libuser

Clone
Source Code
GIT

#49 Add the yescrypt hashing method for crypt_style configuration.
Merged 2 years ago by thalman. Opened 2 years ago by besser82.
besser82/libuser topic/besser82/yescrypt  into  master

file modified
+2 -2 
@@ -69,8 +69,8 @@ 
 

  when changing a password of an existing user, depending on the application.
 

  

  Possible values are \fBdes\fR, \fBmd5\fR, \fBblowfish\fR,
 

- .B sha256
 

- and \fBsha512\fR, all case-insensitive.
 

+ .B sha256,
 

+ \fBsha512\fR, and \fByescrypt\fR, all case-insensitive.
 

  Unrecognized values are treated as \fBdes\fR.
 

  Default value is \fBdes\fR.

file modified
+52 -3 
@@ -43,6 +43,21 @@ 
 

  #define HASH_ROUNDS_MIN 1000
 

  #define HASH_ROUNDS_MAX 999999999
 

  

+ #if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \
 

+      CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY)
 

+ #define USE_XCRYPT_GENSALT 1
 

+ #else
 

+ #define USE_XCRYPT_GENSALT 0
 

+ #endif
 

+ 

+ #if ((defined XCRYPT_VERSION_NUM && \
 

+       XCRYPT_VERSION_NUM >= ((4 << 16) | 3)) && \
 

+       USE_XCRYPT_GENSALT)
 

+ #define HAVE_YESCRYPT 1
 

+ #else
 

+ #define HAVE_YESCRYPT 0
 

+ #endif
 

+ 

  struct lu_lock {
 

  	int fd;
 

  	struct flock lock;
 
@@ -66,6 +81,7 @@ 
 

  	return strcmp((char *) v1, (char *) v2);
 

  }
 

  

+ #if !USE_XCRYPT_GENSALT
 

  /* A list of allowed salt characters, according to SUSv2. */
 

  #define ACCEPTABLE "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
 

  		   "abcdefghijklmnopqrstuvwxyz" \
 
@@ -115,6 +131,7 @@ 
 

  	close(fd);
 

  	return TRUE;
 

  }
 

+ #endif
 

  

  static const struct {
 

  	const char initial[5];
 
@@ -124,9 +141,12 @@ 
 

  } salt_type_info[] = {
 

  	{"$1$", "$", 8, FALSE },
 

  	/* FIXME: number of rounds, base64 of 128 bits */
 

- 	{"$2a$", "$", 8, FALSE },
 

+ 	{"$2b$", "$", 8, FALSE },
 

  	{"$5$", "$", 16, TRUE },
 

  	{"$6$", "$", 16, TRUE },
 

+ #if HAVE_YESCRYPT
 

+ 	{"$y$", "$", 24, FALSE },
 

+ #endif
 

  	{ "", "", 2 },
 

  };
 

  
@@ -135,6 +155,9 @@ 
 

  {
 

  	char salt[2048];
 

  	size_t i, len = 0;
 

+ #if USE_XCRYPT_GENSALT
 

+ 	unsigned long rounds = 0;
 

+ #endif
 

  

  	if (previous == NULL) {
 

  		previous = LU_DEFAULT_SALT_TYPE;
 
@@ -151,6 +174,23 @@ 
 

  

  	if (salt_type_info[i].sha_rounds != FALSE
 

  	    && strncmp(previous + len, "rounds=", strlen("rounds=")) == 0) {
 

+ #if USE_XCRYPT_GENSALT
 

+ 		const char *start;
 

+ 		char *end;
 

+ 

+ 		start = previous + len + strlen("rounds=");
 

+ 		rounds = strtoul (start, &end, 10);
 

+ 

+ 		if (rounds < HASH_ROUNDS_MIN)
 

+ 			rounds = HASH_ROUNDS_MIN;
 

+ 		else if (rounds > HASH_ROUNDS_MAX)
 

+ 			rounds = HASH_ROUNDS_MAX;
 

+ 	}
 

+ 

+ 	g_assert(CRYPT_GENSALT_OUTPUT_SIZE <= sizeof(salt));
 

+ 

+ 	crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt));
 

+ #else
 

  		const char *start, *end;
 

