From: Alejandro Colomar Date: Fri, 26 Dec 2025 23:59:04 +0000 (+0100) Subject: lib/, man/: Default to SHA512 instead of DES X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=26dcae860cdb85098b10a45bc4bbcf411a105481;p=thirdparty%2Fshadow.git lib/, man/: Default to SHA512 instead of DES DES is insecure; use it only if explicitly requested. Closes: Reported-by: Andre Boscatto Cc: Iker Pedrosa Signed-off-by: Alejandro Colomar --- diff --git a/lib/obscure.c b/lib/obscure.c index 342bb812d..64d0e7ee5 100644 --- a/lib/obscure.c +++ b/lib/obscure.c @@ -215,19 +215,11 @@ obscure_get_range(int *minlen, int *maxlen) } method = getdef_str ("ENCRYPT_METHOD"); - if (NULL != method) { - if ( streq(method, "MD5") - || streq(method, "SHA256") - || streq(method, "SHA512") -#ifdef USE_BCRYPT - || streq(method, "BCRYPT") -#endif -#ifdef USE_YESCRYPT - || streq(method, "YESCRYPT") -#endif - ) { - return; - } - } + if (NULL == method) + return; + + if (!streq(method, "DES")) + return; + *maxlen = getdef_num ("PASS_MAX_LEN", 8); } diff --git a/lib/salt.c b/lib/salt.c index 4a66d0132..98b8a8194 100644 --- a/lib/salt.c +++ b/lib/salt.c @@ -356,7 +356,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size) bzero(result, GENSALT_SETTING_SIZE); - method = meth ?: getdef_str("ENCRYPT_METHOD") ?: "DES"; + method = meth ?: getdef_str("ENCRYPT_METHOD") ?: "SHA512"; if (streq(method, "MD5")) { MAGNUM(result, '1'); @@ -382,6 +382,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size) rounds = SHA_get_salt_rounds (arg); SHA_salt_rounds_to_buf (result, rounds); } else if (streq(method, "SHA512")) { +sha512: MAGNUM(result, '6'); salt_len = SHA_CRYPT_SALT_SIZE; rounds = SHA_get_salt_rounds (arg); @@ -389,11 +390,9 @@ static /*@observer@*/const char *gensalt (size_t salt_size) } else if (!streq(method, "DES")) { fprintf (log_get_logfd(), _("Invalid ENCRYPT_METHOD value: '%s'.\n" - "Defaulting to DES.\n"), + "Defaulting to SHA512.\n"), method); - salt_len = MAX_SALT_SIZE; - rounds = 0; - bzero(result, GENSALT_SETTING_SIZE); + goto sha512; } #if USE_XCRYPT_GENSALT diff --git a/man/login.defs.d/ENCRYPT_METHOD.xml b/man/login.defs.d/ENCRYPT_METHOD.xml index 1865bf0f9..6af3b1187 100644 --- a/man/login.defs.d/ENCRYPT_METHOD.xml +++ b/man/login.defs.d/ENCRYPT_METHOD.xml @@ -12,10 +12,10 @@ It can take one of these values: BCRYPT, - DES (default), + DES, MD5, SHA256, - SHA512, + SHA512 (default), YESCRYPT. MD5 and DES should not be used for new hashes, see