From 090693e116fc6ea0dfb649e11a01af08e19b33d9 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Mon, 1 Dec 2008 12:40:40 +0000
Subject: Relevant BUGIDs:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Purpose of commit: new feature
Commit summary:
---------------
2008-12-01 Thorsten Kukuk
* modules/pam_unix/pam_unix.8.xml: Document blowfish option.
* configure.in: Check for crypt_gensalt_rn.
* modules/pam_unix/pam_unix_passwd.c: Pass pamh to create_password_hash function.
* modules/pam_unix/passverify.c (create_password_hash): Add blowfish support.
* modules/pam_unix/passverify.h: Adjust create_password_hash prototype.
* modules/pam_unix/support.c: Add support for blowfish option.
* modules/pam_unix/support.h: Add defines for blowfish option.
Patch from Diego Flameeyes Pettenò
---
modules/pam_unix/support.c | 32 ++++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
(limited to 'modules/pam_unix/support.c')
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index db630f51..faec20dc 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -109,16 +109,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 *remember = 400;
 }
 }
- if (rounds != NULL) {
- if (j == UNIX_ALGO_ROUNDS) {
- *rounds = strtol(*argv + 7, NULL, 10);
- if ((*rounds < 1000) || (*rounds == INT_MAX))
- /* don't care about bogus values */
- unset(UNIX_ALGO_ROUNDS, ctrl);
- if (*rounds >= 10000000)
- *rounds = 9999999;
- }
- }
+ if (rounds != NULL && j == UNIX_ALGO_ROUNDS)
+ *rounds = strtol(*argv + 7, NULL, 10);
 }
 ++argv; /* step to next argument */
 
@@ -128,6 +120,26 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 D(("DISALLOW_NULL_AUTHTOK"));
 set(UNIX__NONULL, ctrl);
 }
+
+ /* Set default rounds for blowfish */
+ if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) {
+ *rounds = 5;
+ set(UNIX_ALGO_ROUNDS, ctrl);
+ }
+
+ /* Enforce sane "rounds" values */
+ if (on(UNIX_ALGO_ROUNDS, ctrl)) {
+ if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+ if (*rounds < 4 || *rounds > 31)
+ *rounds = 5;
+ } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+ if ((*rounds < 1000) || (*rounds == INT_MAX))
+ /* don't care about bogus values */
+ unset(UNIX_ALGO_ROUNDS, ctrl);
+ if (*rounds >= 10000000)
+ *rounds = 9999999;
+ }
+ }
 /* auditing is a more sensitive version of debug */
-- cgit v1.2.3
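Review bot: Both new blocks dereference `*rounds` without a NULL check, although the guard kept in the first hunk (`rounds != NULL && j == UNIX_ALGO_ROUNDS`) shows that callers may pass a NULL `rounds`. If such a caller is configured with the `blowfish` option — or with `rounds=` if the option table sets UNIX_ALGO_ROUNDS independently of the pointer, which the hunk does not show — `_set_ctrl` would dereference NULL while parsing module options, i.e. before any authentication decision is made. Guarding the two conditions on the pointer is enough: `if (rounds != NULL && on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) {` and `if (rounds != NULL && on(UNIX_ALGO_ROUNDS, ctrl)) {`. The enclosing function starts before the first hunk and ends after this one.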