From 2211d5268cc6fc5575f758a9835070fae5ffc405 Mon Sep 17 00:00:00 2001 From: Denis Vlasenko Date: Mon, 10 Nov 2008 18:52:35 +0000 Subject: libbb: add optionl support for SHA256/512 encrypted passwords function old new delta sha_crypt - 2423 +2423 cryptpw_main 128 183 +55 to64 - 29 +29 pw_encrypt 974 1000 +26 str_rounds - 11 +11 login_main 1532 1541 +9 packed_usage 25215 25200 -15 __md5_to64 29 - -29 ------------------------------------------------------------------------------ (add/remove: 3/1 grow/shrink: 3/1 up/down: 2553/-44) Total: 2509 bytes --- loginutils/Config.in | 14 +++++++++++++- loginutils/cryptpw.c | 28 +++++++++++++++++++++------- 2 files changed, 34 insertions(+), 8 deletions(-) (limited to 'loginutils') diff --git a/loginutils/Config.in b/loginutils/Config.in index bb1369cdd..5f66e8685 100644 --- a/loginutils/Config.in +++ b/loginutils/Config.in @@ -58,7 +58,7 @@ config USE_BB_SHADOW password servers and whatnot. config USE_BB_CRYPT - bool "Use internal DES and MD5 crypt functions" + bool "Use internal crypt functions" default y help Busybox has internal DES and MD5 crypt functions. @@ -79,6 +79,18 @@ config USE_BB_CRYPT In static build, it makes code _smaller_ by about 1.2k, and likely many kilobytes less of bss. +config USE_BB_CRYPT_SHA + bool "Enable SHA256/512 crypt functions" + default n + depends on USE_BB_CRYPT + help + Enable this if you have passwords starting with "$5$" or "$6$" + in your /etc/passwd or /etc/shadow files. These passwords + are hashed using SHA256 and SHA512 algorithms. Support for them + was added to glibc in 2008. + With this option off, login will fail password check for any + user which has password encrypted with these algorithms. + config ADDGROUP bool "addgroup" default n diff --git a/loginutils/cryptpw.c b/loginutils/cryptpw.c index db5d95920..d76deac20 100644 --- a/loginutils/cryptpw.c +++ b/loginutils/cryptpw.c @@ -34,22 +34,36 @@ done int cryptpw_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; int cryptpw_main(int argc UNUSED_PARAM, char **argv) { - char salt[sizeof("$N$XXXXXXXX")]; + char salt[sizeof("$N$") + 16]; char *opt_a; + int opts; - if (!getopt32(argv, "a:", &opt_a) || opt_a[0] != 'd') { + opts = getopt32(argv, "a:", &opt_a); + + if (opts && opt_a[0] == 'd') { + crypt_make_salt(salt, 2/2, 0); /* des */ +#if TESTING + strcpy(salt, "a."); +#endif + } else { salt[0] = '$'; salt[1] = '1'; salt[2] = '$'; - crypt_make_salt(salt + 3, 4, 0); /* md5 */ +#if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA + if (opts && opt_a[0] == 's') { + salt[1] = '5' + (strcmp(opt_a, "sha512") == 0); + crypt_make_salt(salt + 3, 16/2, 0); /* sha */ #if TESTING - strcpy(salt + 3, "ajg./bcf"); + strcpy(salt, "$6$em7yVj./Mv5n1V5X"); #endif - } else { - crypt_make_salt(salt, 1, 0); /* des */ + } else +#endif + { + crypt_make_salt(salt + 3, 8/2, 0); /* md5 */ #if TESTING - strcpy(salt, "a."); + strcpy(salt + 3, "ajg./bcf"); #endif + } } puts(pw_encrypt(argv[optind] ? argv[optind] : xmalloc_fgetline(stdin), salt, 1)); -- cgit v1.2.3