sudo/plugins/sudoers/auth/passwd.c

/*
 * SPDX-License-Identifier: ISC
 *
 * Copyright (c) 1999-2005, 2010-2015 Todd C. Miller <Todd.Miller@sudo.ws>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 * Sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 */

/*
 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
 */

#include <config.h>

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

#include "sudoers.h"
#include "sudo_auth.h"

#define DESLEN			13
#define HAS_AGEINFO(p, l)	(l == 18 && p[DESLEN] == ',')

int
sudo_passwd_init(const struct sudoers_context *ctx, struct passwd *pw,
    sudo_auth *auth)
{
    debug_decl(sudo_passwd_init, SUDOERS_DEBUG_AUTH);

    /* Only initialize once. */
    if (auth->data != NULL)
	debug_return_int(AUTH_SUCCESS);

#ifdef HAVE_SKEYACCESS
    if (skeyaccess(pw, ctx->user.tty, NULL, NULL) == 0)
	debug_return_int(AUTH_FAILURE);
#endif
    sudo_setspent();
    auth->data = sudo_getepw(pw);
    sudo_endspent();
    debug_return_int(auth->data ? AUTH_SUCCESS : AUTH_FATAL);
}

#ifdef HAVE_CRYPT
int
sudo_passwd_verify(const struct sudoers_context *ctx, struct passwd *pw,
    const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
    char des_pass[9], *epass;
    char *pw_epasswd = auth->data;
    size_t pw_len;
    int matched = 0;
    debug_decl(sudo_passwd_verify, SUDOERS_DEBUG_AUTH);

    /* An empty plain-text password must match an empty encrypted password. */
    if (pass[0] == '\0')
	debug_return_int(pw_epasswd[0] ? AUTH_FAILURE : AUTH_SUCCESS);

    /*
     * Truncate to 8 chars if standard DES since not all crypt()'s do this.
     */
    pw_len = strlen(pw_epasswd);
    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
	strlcpy(des_pass, pass, sizeof(des_pass));
	pass = des_pass;
    }

    /*
     * Normal UN*X password check.
     * HP-UX may add aging info (separated by a ',') at the end so
     * only compare the first DESLEN characters in that case.
     */
    epass = (char *) crypt(pass, pw_epasswd);
    if (epass != NULL) {
	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
	    matched = !strncmp(pw_epasswd, epass, DESLEN);
	else
	    matched = !strcmp(pw_epasswd, epass);
    }

    explicit_bzero(des_pass, sizeof(des_pass));

    debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
}
#else
int
sudo_passwd_verify(const struct sudoers_context *ctx, struct passwd *pw,
    const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
    char *pw_passwd = auth->data;
    int matched;
    debug_decl(sudo_passwd_verify, SUDOERS_DEBUG_AUTH);

    /* Simple string compare for systems without crypt(). */
    matched = !strcmp(pass, pw_passwd);

    debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
}
#endif

int
sudo_passwd_cleanup(const struct sudoers_context *ctx, struct passwd *pw,
    sudo_auth *auth, bool force)
{
    debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH);

    if (auth->data != NULL) {
	/* Zero out encrypted password before freeing. */
	size_t len = strlen((char *)auth->data);
	freezero(auth->data, len);
	auth->data = NULL;
    }

    debug_return_int(AUTH_SUCCESS);
}
New authentication API and methods 1999-07-11 00:32:11 +00:00			`/*`
Add SPDX-License-Identifier to files. 2019-04-29 07:21:51 -06:00			`* SPDX-License-Identifier: ISC`
			`*`
update my email to Todd.Miller@sudo.ws 2017-12-03 17:53:40 -07:00			`* Copyright (c) 1999-2005, 2010-2015 Todd C. Miller <Todd.Miller@sudo.ws>`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`*`
More to a less restrictive, ISC-style license. 2004-02-13 21:36:49 +00:00			`* Permission to use, copy, modify, and distribute this software for any`
			`* purpose with or without fee is hereby granted, provided that the above`
			`* copyright notice and this permission notice appear in all copies.`
add 4th term to license similar to term 5 in the apache license 1999-07-31 16:19:50 +00:00			`*`
More to a less restrictive, ISC-style license. 2004-02-13 21:36:49 +00:00			`* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES`
			`* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF`
			`* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR`
			`* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES`
			`* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN`
			`* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF`
			`* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.`
add DARPA credit on affected files 2003-04-16 00:42:10 +00:00			`*`
			`* Sponsored in part by the Defense Advanced Research Projects`
			`* Agency (DARPA) and Air Force Research Laboratory, Air Force`
			`* Materiel Command, USAF, under agreement number F39502-99-1-0512.`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`*/`

