Date: Thu, 5 Jul 2018 02:32:48 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: [PATCH 5/5] pam_tcb: request automatic prefix and entropy if
 libcrypt implements it

Specify null pointers as PREFIX and RBYTES arguments of crypt_gensalt*
functions if libcrypt supports this.
---
 pam_tcb/pam_tcb.8 |  3 ++-
 pam_tcb/support.c | 12 +++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/pam_tcb/pam_tcb.8 b/pam_tcb/pam_tcb.8
index 0c6ed3c..8447352 100644
--- a/pam_tcb/pam_tcb.8
+++ b/pam_tcb/pam_tcb.8
@@ -211,7 +211,8 @@ obsolete FreeBSD-derived MD5-based algorithm.
 When updating a user's password, generate the salt with the specified
 .I prefix
 (which determines the hashing method to use).
-The default is "$2y$", which requests
+Unless the underlying libcrypt library implements a default hashing method,
+the default is "$2y$", which requests
 .BR bcrypt ,
 a Blowfish-based hashing method, which supports variable iteration counts.
 .TP
diff --git a/pam_tcb/support.c b/pam_tcb/support.c
index 5a60a5d..5b72426 100644
--- a/pam_tcb/support.c
+++ b/pam_tcb/support.c
@@ -676,6 +676,11 @@ char *do_crypt(pam_handle_t *pamh, const char *pass)
 {
 	char *retval;
 	char *salt;
+
+#ifdef CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
+	salt = crypt_gensalt_ra(pam_unix_param.crypt_prefix,
+	    pam_unix_param.count, NULL, 0);
+#else
 	char entropy[16];
 	int fd;
 
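Review bot: The new crypt_gensalt_ra call in the CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY branch passes a null RBYTES and a zero size with no explanation, and a reader skimming do_crypt could take that for a missing entropy argument; a one-line comment would settle it: `/* null RBYTES with size 0: let libcrypt gather the entropy itself */`. The `#ifdef` opened here is only closed by the `#endif` added in the next hunk, after the memset of the local entropy buffer, so the `#else` branch spans the fd-based entropy read that lies between the two hunks and both branches converge on the same `if (!salt)` check, which is the right shape. When the macro is defined that whole fd path is compiled out, so the syslog line after the `#endif` becomes the only failure report for salt generation — presumably acceptable, but worth confirming. do_crypt's body extends beyond this hunk.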
@@ -695,6 +700,7 @@ char *do_crypt(pam_handle_t *pamh, const char *pass)
 	    pam_unix_param.count, entropy, sizeof(entropy));
 
 	memset(entropy, 0, sizeof(entropy));
+#endif
 
 	if (!salt) {
 		pam_syslog(pamh, LOG_CRIT, "crypt_gensalt_ra: %m");
@@ -833,7 +839,11 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int argc, const char **argv)
 		if (!parse_opt(pamh, *argv, the_cmdline_opts))
 			return 0;
 	param = get_optval("prefix=", the_cmdline_opts);
-	pam_unix_param.crypt_prefix = param ?: "$2y$";
+	pam_unix_param.crypt_prefix = param;
+#ifndef CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX
+	if (!pam_unix_param.crypt_prefix)
+		pam_unix_param.crypt_prefix = "$2y$";
+#endif
 
 	param = get_optval("helper=", the_cmdline_opts);
 	pam_unix_param.helper = param ?: CHKPWD_HELPER;
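Review bot: After this change pam_unix_param.crypt_prefix can legitimately stay NULL when CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX is defined, so every other reader of crypt_prefix in the module (any strcmp, strlen or `%s` logging of it) needs to be checked for null-safety; the only consumer visible in this patch, the crypt_gensalt_ra call in do_crypt, accepts a null prefix under the matching libcrypt macro. A one-line comment at the `#ifndef` would make the intent explicit for the next reader: `/* with a libcrypt default method, a null prefix selects it */`. _set_ctrl's body continues beyond this hunk.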
-- 
ldv


