+2007-11-24 Nicolas François <nicolas.francois@centraliens.net>
+
+ * configure.in: New configure option: --with-sha-crypt enabled by
+ default. Keeping the feature enabled is safe. Disabling it permits
+ to disable the references to the SHA256 and SHA512 password
+ encryption algorithms from the usage help and manuals (in addition
+ to the support for these algorithms in the code).
+ * libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
+ src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
+ always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
+ preprocessor condition.
+ * libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
+ src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
+ SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
+ subset of the ENCRYPTMETHOD_SELECT sections).
+
2007-11-24 Nicolas François <nicolas.francois@centraliens.net>
* lib/encrypt.c: If we requested a non DES encryption, make sure
AC_ARG_WITH(libcrack,
[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=yes if found and if PAM not enabled@:>@])],
[with_libcrack=$withval], [with_libcrack=no])
+AC_ARG_WITH(sha-crypt,
+ [AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
+ [with_sha_crypt=$withval], [with_sha_crypt=yes])
+
+AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
+if test "$with_sha_crypt" = "yes"; then
+ AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
+fi
dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really
echo " SELinux support: $with_selinux"
echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
+echo " SHA passwords encryption: $with_sha_crypt"
echo
int maxlen, oldlen, newlen;
char *new1, *old1;
const char *msg;
-#ifdef ENCRYPTMETHOD_SELECT
char *result;
-#endif
oldlen = strlen (old);
newlen = strlen (new);
if (msg)
return msg;
-#ifdef ENCRYPTMETHOD_SELECT
if ((result = getdef_str ("ENCRYPT_METHOD")) == NULL) {
-#endif
/* The traditional crypt() truncates passwords to 8 chars. It is
possible to circumvent the above checks by choosing an easy
8-char password and adding some random characters to it...
if (getdef_bool ("MD5_CRYPT_ENAB"))
return NULL;
-#ifdef ENCRYPTMETHOD_SELECT
} else {
- if (!strcmp (result, "MD5") ||
- !strcmp (result, "SHA256") ||
- !strcmp (result, "SHA512"))
+ if ( !strcmp (result, "MD5")
+#ifdef USE_SHA_CRYPT
+ || !strcmp (result, "SHA256")
+ || !strcmp (result, "SHA512")
+#endif
+ )
return NULL;
}
-#endif
maxlen = getdef_num ("PASS_MAX_LEN", 8);
if (oldlen <= maxlen && newlen <= maxlen)
return NULL;
*/
#define MAGNUM(array,ch) (array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0'
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
/*
* Return the salt size.
* The size of the salt string is between 8 and 16 bytes for the SHA crypt
if (NULL != meth)
method = meth;
else {
-#ifdef ENCRYPTMETHOD_SELECT
if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL)
-#endif
method = getdef_bool ("MD5_CRYPT_ENAB") ? "MD5" : "DES";
}
if (!strcmp (method, "MD5")) {
MAGNUM(result, '1');
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
} else if (!strcmp (method, "SHA256")) {
MAGNUM(result, '5');
strcat(result, SHA_salt_rounds((int *)arg));
"%s"
"\n"),
Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
"NONE DES MD5", ""
#else
"NONE DES MD5 SHA256 SHA512",
{"encrypted", no_argument, NULL, 'e'},
{"help", no_argument, NULL, 'h'},
{"md5", no_argument, NULL, 'm'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'},
#endif
{NULL, 0, NULL, '\0'}
while ((c =
getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
"c:ehms:",
#else
"c:ehm",
case 'm':
md5flg = 1;
break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
case 's':
sflg = 1;
if (!getlong(optarg, &sha_rounds)) {
if ( 0 != strcmp (crypt_method, "DES")
&& 0 != strcmp (crypt_method, "MD5")
&& 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
&& 0 != strcmp (crypt_method, "SHA256")
&& 0 != strcmp (crypt_method, "SHA512")
#endif
"%s"
"\n"),
Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
"NONE DES MD5", ""
#else
"NONE DES MD5 SHA256 SHA512",
{"encrypted", no_argument, NULL, 'e'},
{"help", no_argument, NULL, 'h'},
{"md5", no_argument, NULL, 'm'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'},
#endif
{NULL, 0, NULL, '\0'}
while ((c =
getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
"c:ehms:",
#else
"c:ehm",
case 'm':
md5flg = 1;
break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
case 's':
sflg = 1;
if (!getlong(optarg, &sha_rounds)) {
if ( 0 != strcmp (crypt_method, "DES")
&& 0 != strcmp (crypt_method, "MD5")
&& 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
&& 0 != strcmp (crypt_method, "SHA256")
&& 0 != strcmp (crypt_method, "SHA512")
#endif
"%s"
"\n"),
Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
"NONE DES MD5", ""
#else
"NONE DES MD5 SHA256 SHA512",
static struct option long_options[] = {
{"crypt-method", required_argument, NULL, 'c'},
{"help", no_argument, NULL, 'h'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'},
#endif
{NULL, 0, NULL, '\0'}
while ((c =
getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
"c:hs:",
#else
"c:h",
case 'h':
usage ();
break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
case 's':
sflg = 1;
if (!getlong(optarg, &sha_rounds)) {
if ( 0 != strcmp (crypt_method, "DES")
&& 0 != strcmp (crypt_method, "MD5")
&& 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
&& 0 != strcmp (crypt_method, "SHA256")
&& 0 != strcmp (crypt_method, "SHA512")
#endif
int i; /* Counter for retries */
int warned;
int pass_max_len = -1;
-#ifdef ENCRYPTMETHOD_SELECT
char *method;
-#endif
#ifdef HAVE_LIBCRACK_HIST
int HistUpdate (const char *, const char *);
* for strength, unless it is the root user. This provides an escape
* for initial login passwords.
*/
-#ifdef ENCRYPTMETHOD_SELECT
if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
-#endif
if (!getdef_bool ("MD5_CRYPT_ENAB"))
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
-#ifdef ENCRYPTMETHOD_SELECT
} else {
- if (!strcmp (method, "MD5") ||
- !strcmp (method, "SHA256") ||
- !strcmp (method, "SHA512"))
+ if ( !strcmp (method, "MD5")
+#ifdef USE_SHA_CRYPT
+ || !strcmp (method, "SHA256")
+ || !strcmp (method, "SHA512")
+#endif
+ )
pass_max_len = -1;
else
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
}
-#endif
if (!qflg) {
if (pass_max_len == -1) {
printf (_(
projects / thirdparty / shadow.git / commitdiff
