DES is insecure; use it only if explicitly requested.
Closes: <https://github.com/shadow-maint/shadow/issues/1278>
Reported-by: Andre Boscatto <andreboscatto@gmail.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
}
method = getdef_str ("ENCRYPT_METHOD");
- if (NULL != method) {
- if ( streq(method, "MD5")
- || streq(method, "SHA256")
- || streq(method, "SHA512")
-#ifdef USE_BCRYPT
- || streq(method, "BCRYPT")
-#endif
-#ifdef USE_YESCRYPT
- || streq(method, "YESCRYPT")
-#endif
- ) {
- return;
- }
- }
+ if (NULL == method)
+ return;
+
+ if (!streq(method, "DES"))
+ return;
+
*maxlen = getdef_num ("PASS_MAX_LEN", 8);
}
bzero(result, GENSALT_SETTING_SIZE);
- method = meth ?: getdef_str("ENCRYPT_METHOD") ?: "DES";
+ method = meth ?: getdef_str("ENCRYPT_METHOD") ?: "SHA512";
if (streq(method, "MD5")) {
MAGNUM(result, '1');
rounds = SHA_get_salt_rounds (arg);
SHA_salt_rounds_to_buf (result, rounds);
} else if (streq(method, "SHA512")) {
+sha512:
MAGNUM(result, '6');
salt_len = SHA_CRYPT_SALT_SIZE;
rounds = SHA_get_salt_rounds (arg);
} else if (!streq(method, "DES")) {
fprintf (log_get_logfd(),
_("Invalid ENCRYPT_METHOD value: '%s'.\n"
- "Defaulting to DES.\n"),
+ "Defaulting to SHA512.\n"),
method);
- salt_len = MAX_SALT_SIZE;
- rounds = 0;
- bzero(result, GENSALT_SETTING_SIZE);
+ goto sha512;
}
#if USE_XCRYPT_GENSALT
<para>
It can take one of these values: <phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable>,</phrase>
- <replaceable>DES</replaceable> (default),
+ <replaceable>DES</replaceable>,
<replaceable>MD5</replaceable>,
<replaceable>SHA256</replaceable>,
- <replaceable>SHA512</replaceable>,
+ <replaceable>SHA512</replaceable> (default),
<phrase condition="yescrypt">
<replaceable>YESCRYPT</replaceable></phrase>.
MD5 and DES should not be used for new hashes, see