Convert PVS-Studio comment to ANSI C. 2018-10-26 08:39:09 -06:00			`/*`
			`* This is an open source non-commercial project. Dear PVS-Studio, please check it.`
			`* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com`
			`*/`
Add comments in .c files so PVS-Studio will check them. 2018-10-21 08:46:05 -06:00
Use: #include <config.h> Not: #include "config.h" That way we get the correct config.h when build dir != src dir 2004-11-19 18:39:14 +00:00			`#include <config.h>`
New authentication API and methods 1999-07-11 00:32:11 +00:00
o Reorder some headers and use STDC_HEADERS define properly o Update copyright year 2001-12-14 19:52:54 +00:00			`#include <sys/types.h>`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`#include <stdio.h>`
We require ANSI C so stop using the obsolete STDC_HEADERS. 2015-06-19 14:29:27 -06:00			`#include <stdlib.h>`
Include string.h unconditionally and only use strings.h for strn?casecmp() In the pre-POSIX days BSD had strings.h, not string.h. Now strings.h is only used for non-ANSI string functions. 2020-05-18 07:59:24 -06:00			`#include <string.h>`
There's no need to conditionalize the #include <unistd.h>, we require a POSIX system. 2015-07-02 09:08:28 -06:00			`#include <unistd.h>`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`#include <pwd.h>`

Initial bits of sudoers plugin; still needs work. 2010-03-14 19:58:47 -04:00			`#include "sudoers.h"`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`#include "sudo_auth.h"`

Better fix for handling HP-UX aging info. 2000-03-23 00:27:41 +00:00			`#define DESLEN 13`
			`#define HAS_AGEINFO(p, l) (l == 18 && p[DESLEN] == ',')`

Add support for skeyaccess(3) if it is present in libskey. 2001-12-14 06:15:08 +00:00			`int`
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. 2023-08-21 09:21:49 -06:00			`sudo_passwd_init(const struct sudoers_context ctx, struct passwd pw,`
			`sudo_auth *auth)`
Add support for skeyaccess(3) if it is present in libskey. 2001-12-14 06:15:08 +00:00			`{`
debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00			`debug_decl(sudo_passwd_init, SUDOERS_DEBUG_AUTH);`
Add debug_decl/debug_return (almost) everywhere. Remove old sudo_debug() and convert users to sudo_debug_printf(). 2011-10-22 14:40:21 -04:00
Avoid reinitializing other auth methods. 2021-09-21 20:05:35 -06:00			`/* Only initialize once. */`
			`if (auth->data != NULL)`
			`debug_return_int(AUTH_SUCCESS);`

Add support for skeyaccess(3) if it is present in libskey. 2001-12-14 06:15:08 +00:00			`#ifdef HAVE_SKEYACCESS`
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. 2023-08-21 09:21:49 -06:00			`if (skeyaccess(pw, ctx->user.tty, NULL, NULL) == 0)`
Add debug_decl/debug_return (almost) everywhere. Remove old sudo_debug() and convert users to sudo_debug_printf(). 2011-10-22 14:40:21 -04:00			`debug_return_int(AUTH_FAILURE);`
Add support for skeyaccess(3) if it is present in libskey. 2001-12-14 06:15:08 +00:00			`#endif`
No need to look up shadow password unless we are doing password-style authentication. This moves the shadow password lookup to the auth functions that need it. 2010-08-06 13:55:33 -04:00			`sudo_setspent();`
			`auth->data = sudo_getepw(pw);`
			`sudo_endspent();`
Use non-exiting allocatings in the sudoers plugin. 2015-06-17 06:49:59 -06:00			`debug_return_int(auth->data ? AUTH_SUCCESS : AUTH_FATAL);`
Add support for skeyaccess(3) if it is present in libskey. 2001-12-14 06:15:08 +00:00			`}`

