From 166a3e6260ee97ab891ee99170ffc544c409f346 Mon Sep 17 00:00:00 2001
From: kcwu
Date: Thu, 26 Jun 2003 02:25:40 +0000
Subject: always clear plaintext password in memory after checking code clean up
git-svn-id: http://opensvn.csie.org/pttbbs/pttbbs/trunk/pttbbs@972 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
---
 mbbsd/register.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
(limited to 'mbbsd')
diff --git a/mbbsd/register.c b/mbbsd/register.c
index 63aa579f..51880eb7 100644
--- a/mbbsd/register.c
+++ b/mbbsd/register.c
@@ -1,9 +1,7 @@
-/* $Id: register.c,v 1.12 2003/06/19 15:49:07 bbs Exp $ */
+/* $Id: register.c,v 1.13 2003/06/26 02:25:40 kcwu Exp $ */
 #define _XOPEN_SOURCE
 #include "bbs.h"
-/* password encryption */
-static char pwbuf[14];
 char *
 genpasswd(char *pw)
@@ -24,20 +22,25 @@ genpasswd(char *pw)
 c += 6;
 saltc[i] = c;
 }
- strlcpy(pwbuf, pw, sizeof(pwbuf));
- return crypt(pwbuf, saltc);
+ return crypt(pw, saltc);
 }
 return "";
 }
+// NOTE it will clean string in "plain"
 int
-checkpasswd(char *passwd, char *test)
+checkpasswd(char *passwd, char *plain)
 {
+ int ok;
 char *pw;
- strncpy(pwbuf, test, 14);
- pw = crypt(pwbuf, passwd);
- return (!strncmp(pw, passwd, 14));
+ ok = 0;
+ pw = crypt(plain, passwd);
+ if(pw && strcmp(pw, passwd)==0)
+ ok = 1;
+ memset(plain, 0, strlen(plain));
+
+ return ok;
 }
 /* Àˬd user µù¥U±¡ªp */
--
cgit v1.2.3
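Review bot: The wipe added at the end of checkpasswd in the second hunk, `memset(plain, 0, strlen(plain));`, is an ordinary store that an optimizer may drop if the call is inlined into a caller that never reads the buffer again, so the plaintext can outlive the check. Where the platform provides it, `explicit_bzero(plain, strlen(plain));` (or a memset reached through a volatile function pointer) keeps the clear from being elided. The length is taken from strlen, so only bytes up to the first NUL are cleared; a caller holding a larger input buffer still has to wipe the remainder itself, and the one-line NOTE comment would be clearer if it said so. Separately, replacing `strncmp(pw, passwd, 14)` with `strcmp(pw, passwd)` removes the bound on reading `passwd`, which presumably comes from the stored user record; the new comparison relies on that field always being NUL-terminated, which is not visible in this hunk.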