Source Code 1992 March

home *** CD-ROM | disk | FTP | other *** search

/ Source Code 1992 March / Source_Code_CD-ROM_Walnut_Creek_March_1992.iso / usenet / altsrcs / 2 / 2288 / valid.c < prev

Wrap

C/C++ Source or Header | 1990-12-28 | 3.1 KB | 133 lines

/* * Copyright 1989, 1990, John F. Haugh II * All rights reserved. * * Use, duplication, and disclosure prohibited without * the express written permission of the author. */ #include <stdio.h> #include <pwd.h> #ifndef BSD #include <string.h> #include <memory.h> #else #include <strings.h> #define strchr index #define strrchr rindex #endif #include "config.h" #ifndef lint static char _sccsid[] = "@(#)valid.c 2.4 19:24:27 7/29/90"; #endif /* * valid - compare encrypted passwords * * Valid() compares the DES encrypted password from the password file * against the password which the user has entered after it has been * encrypted using the same salt as the original. */ int valid (password, entry) char *password; struct passwd *entry; { char *encrypt; char *salt; char *crypt (); char *shell; #ifdef DOUBLESIZE int firsthalf; int longpass; #endif #ifdef NOUSE if (entry->pw_shell && strcmp (NOUSE, entry->pw_shell) == 0) return (0); #if defined(SU) && defined (NOLOGIN) if (entry->pw_shell && strcmp (NOLOGIN, entry->pw_shell) == 0) { if (! (shell = getenv ("SHELL"))) return 0; } #endif #if !defined(SU) && defined (NOLOGIN) if (entry->pw_shell && strcmp (NOLOGIN, entry->pw_shell) == 0) return 0; #endif #endif /* * Start with blank or empty password entries. Always encrypt * a password if no such user exists. Only if the ID exists and * the password is really empty do you return quickly. This * routine is meant to waste CPU time. */ if (entry->pw_name && (entry->pw_passwd == (char *) 0 || strlen (entry->pw_passwd) == 0)) { if (strlen (password) == 0) return (1); /* user entered nothing */ else return (0); /* user entered something! */ } #ifdef DOUBLESIZE longpass = entry->pw_passwd && strlen (entry->pw_passwd) > 13; #endif /* * If there is no entry then we need a salt to use. */ if (entry->pw_passwd == (char *) 0 || entry->pw_passwd[0] == '\0') salt = "xx"; else salt = entry->pw_passwd; /* * Now, perform the encryption using the salt from before on * the users input. Since we always encrypt the string, it * should be very difficult to determine if the user exists by * looking at execution time. */ encrypt = crypt (password, salt); #ifdef DOUBLESIZE firsthalf = entry->pw_passwd && strncmp (encrypt + 2, entry->pw_passwd + 2, 11) == 0; if (strlen (password) > 8) encrypt = crypt (password + 8, salt); else { (void) crypt (password, salt); /* waste time ... */ encrypt = ""; } #endif /* * One last time we must deal with there being no password file * entry for the user. We use the pw_passwd == NULL idiom to * cause non-existent users to not be validated. Even still, * we are safe because if the string were == "", any encrypted * string is not going to match - the output of crypt() begins * with the salt, which is "xx", not "". */ #ifndef DOUBLESIZE if (entry->pw_passwd && strcmp (encrypt, entry->pw_passwd) == 0) return (1); else return (0); #else if (! longpass) return (firsthalf); if (entry->pw_passwd && firsthalf && strncmp (encrypt + 2, entry->pw_passwd + 13) == 0) return (1); else return (0); #endif }