Use a simple string compare on systems without crypt(3). This is only used on systems without PAM, BSD authentication or AIX authentication. Bug #940. 2020-09-18 08:18:07 -06:00			`#ifdef HAVE_CRYPT`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`int`
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. 2023-08-21 09:21:49 -06:00			`sudo_passwd_verify(const struct sudoers_context ctx, struct passwd pw,`
			`const char pass, sudo_auth auth, struct sudo_conv_callback *callback)`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`{`
Fix CVE-2022-43995, potential heap overflow for passwords < 8 characters. Starting with sudo 1.8.0 the plaintext password buffer is dynamically sized so it is not safe to assume that it is at least 9 bytes in size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. 2022-10-28 07:29:55 -06:00			`char des_pass[9], *epass;`
No need to look up shadow password unless we are doing password-style authentication. This moves the shadow password lookup to the auth functions that need it. 2010-08-06 13:55:33 -04:00			`char *pw_epasswd = auth->data;`
Better fix for handling HP-UX aging info. 2000-03-23 00:27:41 +00:00			`size_t pw_len;`
Check for crypt() returning NULL. Traditionally, crypt() never returned NULL but newer versions of eglibc have a crypt() that does. Bug #598 2013-04-11 13:10:40 -04:00			`int matched = 0;`
debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00			`debug_decl(sudo_passwd_verify, SUDOERS_DEBUG_AUTH);`
New authentication API and methods 1999-07-11 00:32:11 +00:00
Historically, crypt() returned the empty string on error, which ensured that crypt("", "") would return "", which supported matcing empty encrypted passwords with no additional code. Some modern versions of crypt() (such as glibc) return NULL on error so we need an explicit test to match an empty plaintext password and an empty encrypted password. 2015-02-19 14:17:57 -07:00			`/* An empty plain-text password must match an empty encrypted password. */`
			`if (pass[0] == '\0')`
			`debug_return_int(pw_epasswd[0] ? AUTH_FAILURE : AUTH_SUCCESS);`
Better fix for handling HP-UX aging info. 2000-03-23 00:27:41 +00:00
Truncate unencrypted password to 8 chars if encrypted password is exactly 13 characters (indicateing standard a DES password). Many versions of crypt() do this for you, but not all (like HP-UX's). 2000-03-03 23:04:50 +00:00			`/*`
			`* Truncate to 8 chars if standard DES since not all crypt()'s do this.`
			`*/`
Historically, crypt() returned the empty string on error, which ensured that crypt("", "") would return "", which supported matcing empty encrypted passwords with no additional code. Some modern versions of crypt() (such as glibc) return NULL on error so we need an explicit test to match an empty plaintext password and an empty encrypted password. 2015-02-19 14:17:57 -07:00			`pw_len = strlen(pw_epasswd);`
Fix CVE-2022-43995, potential heap overflow for passwords < 8 characters. Starting with sudo 1.8.0 the plaintext password buffer is dynamically sized so it is not safe to assume that it is at least 9 bytes in size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. 2022-10-28 07:29:55 -06:00			`if (pw_len == DESLEN \|\| HAS_AGEINFO(pw_epasswd, pw_len)) {`
			`strlcpy(des_pass, pass, sizeof(des_pass));`
			`pass = des_pass;`
			`}`
Truncate unencrypted password to 8 chars if encrypted password is exactly 13 characters (indicateing standard a DES password). Many versions of crypt() do this for you, but not all (like HP-UX's). 2000-03-03 23:04:50 +00:00
HP-UX adds extra info at the end for password aging so when comparing the result of crypt to pw_passwd we only compare the first len(epass) bytes unless the user entered an empty string for a password. 2000-03-13 20:52:25 +00:00			`/*`
			`* Normal UN*X password check.`
Better fix for handling HP-UX aging info. 2000-03-23 00:27:41 +00:00			`* HP-UX may add aging info (separated by a ',') at the end so`
			`* only compare the first DESLEN characters in that case.`
HP-UX adds extra info at the end for password aging so when comparing the result of crypt to pw_passwd we only compare the first len(epass) bytes unless the user entered an empty string for a password. 2000-03-13 20:52:25 +00:00			`*/`
No need to look up shadow password unless we are doing password-style authentication. This moves the shadow password lookup to the auth functions that need it. 2010-08-06 13:55:33 -04:00			`epass = (char *) crypt(pass, pw_epasswd);`
Check for crypt() returning NULL. Traditionally, crypt() never returned NULL but newer versions of eglibc have a crypt() that does. Bug #598 2013-04-11 13:10:40 -04:00			`if (epass != NULL) {`
			`if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)`
			`matched = !strncmp(pw_epasswd, epass, DESLEN);`
			`else`
			`matched = !strcmp(pw_epasswd, epass);`
			`}`
New authentication API and methods 1999-07-11 00:32:11 +00:00
sudo_passwd_verify: zero out des_pass before returning. 2022-11-08 13:17:11 -07:00			`explicit_bzero(des_pass, sizeof(des_pass));`

