author | Julian Kranz <juliankranz@gmail.com> | 2023-06-02 04:45:03 +0200 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2023-07-17 07:53:24 +0000 |
commit | 6caedeff52ee6ae5afce19d22798f895f101a1f1 (patch) | |
tree | 0510b82e0f1c24f88a0e1ed303b89fca2af5f6b9 | |
parent | 45c2c496dcf89f568b90fcf403af9d63b2361fbd (diff) | |
pam_unix: improve fallback values for "rounds" for yescrypt and blowfish
This change improves the fallback values for the "rounds" parameter for
yescrypt and blowfish by using the smallest reasonable value if the
user sets a too low value and by using the highest reasonable value
if the user sets a too high value. This better realizes user intent
and is consistent with the approach taken for SHA256.
-rw-r--r-- | modules/pam_unix/support.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 043273d2..7bed0a56 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -189,11 +189,15 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
 if (on(UNIX_ALGO_ROUNDS, ctrl)) {
 if (on(UNIX_GOST_YESCRYPT_PASS, ctrl) || on(UNIX_YESCRYPT_PASS, ctrl)) {
- if (*rounds < 3 || *rounds > 11)
- *rounds = 5;
+ if (*rounds < 3)
+ *rounds = 3;
+ else if (*rounds > 11)
+ *rounds = 11;
 } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
- if (*rounds < 4 || *rounds > 31)
- *rounds = 5;
+ if (*rounds < 4)
+ *rounds = 4;
+ else if (*rounds > 31)
+ *rounds = 31;
 } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
 if ((*rounds < 1000) || (*rounds == INT_MAX)) {
 /* don't care about bogus values */ |
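Review bot: Both new clamps adjust `*rounds` silently, so an administrator whose `rounds=` value is out of range gets no indication that a different password-hashing cost is in effect. The low-side clamp selects the weakest cost each branch accepts (3 for yescrypt, 4 for blowfish), and for blowfish the high-side clamp to 31 is a log2 work factor, which would presumably make each password change extremely slow where the old code fell back to 5. Consider logging every adjustment, e.g. `pam_syslog(pamh, LOG_WARNING, "rounds value %d out of range, using %d", requested, *rounds);` with the original value saved in a local first, and adding a comment above the branch that states the accepted range per algorithm. `_set_ctrl` begins and ends outside this hunk, so an existing log call elsewhere in the function cannot be ruled out.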