]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/libcrypt-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
6 #include "alloc-util.h"
7 #include "libcrypt-util.h"
10 #include "missing_stdlib.h"
11 #include "random-util.h"
12 #include "string-util.h"
15 int make_salt(char **ret
) {
17 #ifdef XCRYPT_VERSION_MAJOR
21 /* If we have libxcrypt we default to the "preferred method" (i.e. usually yescrypt), and generate it
22 * with crypt_gensalt_ra(). */
24 e
= secure_getenv("SYSTEMD_CRYPT_PREFIX");
26 e
= crypt_preferred_method();
28 log_debug("Generating salt for hash prefix: %s", e
);
30 salt
= crypt_gensalt_ra(e
, 0, NULL
, 0);
37 /* If libxcrypt is not used, we use SHA512 and generate the salt on our own since crypt_gensalt_ra()
38 * is not available. */
40 static const char table
[] =
41 "abcdefghijklmnopqrstuvwxyz"
42 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
51 /* This is a bit like crypt_gensalt_ra(), but doesn't require libcrypt, and doesn't do anything but
52 * SHA512, i.e. is legacy-free and minimizes our deps. */
54 assert_cc(sizeof(table
) == 64U + 1U);
56 /* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */
57 r
= genuine_random_bytes(raw
, sizeof(raw
), RANDOM_BLOCK
);
61 salt
= new(char, 3+sizeof(raw
)+1+1);
65 /* We only bother with SHA512 hashed passwords, the rest is legacy, and we don't do legacy. */
66 j
= stpcpy(salt
, "$6$");
67 for (i
= 0; i
< sizeof(raw
); i
++)
68 j
[i
] = table
[raw
[i
] & 63];
77 bool looks_like_hashed_password(const char *s
) {
78 /* Returns false if the specified string is certainly not a hashed UNIX password. crypt(5) lists
79 * various hashing methods. We only reject (return false) strings which are documented to have
82 * In particular, we allow locked passwords, i.e. strings starting with "!", including just "!",
83 * i.e. the locked empty password. See also fc58c0c7bf7e4f525b916e3e5be0de2307fef04e.
88 s
+= strspn(s
, "!"); /* Skip (possibly duplicated) locking prefix */
90 return !STR_IN_SET(s
, "x", "*");