From 2923d026e55998133c0f6e5186dca2a3c0fa5ff5 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Sat, 26 Mar 2022 12:49:50 +1100
Subject: Factor out platform-specific locked account check.

Also fixes an incorrect free on platforms with both libiaf and shadow
passwords (probably only Unixware).  Prompted by github PR#284,
originally from @c3h2_ctf and stoeckmann@.
---
 platform.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

(limited to 'platform.c')

diff --git a/platform.c b/platform.c
index 44ba71dc..4fe8744e 100644
--- a/platform.c
+++ b/platform.c
@@ -18,6 +18,7 @@
 
 #include <stdarg.h>
 #include <stdio.h>
+#include <string.h>
 #include <unistd.h>
 
 #include "log.h"
@@ -197,3 +198,53 @@ platform_krb5_get_principal_name(const char *pw_name)
 	return NULL;
 #endif
 }
+
+/* returns 1 if account is locked */
+int
+platform_locked_account(struct passwd *pw)
+{
+	int locked = 0;
+	char *passwd = pw->pw_passwd;
+#ifdef USE_SHADOW
+	struct spwd *spw = NULL;
+#ifdef USE_LIBIAF
+	char *iaf_passwd = NULL;
+#endif
+
+	spw = getspnam(pw->pw_name);
+#ifdef HAS_SHADOW_EXPIRE
+	if (spw != NULL && auth_shadow_acctexpired(spw))
+		return 1;
+#endif /* HAS_SHADOW_EXPIRE */
+
+	if (spw != NULL)
+#ifdef USE_LIBIAF
+		iaf_passwd = passwd = get_iaf_password(pw);
+#else
+		passwd = spw->sp_pwdp;
+#endif /* USE_LIBIAF */
+#endif
+
+	/* check for locked account */
+	if (passwd && *passwd) {
+#ifdef LOCKED_PASSWD_STRING
+		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
+			locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_PREFIX
+		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
+		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
+			locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_SUBSTR
+		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
+			locked = 1;
+#endif
+	}
+#ifdef USE_LIBIAF
+	if (iaf_passwd != NULL)
+		freezero(iaf_passwd, strlen(iaf_passwd));
+#endif /* USE_LIBIAF */
+
+	return locked;
+}
-- 
cgit v1.2.1