Hello, Le mar. 3 mai 2022 à 13:58, Andreas Helmcke <a...@helmcke.name> a écrit :
>
> Adds an option to the Login/Password Management Utilities menu to enable
> bcrypt support in passwd and chpasswd.
>
> Add support for bcrypt to BusyBox chpasswd & passwd.
>
> Based on patch proposed by Scott Court.
>
> Changes to the orignal patch:
> - added config option for bcrypt cost
> - made code changes fully dependend on config option
> - changed algorithm tag to $2b$
> - help texts added for bcrypt option
>
> Signed-off-by: Andreas Helmcke <a...@helmcke.name>
> ---
> include/libbb.h | 5 +++++
> include/usage.src.h | 5 +++++
> libbb/pw_encrypt.c | 18 ++++++++++++++++++
> loginutils/Config.src | 22 ++++++++++++++++++++++
> loginutils/chpasswd.c | 3 ++-
> 5 files changed, 52 insertions(+), 1 deletion(-)
>
> diff --git a/include/libbb.h b/include/libbb.h
> index 6aeec249d..c6f769082 100644
> --- a/include/libbb.h
> +++ b/include/libbb.h
> @@ -1776,8 +1776,13 @@ extern int obscure(const char *old, const char
> *newval, const struct passwd *pwd
> * (otherwise we risk having same salt generated)
> */
> extern int crypt_make_salt(char *p, int cnt /*, int rnd*/) FAST_FUNC;
> +#if ENABLE_USE_BCRYPT
> +/* "$NX$10$" + bcrypt_salt_24_bytes + NUL */
> +#define MAX_PW_SALT_LEN (7 + 24 + 1)
> +#else
> /* "$N$" + sha_salt_16_bytes + NUL */
> #define MAX_PW_SALT_LEN (3 + 16 + 1)
> +#endif
> extern char* crypt_make_pw_salt(char p[MAX_PW_SALT_LEN], const char
> *algo) FAST_FUNC;
>
>
> diff --git a/include/usage.src.h b/include/usage.src.h
> index 5d2038834..d8a679ab3 100644
> --- a/include/usage.src.h
> +++ b/include/usage.src.h
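Review bot: The salt budget in `MAX_PW_SALT_LEN` and its comment assume 24 salt characters, but a bcrypt salt is 16 bytes encoded as 22 characters, so the setting string is `$2b$NN$` plus 22. The same assumption appears in the libbb/pw_encrypt.c hunk as `len = 24/2;`. How a given crypt() treats the two extra characters is not visible here; they are presumably ignored, but generating exactly the salt the algorithm defines avoids depending on that. I would use `#define MAX_PW_SALT_LEN (7 + 22 + 1)` with the comment `/* "$2b$NN$" + bcrypt_salt_22_chars + NUL */`, and `len = 22/2;` in pw_encrypt.c.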
> @@ -18,8 +18,13 @@
> #define scripted_full_usage ""
>
> #if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
> +#if ENABLE_USE_BCRYPT
> +# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512,bcrypt" \
> + " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
> +#else
> # define CRYPT_METHODS_HELP_STR "des,md5,sha256/512" \
> " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
> +#endif
> #else
> # define CRYPT_METHODS_HELP_STR "des,md5" \
> " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
> diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
> index 3463fd95b..2da4ab1d0 100644
> --- a/libbb/pw_encrypt.c
> +++ b/libbb/pw_encrypt.c
> @@ -70,6 +70,24 @@ char* FAST_FUNC crypt_make_pw_salt(char
> salt[MAX_PW_SALT_LEN], const char *algo)
> salt[1] = '5' + (strcasecmp(algo, "sha512") == 0);
> len = 16/2;
> }
> +#endif
> +#if ENABLE_USE_BCRYPT
> + if ((algo[0]|0x20) == 'b') { /* bcrypt */
> + int cost = 0;
> +#if ENABLE_FEATURE_BCRYPT_COST
It seems to me that if ENABLE_USE_BCRYPT is set, then the bcrypt cost is always there. Am I missing something?
> + cost = (CONFIG_FEATURE_BCRYPT_COST);
> +#endif
> + if (cost < 0 || cost > 31)
This allows values (1, 2, 3) that are outside the range of the values specified in the config text. BTW, if the values outside [4, 31] are invalid, maybe a compile-time error would be a good thing? (this is actually a real question, not a code change suggestion). That would make the code a bit smaller as you could confidently and directly use (CONFIG_FEATURE_BCRYPT_COST / 10) and (CONFIG_FEATURE_BCRYPT_COST % 10) in the code below (no need to set a cost variable).
> + cost = 10;
> +
> + salt[1] = '2';
> + salt[2] = 'b';
> + *salt_ptr++ = '$';
> + *salt_ptr++ = (cost / 10) + '0';
> + *salt_ptr++ = (cost % 10) + '0';
> + *salt_ptr++ = '$';
> + len = 24/2;
> + }
> #endif
> }
> crypt_make_salt(salt_ptr, len);
> diff --git a/loginutils/Config.src b/loginutils/Config.src
> index cbb09646b..cdcd7132f 100644
> --- a/loginutils/Config.src
> +++ b/loginutils/Config.src
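Review bot: The bcrypt branch in crypt_make_pw_salt() builds its prefix by overwriting `salt[1]` and `salt[2]` and then appending through `salt_ptr`, which yields `$2b$NN$` only if the code above the hunk has already written a three-character `$N$` prefix and advanced `salt_ptr` past it. That code starts outside the hunk, and `salt[2] = 'b';` replacing what is presumably the closing `$` reads like a mistake without that context. I would state the dependency where it is relied on, with a comment above `salt[1] = '2';` such as `/* a 3-char "$N$" prefix is already written: turn it into "$2b", then append "$NN$" */`.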
> @@ -91,6 +91,28 @@ config USE_BB_CRYPT_SHA
> With this option off, login will fail password check for any
> user which has password encrypted with these algorithms.
>
> +config USE_BCRYPT
> + bool "Enable the bcrypt crypt function"
> + default n
> + depends on !USE_BB_CRYPT
> + help
> + Enable this if you have passwords starting with $2a$, $2y$ or
> + $2b$ in your /etc/passwd or /etc/shadow files. These passwords
> + are hashed using the bcrypt algorithm. Requires the use of a C
> + library that supports bcrypt.
> +
> +config FEATURE_BCRYPT_COST
> + int "bcrypt cost"
> + range 4 31
> + default 10
> + depends on USE_BCRYPT
> + help
> + Cost paramter for the bcrypt hashing algorithm.
typo: parameter
> + Specifies the number of rounds to use. Must be between 4 and 31,
> + inclusive. This value is logarithmic, the actual number of
> + iterations used will be 2**rounds – increasing the rounds by +1
> + will double the amount of time taken.
> +
> INSERT
>
> endmenu
> diff --git a/loginutils/chpasswd.c b/loginutils/chpasswd.c
> index a032abbed..74673fa6f 100644
> --- a/loginutils/chpasswd.c
> +++ b/loginutils/chpasswd.c
> @@ -17,7 +17,8 @@
> //config: default "des"
> //config: depends on PASSWD || CRYPTPW || CHPASSWD
> //config: help
> -//config: Possible choices are "d[es]", "m[d5]", "s[ha256]" or
> "sha512".
> +//config: Possible choices are "d[es]", "m[d5]", "s[ha256]",
> +//config: "sha512" or "b[crypt]" (when enabled).
> //applet:IF_CHPASSWD(APPLET(chpasswd, BB_DIR_USR_SBIN, BB_SUID_DROP))
>
> --
> 2.34.1
Best regards, -- Emmanuel Deloget _______________________________________________ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox
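Review bot: The USE_BCRYPT help text describes reading existing `$2a$`/`$2y$`/`$2b$` hashes, yet per the diffstat this patch only changes salt generation and the algorithm help strings, so what the option controls is whether passwd and chpasswd can create bcrypt hashes. Nothing in the entry checks the "C library that supports bcrypt" requirement either, so on a libc without it the failure would presumably surface only at run time, when crypt() rejects the `$2b$` setting. The callers are not part of this patch, so it is worth confirming that they treat a NULL or `*`-prefixed crypt() result as an error instead of writing it to the password file. I would reword the first help sentence along the lines of `Allow passwd and chpasswd to create bcrypt ($2b$) password hashes.` and keep the libc requirement sentence.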