CVE-2016-6210: Mitigate user enumeration via covert timing channel.

1 files changed, 40 insertions, 0 deletions

diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 8577cbd8a..cf6a9b99f 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -25,6 +25,7 @@
 #include "includes.h"
 
 #include <sys/types.h>
+#include <string.h>
 #include <unistd.h>
 #include <pwd.h>
 
@@ -62,11 +63,50 @@
 #  define crypt DES_crypt
 # endif
 
+/*
+ * Pick an appropriate password encryption type and salt for the running
+ * system by searching through accounts until we find one that has a valid
+ * salt.  Usually this will be root unless the root account is locked out.
+ * If we don't find one we return a traditional DES-based salt.
+ */
+static const char *
+pick_salt(void)
+{
+        struct passwd *pw;
+        char *passwd, *p;
+        size_t typelen;
+        static char salt[32];
+
+        if (salt[0] != '\0')
+                return salt;
+        strlcpy(salt, "xx", sizeof(salt));
+        setpwent();
+        while ((pw = getpwent()) != NULL) {
+                passwd = shadow_pw(pw);
+                if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
+                        typelen = p - passwd + 1;
+                        strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+                        explicit_bzero(passwd, strlen(passwd));
+                        goto out;
+                }
+        }
+ out:
+        endpwent();
+        return salt;
+}
+
 char *
 xcrypt(const char *password, const char *salt)
 {
         char *crypted;
 
+        /*
+         * If we don't have a salt we are encrypting a fake password for
+         * for timing purposes.  Pick an appropriate salt.
+         */
+        if (salt == NULL)
+                salt = pick_salt();
+
 # ifdef HAVE_MD5_PASSWORDS
         if (is_md5_salt(salt))
                 crypted = md5_crypt(password, salt);