emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

* configure.in: New configure option: --with-sha-crypt enabled by

Browse Source 
default. Keeping the feature enabled is safe. Disabling it permits
  to disable the references to the SHA256 and SHA512 password
  encryption algorithms from the usage help and manuals (in addition
  to the support for these algorithms in the code).
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
  src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
  always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
  preprocessor condition.
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
  src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
  SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
  subset of the ENCRYPTMETHOD_SELECT sections).
This commit is contained in:
nekral-guest 2007-11-24 13:08:08 +00:00
parent ee5c48d51c
commit 4d606cc690
8 changed files with 54 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ChangeLog
View File

@ -1,3 +1,19 @@
2007-11-24 Nicolas François <nicolas.francois@centraliens.net>
* configure.in: New configure option: --with-sha-crypt enabled by
default. Keeping the feature enabled is safe. Disabling it permits
to disable the references to the SHA256 and SHA512 password
encryption algorithms from the usage help and manuals (in addition
to the support for these algorithms in the code).
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
preprocessor condition.
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
subset of the ENCRYPTMETHOD_SELECT sections).
2007-11-24 Nicolas François <nicolas.francois@centraliens.net> 2007-11-24 Nicolas François <nicolas.francois@centraliens.net>
* lib/encrypt.c: If we requested a non DES encryption, make sure * lib/encrypt.c: If we requested a non DES encryption, make sure

9
configure.in
View File

@ -228,6 +228,14 @@ AC_ARG_WITH(skey,
AC_ARG_WITH(libcrack, AC_ARG_WITH(libcrack,
[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=yes if found and if PAM not enabled@:>@])], [AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=yes if found and if PAM not enabled@:>@])],
[with_libcrack=$withval], [with_libcrack=no]) [with_libcrack=$withval], [with_libcrack=no])
AC_ARG_WITH(sha-crypt,
[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
[with_sha_crypt=$withval], [with_sha_crypt=yes])
AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
dnl Check for some functions in libc first, only if not found check for dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really dnl other libraries. This should prevent linking libnsl if not really
@ -378,4 +386,5 @@ echo " PAM support: $with_libpam"
echo " SELinux support: $with_selinux" echo " SELinux support: $with_selinux"
echo " shadow group support: $enable_shadowgrp" echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey" echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo echo

15
libmisc/obscure.c
View File

@ -210,9 +210,7 @@ static const char *password_check (const char *old, const char *new,
int maxlen, oldlen, newlen; int maxlen, oldlen, newlen;
char *new1, *old1; char *new1, *old1;
const char *msg; const char *msg;
#ifdef ENCRYPTMETHOD_SELECT
char *result; char *result;
#endif
oldlen = strlen (old); oldlen = strlen (old);
newlen = strlen (new); newlen = strlen (new);
@ -230,9 +228,7 @@ static const char *password_check (const char *old, const char *new,
if (msg) if (msg)
return msg; return msg;
#ifdef ENCRYPTMETHOD_SELECT
if ((result = getdef_str ("ENCRYPT_METHOD")) == NULL) { if ((result = getdef_str ("ENCRYPT_METHOD")) == NULL) {
#endif
/* The traditional crypt() truncates passwords to 8 chars. It is /* The traditional crypt() truncates passwords to 8 chars. It is
possible to circumvent the above checks by choosing an easy possible to circumvent the above checks by choosing an easy
8-char password and adding some random characters to it... 8-char password and adding some random characters to it...
@ -242,16 +238,17 @@ static const char *password_check (const char *old, const char *new,
if (getdef_bool ("MD5_CRYPT_ENAB")) if (getdef_bool ("MD5_CRYPT_ENAB"))
return NULL; return NULL;
#ifdef ENCRYPTMETHOD_SELECT
} else { } else {
if (!strcmp (result, "MD5") || if ( !strcmp (result, "MD5")
!strcmp (result, "SHA256") || #ifdef USE_SHA_CRYPT
!strcmp (result, "SHA512")) || !strcmp (result, "SHA256")
|| !strcmp (result, "SHA512")
#endif
)
return NULL; return NULL;
} }
#endif
maxlen = getdef_num ("PASS_MAX_LEN", 8); maxlen = getdef_num ("PASS_MAX_LEN", 8);
if (oldlen <= maxlen && newlen <= maxlen) if (oldlen <= maxlen && newlen <= maxlen)
return NULL; return NULL;

