From ee5c48d51c527eff1807b02457c106872d5bdd77 Mon Sep 17 00:00:00 2001
From: nekral-guest
Date: Sat, 24 Nov 2007 00:37:37 +0000
Subject: [PATCH] If we requested a non DES encryption, make sure crypt returned a encrypted password longer than 13 chars. This protects against the GNU crypt() which does not return NULL if the algorithm is not supported, and return a DES encrypted password.

---
 ChangeLog     |  7 +++++++
 lib/encrypt.c | 26 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 92dc4816..ddd49437 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2007-11-24 Nicolas François
+
+	* lib/encrypt.c: If we requested a non DES encryption, make sure
+	crypt returned a encrypted password longer than 13 chars. This
+	protects against the GNU crypt() which does not return NULL if the
+	algorithm is not supported, and return a DES encrypted password.
+
 2007-11-24 Nicolas François
 
 	* lib/groupio.c: Add missing #include "getdef.h"
diff --git a/lib/encrypt.c b/lib/encrypt.c
index 44f04362..eda9713f 100644
--- a/lib/encrypt.c
+++ b/lib/encrypt.c
@@ -49,6 +49,32 @@ char *pw_encrypt (const char *clear, const char *salt)
 		perror ("crypt");
 		exit (1);
 	}
+
+	/* The GNU crypt does not return NULL if the algorithm is not
+	 * supported, and return a DES encrypted password. */
+	if (salt && salt[0] == '$' && strlen (cp) <= 13)
+	{
+		char *method = "$1$";
+		switch (salt[1])
+		{
+		case '1':
+			method = "MD5";
+			break;
+		case '5':
+			method = "SHA256";
+			break;
+		case '6':
+			method = "SHA512";
+			break;
+		default:
+			method[1] = salt[1];
+		}
+		fprintf (stderr,
+		         _("crypt method not supported by libcrypt? (%s)\n"),
+		         method);
+		exit (1);
+	}
+
 	if (strlen (cp) != 13)
 		return cp;	/* nonstandard crypt() in libc, better bail out */
 	strcpy (cipher, cp);
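Review bot: `method[1] = salt[1];` in the default branch of the new switch writes into the string literal `"$1$"` that `method` points to, which is undefined behaviour and on most toolchains a write to read-only memory, so an unrecognised `$x$` prefix crashes in the diagnostic path instead of reporting which method libcrypt rejected. Use a writable local for the unknown case and keep the pointer const: `char unknown[] = "$?$";`, `const char *method = unknown;`, and in the default branch `unknown[1] = salt[1];`. The initial value `"$1$"` is also misleading, since `$1$` is the MD5 prefix already handled by `case '1'`. pw_encrypt starts and ends outside the hunk.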