On Friday April 27 2007 09:00, Jan Dvořák wrote:
> Robert Connolly wrote:
> > The md5 salt detection is really simple, from openssh's md5crypt.c.
> > Blowfish salt detection should be no problem, but adding openssl blowfish
> > encryption might take a little longer.
>
> Have you tested for backwards compatibility with already generated DES
> and MD5 passwords?

It looks like I tested with the previously installed /bin/passwd, and not the newly installed (patched) /usr/bin/passwd.. so, DES_crypt from libcrypto does work and is backward compatible with libcrypt. I installed the patched passwd, changed nobody's passwd, installed the vanilla passwd, su'd to nobody and was able to change passwd. But md5_crypt does not work and does not error either (nothing happens).

I found a copy of shadow-961025. This version of Shadow had its own md5crypt.c, before it was in Glibc. It works, and it is very very similar to md5 from openssl and openssh. I just need to narrow down why openssl's is silently failing.

> I've looked into exact same thing, but I've given up for not enough will
> to emulate blowfish crypt with openssl. And, oh, crypt()'s way of
> computing MD5 is not very straightforward, maybe they wanted to increase
> security. If you find it reasonable, it would be nice to have same fun
> with sha1 and others as well.

I didn't realize, until just now, that bcrypt and blowfish are not exactly the same thing. It looks possible to emulate bcrypt with openssl/libcrypto, but this is over my head for the moment, and would probably involve copying bcrypt.c to shadow/lib/ so passwd knows how to tell libcrypto to behave like bcrypt. bcrypt.c looks like it's just using BF_*_encrypt() with very specific options. This one is unique, in that it's the only crypto function not supplied by openssl, because it has no use in openssl. Adding it to stdlib/libc might be more practical, still using openssl (circular dependency), but in libc and stdlib.h it wouldn't need to be duplicated for each package that uses it. libcrypto.so (1.3MB) will need to be moved to /lib, if this works.

But one thing at a time, I'll go back to md5_crypt.

robert
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
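
The salt detection and backward-compatibility question raised in this thread, as an added example (not code from shadow, openssh, openssl or the patch being discussed): a classifier that decides from a stored hash string whether it is traditional DES, `$1$` MD5-crypt or `$2a$` bcrypt, so existing entries are routed to the routine that produced them. All names are hypothetical, the sample strings are constructed rather than real hashes, and only the `$2a$` bcrypt prefix is handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; sample strings are constructed, not real hashes. */
enum scheme { SCHEME_UNKNOWN, SCHEME_DES, SCHEME_MD5, SCHEME_BCRYPT };

/* True if s[0..n) uses only the crypt(3) alphabet "./0-9A-Za-z". */
static int is_crypt64(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '/')
            return 0;
    return 1;
}

/* Classify a stored password hash by its prefix and shape. */
enum scheme detect_scheme(const char *h)
{
    size_t len = strlen(h);

    if (strncmp(h, "$1$", 3) == 0) {        /* $1$<salt, max 8>$<22 chars> */
        const char *end = strchr(h + 3, '$');
        size_t saltlen = end ? (size_t)(end - (h + 3)) : 0;
        if (!end || saltlen > 8 || !is_crypt64(h + 3, saltlen))
            return SCHEME_UNKNOWN;
        if (strlen(end + 1) != 22 || !is_crypt64(end + 1, 22))
            return SCHEME_UNKNOWN;
        return SCHEME_MD5;
    }
    if (strncmp(h, "$2a$", 4) == 0) {       /* $2a$<cost>$<53 chars>, 60 total */
        if (len != 60 || !isdigit((unsigned char)h[4]) ||
            !isdigit((unsigned char)h[5]) || h[6] != '$' ||
            !is_crypt64(h + 7, 53))
            return SCHEME_UNKNOWN;
        return SCHEME_BCRYPT;
    }
    if (len == 13 && is_crypt64(h, 13))     /* 2-char salt + 11-char hash */
        return SCHEME_DES;
    return SCHEME_UNKNOWN;                  /* "*", "!", empty or malformed */
}

int main(void)
{
    const char *samples[] = { "ab0123456789.",
                              "$1$saltsalt$0123456789abcdefghijkl", "*" };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s -> %d\n", samples[i], detect_scheme(samples[i]));
    return 0;
}
```

Returning `SCHEME_UNKNOWN` for anything malformed lets the caller refuse the entry instead of falling through to DES, which would otherwise read the first two characters of a damaged `$1$` string as a DES salt.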
