author | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-12-01 12:40:40 +0000 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-12-01 12:40:40 +0000 |
commit | 090693e116fc6ea0dfb649e11a01af08e19b33d9 (patch) | |
tree | 1d3cde1416515bc7136e604d58e96e90caa510be /modules/pam_unix/support.c | |
parent | 1395ff30321ce605ab2ca79b1301cd93f51a5ca1 (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-12-01 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_unix/pam_unix.8.xml: Document blowfish option.
* configure.in: Check for crypt_gensalt_rn.
* modules/pam_unix/pam_unix_passwd.c: Pass pamh to
create_password_hash function.
* modules/pam_unix/passverify.c (create_password_hash): Add
blowfish support.
* modules/pam_unix/passverify.h: Adjust create_password_hash
prototype.
* modules/pam_unix/support.c: Add support for blowfish option.
* modules/pam_unix/support.h: Add defines for blowfish option.
Patch from Diego Flameeyes Pettenò <flameeyes@gmail.com>
Diffstat (limited to 'modules/pam_unix/support.c')
-rw-r--r-- | modules/pam_unix/support.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index db630f51..faec20dc 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -109,16 +109,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 *remember = 400;
 }
 }
- if (rounds != NULL) {
- if (j == UNIX_ALGO_ROUNDS) {
- *rounds = strtol(*argv + 7, NULL, 10);
- if ((*rounds < 1000) || (*rounds == INT_MAX))
- /* don't care about bogus values */
- unset(UNIX_ALGO_ROUNDS, ctrl);
- if (*rounds >= 10000000)
- *rounds = 9999999;
- }
- }
+ if (rounds != NULL && j == UNIX_ALGO_ROUNDS)
+ *rounds = strtol(*argv + 7, NULL, 10);
 }
 ++argv; /* step to next argument */
@@ -128,6 +120,26 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 D(("DISALLOW_NULL_AUTHTOK"));
 set(UNIX__NONULL, ctrl);
 }
+
+ /* Set default rounds for blowfish */
+ if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) {
+ *rounds = 5;
+ set(UNIX_ALGO_ROUNDS, ctrl);
+ }
+
+ /* Enforce sane "rounds" values */
+ if (on(UNIX_ALGO_ROUNDS, ctrl)) {
+ if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+ if (*rounds < 4 || *rounds > 31)
+ *rounds = 5;
+ } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+ if ((*rounds < 1000) || (*rounds == INT_MAX))
+ /* don't care about bogus values */
+ unset(UNIX_ALGO_ROUNDS, ctrl);
+ if (*rounds >= 10000000)
+ *rounds = 9999999;
+ }
+ }
 /* auditing is a more sensitive version of debug */ |
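Review bot: The `rounds=` value goes straight from `strtol` into an `int` with no end-pointer or `errno` check, so non-numeric text parses as 0 and, where `long` is wider than `int`, an oversized value is narrowed before the range checks later in `_set_ctrl` see it. Parse into a `long` and reject bad input first, e.g. `errno = 0; long v = strtol(*argv + 7, &end, 10);` followed by `if (end == *argv + 7 || *end != '\0' || errno == ERANGE || v > INT_MAX) v = 0;` (with a `char *end` declared), then assign `*rounds = (int)v;`. This matters for the blowfish option because a narrowed value could fall inside 4..31 and be accepted as a cost the administrator never wrote. The body of `_set_ctrl` starts and ends outside this hunk.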
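Review bot: Both new blocks dereference `rounds` without the NULL test that the option-parsing hunk above still applies (`rounds != NULL && j == UNIX_ALGO_ROUNDS`), so a caller that passes NULL would presumably crash the module here once the blowfish or rounds flag is set in `ctrl`. Guard both conditions: `if (rounds != NULL && on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) {` and `if (rounds != NULL && on(UNIX_ALGO_ROUNDS, ctrl)) {`. Separately, an out-of-range blowfish cost is silently replaced by 5 rather than clamped, so a mistyped high value such as 32 ends up at a low work factor with no log entry. Clamping to the nearest bound, or logging the fallback, would make that visible. Whether any caller actually passes NULL cannot be seen from this hunk, and `_set_ctrl` continues outside it.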