Hello,
Le mar. 3 mai 2022 à 13:58, Andreas Helmcke <a...@helmcke.name> a écrit :
>
> Adds an option to the Login/Password Management Utilities menu to enable
> bcrypt support in passwd and chpasswd.
>
> Add support for bcrypt to BusyBox chpasswd & passwd.
>
> Based on patch proposed by Scott Court.
>
> Changes to the orignal patch:
> - added config option for bcrypt cost
> - made code changes fully dependend on config option
> - changed algorithm tag to $2b$
> - help texts added for bcrypt option
>
> Signed-off-by: Andreas Helmcke <a...@helmcke.name>
> ---
> include/libbb.h | 5 +++++
> include/usage.src.h | 5 +++++
> libbb/pw_encrypt.c | 18 ++++++++++++++++++
> loginutils/Config.src | 22 ++++++++++++++++++++++
> loginutils/chpasswd.c | 3 ++-
> 5 files changed, 52 insertions(+), 1 deletion(-)
>
> diff --git a/include/libbb.h b/include/libbb.h
> index 6aeec249d..c6f769082 100644
> --- a/include/libbb.h
> +++ b/include/libbb.h
> @@ -1776,8 +1776,13 @@ extern int obscure(const char *old, const char
> *newval, const struct passwd *pwd
> * (otherwise we risk having same salt generated)
> */
> extern int crypt_make_salt(char *p, int cnt /*, int rnd*/) FAST_FUNC;
> +#if ENABLE_USE_BCRYPT
> +/* "$NX$10$" + bcrypt_salt_24_bytes + NUL */
> +#define MAX_PW_SALT_LEN (7 + 24 + 1)
> +#else
> /* "$N$" + sha_salt_16_bytes + NUL */
> #define MAX_PW_SALT_LEN (3 + 16 + 1)
> +#endif
> extern char* crypt_make_pw_salt(char p[MAX_PW_SALT_LEN], const char
> *algo) FAST_FUNC;
>
>
> diff --git a/include/usage.src.h b/include/usage.src.h
> index 5d2038834..d8a679ab3 100644
> --- a/include/usage.src.h
> +++ b/include/usage.src.h
> @@ -18,8 +18,13 @@
> #define scripted_full_usage ""
>
> #if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
> +#if ENABLE_USE_BCRYPT
> +# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512,bcrypt" \
> + " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
> +#else
> # define CRYPT_METHODS_HELP_STR "des,md5,sha256/512" \
> " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
> +#endif
> #else
> # define CRYPT_METHODS_HELP_STR "des,md5" \
> " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
> diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
> index 3463fd95b..2da4ab1d0 100644
> --- a/libbb/pw_encrypt.c
> +++ b/libbb/pw_encrypt.c
> @@ -70,6 +70,24 @@ char* FAST_FUNC crypt_make_pw_salt(char
> salt[MAX_PW_SALT_LEN], const char *algo)
> salt[1] = '5' + (strcasecmp(algo, "sha512") == 0);
> len = 16/2;
> }
> +#endif
> +#if ENABLE_USE_BCRYPT
> + if ((algo[0]|0x20) == 'b') { /* bcrypt */
> + int cost = 0;
> +#if ENABLE_FEATURE_BCRYPT_COST
It seems to me that if ENABLE_USE_BCRYPT is set, then the bcrypt cost
is always there. Am I missing something?
> + cost = (CONFIG_FEATURE_BCRYPT_COST);
> +#endif
> + if (cost < 0 || cost > 31)
This allows values (1, 2, 3) that are outside the range of the values
specified in the config text.
BTW, if the values outside [4, 31] are invalid, maybe a compile-time
error would be a good thing? (this is actually a real question, not a
code change suggestion). That would make the code a bit smaller as you
could confidently and directly use (CONFIG_FEATURE_BCRYPT_COST / 10)
and (CONFIG_FEATURE_BCRYPT_COST % 10) in the code below (no need to
set a cost variable).
> + cost = 10;
> +
> + salt[1] = '2';
> + salt[2] = 'b';
> + *salt_ptr++ = '$';
> + *salt_ptr++ = (cost / 10) + '0';
> + *salt_ptr++ = (cost % 10) + '0';
> + *salt_ptr++ = '$';
> + len = 24/2;
> + }
> #endif
> }
> crypt_make_salt(salt_ptr, len);
> diff --git a/loginutils/Config.src b/loginutils/Config.src
> index cbb09646b..cdcd7132f 100644
> --- a/loginutils/Config.src
> +++ b/loginutils/Config.src
> @@ -91,6 +91,28 @@ config USE_BB_CRYPT_SHA
> With this option off, login will fail password check for any
> user which has password encrypted with these algorithms.
>
> +config USE_BCRYPT
> + bool "Enable the bcrypt crypt function"
> + default n
> + depends on !USE_BB_CRYPT
> + help
> + Enable this if you have passwords starting with $2a$, $2y$ or
> + $2b$ in your /etc/passwd or /etc/shadow files. These passwords
> + are hashed using the bcrypt algorithm. Requires the use of a C
> + library that supports bcrypt.
> +
> +config FEATURE_BCRYPT_COST
> + int "bcrypt cost"
> + range 4 31
> + default 10
> + depends on USE_BCRYPT
> + help
> + Cost paramter for the bcrypt hashing algorithm.
typo: parameter
> + Specifies the number of rounds to use. Must be between 4 and 31,
> + inclusive. This value is logarithmic, the actual number of
> + iterations used will be 2**rounds – increasing the rounds by +1
> + will double the amount of time taken.
> +
> INSERT
>
> endmenu
> diff --git a/loginutils/chpasswd.c b/loginutils/chpasswd.c
> index a032abbed..74673fa6f 100644
> --- a/loginutils/chpasswd.c
> +++ b/loginutils/chpasswd.c
> @@ -17,7 +17,8 @@
> //config: default "des"
> //config: depends on PASSWD || CRYPTPW || CHPASSWD
> //config: help
> -//config: Possible choices are "d[es]", "m[d5]", "s[ha256]" or
> "sha512".
> +//config: Possible choices are "d[es]", "m[d5]", "s[ha256]",
> +//config: "sha512" or "b[crypt]" (when enabled).
> //applet:IF_CHPASSWD(APPLET(chpasswd, BB_DIR_USR_SBIN, BB_SUID_DROP))
>
> --
> 2.34.1
Best regards,
-- Emmanuel Deloget
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