6
libmisc/salt.c
View File

@ -58,7 +58,7 @@ char *l64a(long value)
*/ */
#define MAGNUM(array,ch) (array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0' #define MAGNUM(array,ch) (array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0'
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
/* /*
* Return the salt size. * Return the salt size.
* The size of the salt string is between 8 and 16 bytes for the SHA crypt * The size of the salt string is between 8 and 16 bytes for the SHA crypt
@ -187,15 +187,13 @@ char *crypt_make_salt (char *meth, void *arg)
if (NULL != meth) if (NULL != meth)
method = meth; method = meth;
else { else {
#ifdef ENCRYPTMETHOD_SELECT
if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL)
#endif
method = getdef_bool ("MD5_CRYPT_ENAB") ? "MD5" : "DES"; method = getdef_bool ("MD5_CRYPT_ENAB") ? "MD5" : "DES";
} }
if (!strcmp (method, "MD5")) { if (!strcmp (method, "MD5")) {
MAGNUM(result, '1'); MAGNUM(result, '1');
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
} else if (!strcmp (method, "SHA256")) { } else if (!strcmp (method, "SHA256")) {
MAGNUM(result, '5'); MAGNUM(result, '5');
strcat(result, SHA_salt_rounds((int *)arg)); strcat(result, SHA_salt_rounds((int *)arg));

10
src/chgpasswd.c
View File

@ -80,7 +80,7 @@ static void usage (void)
"%s" "%s"
"\n"), "\n"),
Prog, Prog,
#ifndef ENCRYPTMETHOD_SELECT #ifndef USE_SHA_CRYPT
"NONE DES MD5", "" "NONE DES MD5", ""
#else #else
"NONE DES MD5 SHA256 SHA512", "NONE DES MD5 SHA256 SHA512",
@ -127,7 +127,7 @@ int main (int argc, char **argv)
{"encrypted", no_argument, NULL, 'e'}, {"encrypted", no_argument, NULL, 'e'},
{"help", no_argument, NULL, 'h'}, {"help", no_argument, NULL, 'h'},
{"md5", no_argument, NULL, 'm'}, {"md5", no_argument, NULL, 'm'},
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'}, {"sha-rounds", required_argument, NULL, 's'},
#endif #endif
{NULL, 0, NULL, '\0'} {NULL, 0, NULL, '\0'}
@ -135,7 +135,7 @@ int main (int argc, char **argv)
while ((c = while ((c =
getopt_long (argc, argv, getopt_long (argc, argv,
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
"c:ehms:", "c:ehms:",
#else #else
"c:ehm", "c:ehm",
@ -156,7 +156,7 @@ int main (int argc, char **argv)
case 'm': case 'm':
md5flg = 1; md5flg = 1;
break; break;
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
case 's': case 's':
sflg = 1; sflg = 1;
if (!getlong(optarg, &sha_rounds)) { if (!getlong(optarg, &sha_rounds)) {
@ -195,7 +195,7 @@ int main (int argc, char **argv)
if ( 0 != strcmp (crypt_method, "DES") if ( 0 != strcmp (crypt_method, "DES")
&& 0 != strcmp (crypt_method, "MD5") && 0 != strcmp (crypt_method, "MD5")
&& 0 != strcmp (crypt_method, "NONE") && 0 != strcmp (crypt_method, "NONE")
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
&& 0 != strcmp (crypt_method, "SHA256") && 0 != strcmp (crypt_method, "SHA256")
&& 0 != strcmp (crypt_method, "SHA512") && 0 != strcmp (crypt_method, "SHA512")
#endif #endif

10
src/chpasswd.c
View File

@ -77,7 +77,7 @@ static void usage (void)
"%s" "%s"
"\n"), "\n"),
Prog, Prog,
#ifndef ENCRYPTMETHOD_SELECT #ifndef USE_SHA_CRYPT
"NONE DES MD5", "" "NONE DES MD5", ""
#else #else
"NONE DES MD5 SHA256 SHA512", "NONE DES MD5 SHA256 SHA512",
@ -123,7 +123,7 @@ int main (int argc, char **argv)
{"encrypted", no_argument, NULL, 'e'}, {"encrypted", no_argument, NULL, 'e'},
{"help", no_argument, NULL, 'h'}, {"help", no_argument, NULL, 'h'},
{"md5", no_argument, NULL, 'm'}, {"md5", no_argument, NULL, 'm'},
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'}, {"sha-rounds", required_argument, NULL, 's'},
#endif #endif
{NULL, 0, NULL, '\0'} {NULL, 0, NULL, '\0'}
@ -131,7 +131,7 @@ int main (int argc, char **argv)
while ((c = while ((c =
getopt_long (argc, argv, getopt_long (argc, argv,
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
"c:ehms:", "c:ehms:",
#else #else
"c:ehm", "c:ehm",
@ -152,7 +152,7 @@ int main (int argc, char **argv)
case 'm': case 'm':
md5flg = 1; md5flg = 1;
break; break;
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
case 's': case 's':
sflg = 1; sflg = 1;
if (!getlong(optarg, &sha_rounds)) { if (!getlong(optarg, &sha_rounds)) {
@ -191,7 +191,7 @@ int main (int argc, char **argv)
if ( 0 != strcmp (crypt_method, "DES") if ( 0 != strcmp (crypt_method, "DES")
&& 0 != strcmp (crypt_method, "MD5") && 0 != strcmp (crypt_method, "MD5")
&& 0 != strcmp (crypt_method, "NONE") && 0 != strcmp (crypt_method, "NONE")
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
&& 0 != strcmp (crypt_method, "SHA256") && 0 != strcmp (crypt_method, "SHA256")
&& 0 != strcmp (crypt_method, "SHA512") && 0 != strcmp (crypt_method, "SHA512")
#endif #endif

