I've been thinking about this some more. After looking around Shadow-utils' source, and the Owl blowfish patch, it looks like glibc detects the algorithm type intended to be used based on the salt prefix... if it starts with '$1$' then it's MD5, if it doesn't start with '$1$' then it's DES. Owl's patch adds '$2a$' for blowfish. This is in the crypt() function in glibc/crypt/crypt-entry.c.

I linked Shadow-utils to OpenSSL's libcrypto, and DES works. I used DES_crypt() to replace crypt() in lib/encrypt.c. But OpenSSL does not detect salt prefixes like libcrypt does, so it's complicated to change this on the fly in /etc/login.defs.

So now I'm thinking to copy glibc/crypt to something-else-crypt/, remove all the algorithm arithmetic, and just keep the salt prefix detection, and have it externally call DES_crypt(), MD5_Init(), SHA512_Init(), BF_cbc_encrypt(), CAST_encrypt(), maybe AES_encrypt() too, linking libcrypt.so to libcrypto.so. OpenSSL is missing MD5_crypt(), but this is provided in OpenSSH's md5crypt.c if needed. This modified libcrypt would need to be installed after libc and libssl. Preferably this would work by leaving openssl/libcrypto alone and unmodified. Then modify Shadow, and /etc/login.defs, to use CRYPT_PREFIX="$5$", or whatever, to use AES passwords primarily; meanwhile it will still be able to decrypt DES, MD5, or blowfish.

Any of you have another idea, or comments? For those of you who missed the previous discussions, the purpose of this is to put all our eggs in one basket, so if there's a bugfix for SHA1 then there's only one package to update. Furthermore, OpenSSL can use the kernel crypto-api, with a patch, to again keep all the eggs in the same basket, and perform better.

robert
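The salt-prefix detection the post proposes keeping from glibc/crypt, written out as an added example (not code from the post, glibc, or the Owl patch): it maps '$1$' to MD5 and '$2a$' to blowfish as the post describes, treats anything without a recognised prefix as traditional DES with two salt characters, and adds the post's hypothetical CRYPT_PREFIX="$5$" as a placeholder slot; the backend calls (DES_crypt() and friends) are left to the caller.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Algorithm families selected by the salt prefix. ALG_NEW stands for the
 * hypothetical "$5$" CRYPT_PREFIX from the post; it is not a glibc mapping. */
enum hash_alg { ALG_INVALID = -1, ALG_DES = 0, ALG_MD5, ALG_BLOWFISH, ALG_NEW };

/* Traditional crypt salt alphabet: [a-zA-Z0-9./] */
static int is_salt_char(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Pick the algorithm from the salt prefix and point *body at the first
 * character after the prefix, i.e. the part a backend would consume.
 * Prefixes are checked longest-match-first so "$2a$" is never taken as "$2$". */
enum hash_alg salt_algorithm(const char *salt, const char **body) {
    static const struct { const char *prefix; enum hash_alg alg; } table[] = {
        { "$2a$", ALG_BLOWFISH }, /* Owl blowfish patch */
        { "$1$",  ALG_MD5 },      /* glibc md5 */
        { "$5$",  ALG_NEW },      /* hypothetical new prefix from the post */
    };
    if (salt == NULL) return ALG_INVALID;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        size_t n = strlen(table[i].prefix);
        if (strncmp(salt, table[i].prefix, n) == 0) {
            if (body) *body = salt + n;
            return table[i].alg;
        }
    }
    /* No known prefix: traditional DES, which needs exactly two valid salt
     * characters. An unknown "$..." prefix is rejected here rather than
     * silently falling through to DES, so a typo in login.defs fails loudly. */
    if (salt[0] == '$' || !is_salt_char(salt[0]) || !is_salt_char(salt[1]))
        return ALG_INVALID;
    if (body) *body = salt;
    return ALG_DES;
}

int main(void) {
    const char *samples[] = { "$1$abc$", "$2a$05$xyz", "$5$salt", "ab", "$9$x", "a!" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *body = NULL;
        int alg = salt_algorithm(samples[i], &body);
        printf("%-12s -> alg %d body %s\n", samples[i], alg, body ? body : "(none)");
    }
    return 0;
}
```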
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
