From 30ce99d1268ea97f0603aec31346d1b859721e26 Mon Sep 17 00:00:00 2001 From: pnixon Date: Tue, 24 Jun 2003 14:22:19 +0000 Subject: [PATCH] Crypt thread patch from Oliver Graf (KEVAG Telekom GmbH / RZ-Online GmbH) --- src/include/libradius.h | 3 + src/lib/Makefile | 2 +- src/lib/crypt.c | 183 ++++++++++++++++++++++++++++++++++++++++ src/main/auth.c | 22 ++--- src/modules/rlm_pap/rlm_pap.c | 25 +----- src/modules/rlm_unix/cache.c | 12 +-- src/modules/rlm_unix/rlm_unix.c | 8 +- 7 files changed, 199 insertions(+), 56 deletions(-) create mode 100644 src/lib/crypt.c diff --git a/src/include/libradius.h b/src/include/libradius.h index 287afa8..1027c64 100644 --- a/src/include/libradius.h +++ b/src/include/libradius.h @@ -298,4 +298,7 @@ void lrad_mschap(const unsigned char *win_password, const unsigned char *challenge, unsigned char *response); +/* crypt wrapper from crypt.c */ +int lrad_crypt_check(const char *key, const char *salt); + #endif /*LIBRADIUS_H*/ diff --git a/src/lib/Makefile b/src/lib/Makefile index 72ed7f9..34f6443 100644 --- a/src/lib/Makefile +++ b/src/lib/Makefile @@ -3,7 +3,7 @@ include ../../Make.inc SRCS = dict.c print.c radius.c valuepair.c token.c misc.c \ log.c filters.c missing.c md4.c md5.c sha1.c hmac.c \ - snprintf.c isaac.c smbdes.c + snprintf.c isaac.c smbdes.c crypt.c INCLUDES = ../include/radius.h ../include/libradius.h \ ../include/missing.h ../include/autoconf.h diff --git a/src/lib/crypt.c b/src/lib/crypt.c new file mode 100644 index 0000000..afdf497 --- /dev/null +++ b/src/lib/crypt.c 
@@ -0,0 +1,183 @@
+/*
+ * a thread-safe crypt wrapper
+ */
+
+#include "libradius.h"
+#include
+#include
+#include
+
+#if HAVE_PTHREAD_H
+#include
+#endif
+
+static int lrad_crypt_init=0;
+static pthread_mutex_t lrad_crypt_mutex;
+
+/*
+ * initializes authcrypt_mutex
+ */
+
+
+/*
+ * performs a crypt password check in an thread-safe way.
+ *
+ * returns: 0 -- check succeeded
+ * -1 -- failed to crypt
+ * 1 -- check failed
+ */
+int lrad_crypt_check(const char *key, const char *crypted) {
+ char *libc_crypted=NULL, *our_crypted=NULL;
+ int result=0;
+
+#if HAVE_PTHREAD_H
+ if (!lrad_crypt_init == 0) {
+ pthread_mutex_init(&lrad_crypt_mutex, NULL);
+ lrad_crypt_init=1;
+ }
+
+ pthread_mutex_lock(&lrad_crypt_mutex);
+#endif
+
+ libc_crypted=crypt(key,crypted);
+ if (libc_crypted)
+ our_crypted=strdup(libc_crypted);
+
+#if HAVE_PTHREAD_H
+ pthread_mutex_unlock(&lrad_crypt_mutex);
+#endif
+
+ if (our_crypted == NULL)
+ return -1;
+
+ if (strcmp(crypted, our_crypted) == 0)
+ result = 0;
+ else
+ result = 1;
+
+ free(our_crypted);
+
+ return result;
+}
+/*
+ * a thread-safe crypt wrapper
+ */
+
+#include "libradius.h"
+#include
+#include
+#include
+
+#if HAVE_PTHREAD_H
+#include
+#endif
+
+static int lrad_crypt_init=0;
+static pthread_mutex_t lrad_crypt_mutex;
+
+/*
+ * initializes authcrypt_mutex
+ */
+
+
+/*
+ * performs a crypt password check in an thread-safe way.
+ *
+ * returns: 0 -- check succeeded
+ * -1 -- failed to crypt
+ * 1 -- check failed
+ */
+int lrad_crypt_check(const char *key, const char *crypted) {
+ char *libc_crypted=NULL, *our_crypted=NULL;
+ int result=0;
+
+#if HAVE_PTHREAD_H
+ if (!lrad_crypt_init == 0) {
+ pthread_mutex_init(&lrad_crypt_mutex, NULL);
+ lrad_crypt_init=1;
+ }
+
+ pthread_mutex_lock(&lrad_crypt_mutex);
+#endif
+
+ libc_crypted=crypt(key,crypted);
+ if (libc_crypted)
+ our_crypted=strdup(libc_crypted);
+
+#if HAVE_PTHREAD_H
+ pthread_mutex_unlock(&lrad_crypt_mutex);
+#endif
+
+ if (our_crypted == NULL)
+ return -1;
+
+ if (strcmp(crypted, our_crypted) == 0)
+ result = 0;
+ else
+ result = 1;
+
+ free(our_crypted);
+
+ return result;
+}
+/*
+ * a thread-safe crypt wrapper
+ */
+
+#include "libradius.h"
+#include
+#include
+#include
+
+#if HAVE_PTHREAD_H
+#include
+#endif
+
+static int lrad_crypt_init=0;
+static pthread_mutex_t lrad_crypt_mutex;
+
+/*
+ * initializes authcrypt_mutex
+ */
+
+
+/*
+ * performs a crypt password check in an thread-safe way.
+ *
+ * returns: 0 -- check succeeded
+ * -1 -- failed to crypt
+ * 1 -- check failed
+ */
+int lrad_crypt_check(const char *key, const char *crypted) {
+ char *libc_crypted=NULL, *our_crypted=NULL;
+ int result=0;
+
+#if HAVE_PTHREAD_H
+ if (!lrad_crypt_init == 0) {
+ pthread_mutex_init(&lrad_crypt_mutex, NULL);
+ lrad_crypt_init=1;
+ }
+
+ pthread_mutex_lock(&lrad_crypt_mutex);
+#endif
+
+ libc_crypted=crypt(key,crypted);
+ if (libc_crypted)
+ our_crypted=strdup(libc_crypted);
+
+#if HAVE_PTHREAD_H
+ pthread_mutex_unlock(&lrad_crypt_mutex);
+#endif
+
+ if (our_crypted == NULL)
+ return -1;
+
+ if (strcmp(crypted, our_crypted) == 0)
+ result = 0;
+ else
+ result = 1;
+
+ free(our_crypted);
+
+ return result;
+}
diff --git a/src/main/auth.c b/src/main/auth.c
index db5ca81..36c2930 100644
--- a/src/main/auth.c
+++ b/src/main/auth.c
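Review bot: The lazy initialisation in lrad_crypt_check never runs, because `!lrad_crypt_init == 0` parses as `(!lrad_crypt_init) == 0`, which is false while lrad_crypt_init is 0, so pthread_mutex_lock() is called on a mutex that was never initialised; even with the condition corrected, the unlocked check-then-init is itself a race between the first concurrent callers. Replace both with a static initializer, `static pthread_mutex_t lrad_crypt_mutex = PTHREAD_MUTEX_INITIALIZER;`, drop lrad_crypt_init and the init block, and move that declaration inside `#if HAVE_PTHREAD_H` so the file still compiles where pthread.h is absent. The hunk also appears to contain the whole file three times (183 added lines for a 61-line source), which would redefine lrad_crypt_check and the two statics, and the "initializes authcrypt_mutex" comment block describes nothing and can go. The prototype added to libradius.h names the second parameter `salt` and omits the return contract; name it `crypted` there as well and repeat the 0 / 1 / -1 meanings in that header comment, since callers read the header rather than crypt.c.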
@@ -31,10 +31,6 @@ static const char rcsid[] = "$Id$"; #include #include -#if HAVE_CRYPT_H -# include -#endif - #if HAVE_NETINET_IN_H # include #endif @@ -190,7 +186,6 @@ int rad_check_password(REQUEST *request) VALUE_PAIR *password_pair; VALUE_PAIR *auth_item; char string[MAX_STRING_LEN]; - const char *crypted_password; int auth_type = -1; int result; int auth_type_count = 0; @@ -276,16 +271,13 @@ int rad_check_password(REQUEST *request) return -1; } - crypted_password = crypt((char *)auth_item->strvalue, - (char *)password_pair->strvalue); - if (!crypted_password) { - rad_authlog("Login incorrect " - "(system failed to supply an encrypted password for comparison)", request, 0); - return -1; - } - if (strcmp((char *)password_pair->strvalue, - crypted_password) != 0) { - return -1; + switch (lrad_crypt_check((char *)auth_item->strvalue, + (char *)password_pair->strvalue)) { + case -1: + rad_authlog("Login incorrect " + "(system failed to supply an encrypted password for comparison)", request, 0); + case 1: + return -1; } break; case PW_AUTHTYPE_LOCAL: diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c index 5a534df..0213ab7 100644 --- a/src/modules/rlm_pap/rlm_pap.c +++ b/src/modules/rlm_pap/rlm_pap.c @@ -58,9 +58,6 @@ static const char rcsid[] = "$Id$"; typedef struct rlm_pap_t { char *scheme; /* password encryption scheme */ int sch; -#if HAVE_PTHREAD_H - pthread_mutex_t mutex; -#endif } rlm_pap_t; /* @@ -124,9 +121,6 @@ static int pap_instantiate(CONF_SECTION *conf, void **instance) inst->sch = PAP_ENC_CLEAR; else if (strcasecmp(inst->scheme,"crypt") == 0){ inst->sch = PAP_ENC_CRYPT; -#if HAVE_PTHREAD_H - pthread_mutex_init(&inst->mutex, NULL); -#endif } else if (strcasecmp(inst->scheme,"md5") == 0) inst->sch = PAP_ENC_MD5; 
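Review bot: In rad_check_password the `case -1:` arm of the new switch drops into `case 1:` without a fall-through marker, so the fact that both the logged system failure and a plain mismatch return -1 reads like an accident rather than intent; add `/* FALL-THROUGH */` after the rad_authlog() call. The switch also has no `default:`, so only the two listed values reject and anything else falls out to `break;` and the password is accepted; an explicit `case 0: break; default: return -1;` keeps the check fail-closed if lrad_crypt_check's return values ever grow. The enclosing switch on auth_type starts and ends outside the hunk.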
@@ -221,25 +215,14 @@ static int pap_authenticate(void *instance, REQUEST *request) break; case PAP_ENC_CRYPT: DEBUG("rlm_pap: Using CRYPT encryption."); -#if HAVE_PTHREAD_H - pthread_mutex_lock(&inst->mutex); -#endif - if (strcmp((char *) passwd_item->strvalue, - crypt((char *) request->password->strvalue, - (char *) passwd_item->strvalue)) != 0) { -#if HAVE_PTHREAD_H - pthread_mutex_unlock(&inst->mutex); -#endif + if (lrad_crypt_check((char *) request->password->strvalue, + (char *) passwd_item->strvalue) != 0) { DEBUG("rlm_pap: Passwords don't match"); snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CRYPT password check failed"); module_fmsg_vp = pairmake("Module-Failure-Message",module_fmsg, T_OP_EQ); pairadd(&request->packet->vps, module_fmsg_vp); return RLM_MODULE_REJECT; } -#if HAVE_PTHREAD_H - else - pthread_mutex_unlock(&inst->mutex); -#endif break; case PAP_ENC_MD5: DEBUG("rlm_pap: Using MD5 encryption."); @@ -301,10 +284,6 @@ static int pap_detach(void *instance) { rlm_pap_t *inst = (rlm_pap_t *) instance; -#if HAVE_PTHREAD_H - if (inst->sch == PAP_ENC_CRYPT) - pthread_mutex_destroy(&inst->mutex); -#endif PAP_INST_FREE(inst); return 0; } diff --git a/src/modules/rlm_unix/cache.c b/src/modules/rlm_unix/cache.c index f850c6b..53bde18 100644 --- a/src/modules/rlm_unix/cache.c +++ b/src/modules/rlm_unix/cache.c @@ -50,10 +50,6 @@ static const char rcsid[] = "$Id$"; # include #endif -#if HAVE_CRYPT_H -# include -#endif - #include "radiusd.h" #include "cache.h" #include "compat.h" @@ -458,7 +454,6 @@ int H_unix_pass(struct pwcache *cache, char *name, char *passwd, { struct mypasswd *pwd; char *encrypted_pass; - char *encpw; /* * Get encrypted password from password file 
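Review bot: pap_authenticate now folds lrad_crypt_check()'s -1 (crypt() returned NULL) into the "Passwords don't match" branch, so a failure of the system crypt — for instance a stored hash in a format the libc does not support — is logged and reported through Module-Failure-Message as a wrong password, which sends an operator in the wrong direction; auth.c in this same patch keeps the two cases apart. Keep the reject in both cases, but capture the value, `int rc = lrad_crypt_check(...)`, and when `rc < 0` emit a DEBUG line and failure message saying the system failed to crypt the password rather than that the passwords differ. The same conflation occurs in the two H_unix_pass hunks of cache.c and the unix_authenticate hunk of rlm_unix.c. The enclosing switch in pap_authenticate starts and ends outside the hunk.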
@@ -491,11 +486,10 @@ int H_unix_pass(struct pwcache *cache, char *name, char *passwd, return 0; } - encpw = (char *)crypt(passwd, encrypted_pass); /* * Check password */ - if(strcmp(encpw, encrypted_pass) == 0) { + if(lrad_crypt_check(passwd, encrypted_pass) == 0) { /* * Add 'Class' pair here with value of full * name from passwd @@ -515,9 +509,7 @@ int H_unix_pass(struct pwcache *cache, char *name, char *passwd, /* * Check encrypted password. */ - encpw = (char *)crypt(passwd, encrypted_pass); - - if (strcmp(encpw, encrypted_pass)) + if (lrad_crypt_check(passwd, encrypted_pass)) return -1; return 0; diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c index b605e88..b96bd1d 100644 --- a/src/modules/rlm_unix/rlm_unix.c +++ b/src/modules/rlm_unix/rlm_unix.c @@ -41,10 +41,6 @@ static const char rcsid[] = "$Id$"; # include #endif -#if HAVE_CRYPT_H -# include -#endif - #ifdef OSFC2 # include # include @@ -365,7 +361,6 @@ static int unix_authenticate(void *instance, REQUEST *request) #define inst ((struct unix_instance *)instance) char *name, *passwd; struct passwd *pwd; - char *encpw; const char *encrypted_pass; int ret; #if HAVE_GETSPNAM @@ -601,8 +596,7 @@ static int unix_authenticate(void *instance, REQUEST *request) /* * Check encrypted password. */ - encpw = crypt(passwd, encrypted_pass); - if (strcmp(encpw, encrypted_pass)) { + if (lrad_crypt_check(passwd, encrypted_pass)) { radlog(L_AUTH, "rlm_unix: [%s]: invalid password", name); return RLM_MODULE_REJECT; } -- 2.1.4