Check for crypt() returning NULL. Traditionally, crypt() never returned NULL but newer versions of eglibc have a crypt() that does. Bug #598 2013-04-11 13:10:40 -04:00			`debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);`
New authentication API and methods 1999-07-11 00:32:11 +00:00			`}`
Use a simple string compare on systems without crypt(3). This is only used on systems without PAM, BSD authentication or AIX authentication. Bug #940. 2020-09-18 08:18:07 -06:00			`#else`
			`int`
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. 2023-08-21 09:21:49 -06:00			`sudo_passwd_verify(const struct sudoers_context ctx, struct passwd pw,`
			`const char pass, sudo_auth auth, struct sudo_conv_callback *callback)`
Use a simple string compare on systems without crypt(3). This is only used on systems without PAM, BSD authentication or AIX authentication. Bug #940. 2020-09-18 08:18:07 -06:00			`{`
			`char *pw_passwd = auth->data;`
			`int matched;`
			`debug_decl(sudo_passwd_verify, SUDOERS_DEBUG_AUTH);`

Apply Google inclusive language guidelines. Also replace backwards with backward. 2020-10-30 10:15:30 -06:00			`/* Simple string compare for systems without crypt(). */`
Use a simple string compare on systems without crypt(3). This is only used on systems without PAM, BSD authentication or AIX authentication. Bug #940. 2020-09-18 08:18:07 -06:00			`matched = !strcmp(pass, pw_passwd);`

			`debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);`
			`}`
			`#endif`
No need to look up shadow password unless we are doing password-style authentication. This moves the shadow password lookup to the auth functions that need it. 2010-08-06 13:55:33 -04:00
			`int`
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. 2023-08-21 09:21:49 -06:00			`sudo_passwd_cleanup(const struct sudoers_context ctx, struct passwd pw,`
			`sudo_auth *auth, bool force)`
No need to look up shadow password unless we are doing password-style authentication. This moves the shadow password lookup to the auth functions that need it. 2010-08-06 13:55:33 -04:00			`{`
debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00			`debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH);`
No need to look up shadow password unless we are doing password-style authentication. This moves the shadow password lookup to the auth functions that need it. 2010-08-06 13:55:33 -04:00
sudo_passwd_cleanup: Set auth->data to NULL after freeing. GitHub issue #201 2022-11-17 08:10:35 -07:00			`if (auth->data != NULL) {`
			`/* Zero out encrypted password before freeing. */`
			`size_t len = strlen((char *)auth->data);`
			`freezero(auth->data, len);`
			`auth->data = NULL;`
			`}`
Use OpenBSD-compatible freezero() in place of explicit_bzero() + free() 2020-08-10 19:24:33 -06:00
Add debug_decl/debug_return (almost) everywhere. Remove old sudo_debug() and convert users to sudo_debug_printf(). 2011-10-22 14:40:21 -04:00			`debug_return_int(AUTH_SUCCESS);`
No need to look up shadow password unless we are doing password-style authentication. This moves the shadow password lookup to the auth functions that need it. 2010-08-06 13:55:33 -04:00			`}`