Diffstat (limited to 'modules/pam_unix/unix_chkpwd.c')
-rw-r--r--modules/pam_unix/unix_chkpwd.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 9581d046..9ba11041 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -149,7 +149,16 @@ static int _unix_verify_password(const char *name, const char *p, int opt)
}
} else {
pp = bigcrypt(p, salt);
- if (strcmp(pp, salt) == 0) {
+ /*
+ * Note, we are comparing the bigcrypt of the password with
+ * the contents of the password field. If the latter was
+ * encrypted with regular crypt (and not bigcrypt) it will
+ * have been truncated for storage relative to the output
+ * of bigcrypt here. As such we need to compare only the
+ * stored string with the subset of bigcrypt's result.
+ * Bug 521314: the strncmp comparison is for legacy support.
+ */
+ if (strncmp(pp, salt, strlen(salt)) == 0) {
retval = UNIX_PASSED;
}
}
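Review bot: The new `strncmp(pp, salt, strlen(salt))` on the last added line accepts the password whenever the stored field is a prefix of the bigcrypt output, so its strength now depends entirely on the length of `salt`: a very short or truncated stored field (in the degenerate case an empty one, where `strlen(salt)` is 0 and strncmp compares nothing) would match any candidate password unless that case is rejected earlier in `_unix_verify_password`, which starts before this hunk and is not visible here. The legacy case the comment describes is a stored traditional crypt(3) result, which has a fixed length of 13 characters, so the prefix comparison can be limited to that case while still requiring a full match otherwise, e.g. `size_t slen = strlen(salt);` / `if (pp != NULL && slen >= 13 && strncmp(pp, salt, slen) == 0) {` (the `pp != NULL` guard matters only if bigcrypt can return NULL on failure, which this hunk does not show). The function's body continues outside the hunk, so where an empty or malformed password field is handled before this point should be confirmed before relying on it.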