From dce80b3f11b3c3aa137d18f22699809094dd64b6 Mon Sep 17 00:00:00 2001 From: Björn Esser Date: Thu, 15 Nov 2018 15:58:56 +0100 Subject: pam_unix: Prefer a gensalt function, that supports auto entropy. * modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0. * modules/pam_unix/passverify.c: Prefer gensalt with auto entropy. * modules/pam_unix/support.c: Fix sanitizing of rounds parameter. --- modules/pam_unix/passverify.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'modules/pam_unix/passverify.c') diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 1f433b3a..0d2c8029 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -375,7 +375,12 @@ PAMH_ARG_DECL(char * create_password_hash, const char *password, unsigned int ctrl, int rounds) { const char *algoid; +#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64 + /* Strings returned by crypt_gensalt_rn will be no longer than this. */ + char salt[CRYPT_GENSALT_OUTPUT_SIZE]; +#else char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */ +#endif char *sp; #ifdef HAVE_CRYPT_R struct crypt_data *cdata = NULL; @@ -406,6 +411,13 @@ PAMH_ARG_DECL(char * create_password_hash, return crypted; } +#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY + /* + * Any version of libcrypt supporting auto entropy is + * guaranteed to have crypt_gensalt_rn(). + */ + sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt)); +#else #ifdef HAVE_CRYPT_GENSALT_R if (on(UNIX_BLOWFISH_PASS, ctrl)) { char entropy[17]; @@ -423,6 +435,7 @@ PAMH_ARG_DECL(char * create_password_hash, #ifdef HAVE_CRYPT_GENSALT_R } #endif +#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */ #ifdef HAVE_CRYPT_R sp = NULL; cdata = malloc(sizeof(*cdata)); -- cgit v1.2.3