10
src/newusers.c
View File

@ -84,7 +84,7 @@ static void usage (void)
"%s" "%s"
"\n"), "\n"),
Prog, Prog,
#ifndef ENCRYPTMETHOD_SELECT #ifndef USE_SHA_CRYPT
"NONE DES MD5", "" "NONE DES MD5", ""
#else #else
"NONE DES MD5 SHA256 SHA512", "NONE DES MD5 SHA256 SHA512",
@ -344,7 +344,7 @@ int main (int argc, char **argv)
static struct option long_options[] = { static struct option long_options[] = {
{"crypt-method", required_argument, NULL, 'c'}, {"crypt-method", required_argument, NULL, 'c'},
{"help", no_argument, NULL, 'h'}, {"help", no_argument, NULL, 'h'},
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'}, {"sha-rounds", required_argument, NULL, 's'},
#endif #endif
{NULL, 0, NULL, '\0'} {NULL, 0, NULL, '\0'}
@ -352,7 +352,7 @@ int main (int argc, char **argv)
while ((c = while ((c =
getopt_long (argc, argv, getopt_long (argc, argv,
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
"c:hs:", "c:hs:",
#else #else
"c:h", "c:h",
@ -367,7 +367,7 @@ int main (int argc, char **argv)
case 'h': case 'h':
usage (); usage ();
break; break;
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
case 's': case 's':
sflg = 1; sflg = 1;
if (!getlong(optarg, &sha_rounds)) { if (!getlong(optarg, &sha_rounds)) {
@ -399,7 +399,7 @@ int main (int argc, char **argv)
if ( 0 != strcmp (crypt_method, "DES") if ( 0 != strcmp (crypt_method, "DES")
&& 0 != strcmp (crypt_method, "MD5") && 0 != strcmp (crypt_method, "MD5")
&& 0 != strcmp (crypt_method, "NONE") && 0 != strcmp (crypt_method, "NONE")
#ifdef ENCRYPTMETHOD_SELECT #ifdef USE_SHA_CRYPT
&& 0 != strcmp (crypt_method, "SHA256") && 0 != strcmp (crypt_method, "SHA256")
&& 0 != strcmp (crypt_method, "SHA512") && 0 != strcmp (crypt_method, "SHA512")
#endif #endif

15
src/passwd.c
View File

@ -204,9 +204,7 @@ static int new_password (const struct passwd *pw)
int i; /* Counter for retries */ int i; /* Counter for retries */
int warned; int warned;
int pass_max_len = -1; int pass_max_len = -1;
#ifdef ENCRYPTMETHOD_SELECT
char *method; char *method;
#endif
#ifdef HAVE_LIBCRACK_HIST #ifdef HAVE_LIBCRACK_HIST
int HistUpdate (const char *, const char *); int HistUpdate (const char *, const char *);
@ -244,21 +242,20 @@ static int new_password (const struct passwd *pw)
* for strength, unless it is the root user. This provides an escape * for strength, unless it is the root user. This provides an escape
* for initial login passwords. * for initial login passwords.
*/ */
#ifdef ENCRYPTMETHOD_SELECT
if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) { if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
#endif
if (!getdef_bool ("MD5_CRYPT_ENAB")) if (!getdef_bool ("MD5_CRYPT_ENAB"))
pass_max_len = getdef_num ("PASS_MAX_LEN", 8); pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
#ifdef ENCRYPTMETHOD_SELECT
} else { } else {
if (!strcmp (method, "MD5") || if ( !strcmp (method, "MD5")
!strcmp (method, "SHA256") || #ifdef USE_SHA_CRYPT
!strcmp (method, "SHA512")) || !strcmp (method, "SHA256")
|| !strcmp (method, "SHA512")
#endif
)
pass_max_len = -1; pass_max_len = -1;
else else
pass_max_len = getdef_num ("PASS_MAX_LEN", 8); pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
} }
#endif
if (!qflg) { if (!qflg) {
if (pass_max_len == -1) { if (pass_max_len == -1) {
printf (_( printf (_(