance!!!
 	*/
 	return (pam_auth(this_user,password));
-#endif
+#endif /* WITH_PAM */
 	
 #ifdef WITH_AFS
 	if (afs_auth(this_user,password)) return(True);
-#endif
+#endif /* WITH_AFS */
 	
 #ifdef WITH_DFS
 	if (dfs_auth(this_user,password)) return(True);
-#endif 
+#endif /* WITH_DFS */
 
 #ifdef KRB5_AUTH
 	if (krb5_auth(this_user,password)) return(True);
-#endif
+#endif /* KRB5_AUTH */
 
 #ifdef KRB4_AUTH
 	if (krb4_auth(this_user,password)) return(True);
-#endif
+#endif /* KRB4_AUTH */
 
 #ifdef OSF1_ENH_SEC
 	{
@@ -718,26 +714,42 @@ static BOOL password_check(char *password)
 	  }
 	  return ret;
 	}
-#endif
+#endif /* OSF1_ENH_SEC */
 
 #ifdef ULTRIX_AUTH
 	return (strcmp((char *)crypt16(password, this_salt ),this_crypted) == 0);
-#endif
+#endif /* ULTRIX_AUTH */
 
 #ifdef LINUX_BIGCRYPT
 	return(linux_bigcrypt(password,this_salt,this_crypted));
-#endif
+#endif /* LINUX_BIGCRYPT */
+
+#if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS)
+
+	/*
+	 * Some systems have bigcrypt in the C library but might not
+	 * actually use it for the password hashes (HPUX 10.20) is
+	 * a noteable example. So we try bigcrypt first, followed
+	 * by crypt.
+	 */
+
+	if(strcmp(bigcrypt(password,this_salt),this_crypted) == 0)
+		return True;
+	else 
+		return (strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
+#else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
 
 #ifdef HAVE_BIGCRYPT
 	return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0);
-#endif
+#endif /* HAVE_BIGCRYPT */
 
 #ifndef HAVE_CRYPT
 	DEBUG(1,("Warning - no crypt available\n"));
 	return(False);
-#else
+#else /* HAVE_CRYPT */
 	return(strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
-#endif
+#endif /* HAVE_CRYPT */
+#endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
 }
 
 
@@ -753,13 +765,12 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
 {
 	pstring pass2;
 	int level = lp_passwordlevel();
-	const struct passwd *pass;
+	struct passwd *pass;
 
 	if (password) password[pwlen] = 0;
 
 #if DEBUG_PASSWORD
-	DEBUG(100,("checking user=[%s] pass=",user));
-	dump_data(100, password, strlen(password));
+	DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password));
 #endif
 
 	if (!password) {
@@ -785,12 +796,76 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
 		return(False);
 	}
 
+#ifdef HAVE_GETSPNAM
+	{
+		struct spwd *spass;
+
+		/* many shadow systems require you to be root to get
+		   the password, in most cases this should already be
+		   the case when this function is called, except
+		   perhaps for IPC password changing requests */
+
+		spass = getspnam(pass->pw_name);
+		if (spass && spass->sp_pwdp) {
+			pstrcpy(pass->pw_passwd,spass->sp_pwdp);
+		}
+	}
+#elif defined(IA_UINFO)
+	{
+		/* Need to get password with SVR4.2's ia_ functions
+		   instead of get{sp,pw}ent functions. Required by
+		   UnixWare 2.x, tested on version
+		   2.1. (tangent@cyberport.com) */
+		uinfo_t uinfo;
+		if (ia_openinfo(pass->pw_name, &uinfo) != -1) {
+			ia_get_logpwd(uinfo, &(pass->pw_passwd));
+		}
+	}
+#endif
+
+#ifdef HAVE_GETPRPWNAM
+	{
+		struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);
+		if (pr_pw && pr_pw->ufld.fd_encrypt)
+			pstrcpy(pass->pw_passwd,pr_pw->ufld.fd_encrypt);
+	}
+#endif
+
+#ifdef OSF1_ENH_SEC
+	{
+		struct pr_passwd *mypasswd;
+		DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n",
+			 user));
+		mypasswd = getprpwnam (user);
+		if (mypasswd) { 
+			fstrcpy(pass->pw_name,mypasswd->ufld.fd_name);
+			fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt);
+		} else {
+			DEBUG(5,("OSF1_ENH_SEC: No entry for user %s in protected database !\n",
+				 user));
+		}
+	}
+#endif
+
+#ifdef ULTRIX_AUTH
+	{
+		AUTHORIZATION *ap = getauthuid(pass->pw_uid);
+		if (ap) {
+			fstrcpy(pass->pw_passwd, ap->a_password);
+			endauthent();
+		}
+	}
+#endif
+
 	/* extract relevant info */
 	fstrcpy(this_user,pass->pw_name);  
 	fstrcpy(this_salt,pass->pw_passwd);
+
+#if defined(HAVE_TRUNCATED_SALT)
 	/* crypt on some platforms (HPUX in particular)
 	   won't work with more than 2 salt characters. */
 	this_salt[2] = 0;
+#endif
 	
 	fstrcpy(this_crypted,pass->pw_passwd);
 	
-- 
cgit