  

  		start = previous + len + strlen("rounds=");
 
@@ -168,6 +208,7 @@ 
 

  		return NULL;
 

  	strcpy(salt + len + salt_type_info[i].salt_length,
 

  	       salt_type_info[i].separator);
 

+ #endif
 

  

  	return crypt(plain, salt);
 

  }
 
@@ -231,9 +272,12 @@ 
 

  	} salt_types[] = {
 

  		{ "des", "", FALSE },
 

  		{ "md5", "$1$", FALSE },
 

- 		{ "blowfish", "$2a$", FALSE },
 

+ 		{ "blowfish", "$2b$", FALSE },
 

  		{ "sha256", "$5$", TRUE },
 

  		{ "sha512", "$6$", TRUE },
 

+ #if HAVE_YESCRYPT
 

+ 		{ "yescrypt", "$y$", FALSE },
 

+ #endif
 

  	};
 

  

  	const char *salt_type;
 
@@ -251,13 +295,18 @@ 
 

  

  found:
 

  	if (salt_types[i].sha_rounds != FALSE) {
 

- 		unsigned long rounds;
 

+ 		unsigned long rounds = 0;
 

  

  		rounds = select_hash_rounds(context);
 

+ #if USE_XCRYPT_GENSALT
 

+ 		return g_strdup(crypt_gensalt(salt_types[i].initializer,
 

+ 					      rounds, NULL, 0));
 

+ #else
 

  		if (rounds != 0)
 

  			return g_strdup_printf("%srounds=%lu$",
 

  					       salt_types[i].initializer,
 

  					       rounds);
 

+ #endif
 

  	}
 

  	return g_strdup(salt_types[i].initializer);
 

  }

file modified
+1 -1 
@@ -17,7 +17,7 @@ 
 

  # skeleton = /etc/skel
 

  # mailspooldir = /var/mail
 

  

- crypt_style = sha512
 

+ crypt_style = yescrypt
 

  modules = files shadow
 

  create_modules = files shadow
 

  # modules = files shadow ldap

The yescrypt hashing method is considered to be much stronger than sha512crypt and fully supported by libxcrypt. It is based on NIST-approved primitives and on par with argon2 in strength.

Fresh installed systems, as well as newly computed hashes for the UNIX shadow file should prefer this method.

See: https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow

1 new commit added

  • libuser.conf: Use yescrypt as default value for crypt_style.
2 years ago

5 new commits added

  • libuser.conf: Use yescrypt as default value for crypt_style.
  • docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
  • lib/util.c: Add yescrypt hashing method for user passwords.
  • lib/util.c: Use crypt_gensalt(), if available in libcrypt.
  • lib/util.c: bcrypt should use $2b$ as prefix for setting.
2 years ago

5 new commits added

  • libuser.conf: Use yescrypt as default value for crypt_style.
  • docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
  • lib/util.c: Add yescrypt hashing method for user passwords.
  • lib/util.c: Use crypt_gensalt(), if available in libcrypt.
  • lib/util.c: bcrypt should use $2b$ as prefix for setting.
2 years ago

@jhrozek, @mitr, @thalman: Ping. Any thoughts and/or comments?

5 new commits added

  • libuser.conf: Use yescrypt as default value for crypt_style.
  • docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
  • lib/util.c: Add yescrypt hashing method for user passwords.
  • lib/util.c: Use crypt_gensalt(), if available in libcrypt.
  • lib/util.c: bcrypt should use $2b$ as prefix for setting.
2 years ago

5 new commits added

  • libuser.conf: Use yescrypt as default value for crypt_style.
  • docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
  • lib/util.c: Add yescrypt hashing method for user passwords.
  • lib/util.c: Use crypt_gensalt(), if available in libcrypt.
  • lib/util.c: bcrypt should use $2b$ as prefix for setting.
2 years ago

From irc query with @thalman at 2021-06-21 ~11:00 UTC, for documentation purposes:

<besser82[m]> Hello Tomas
<besser82[m]> I'm pinging you because of https://pagure.io/libuser/pull-request/49
<besser82[m]> The SWC is likely to be approved today by FESCo: https://pagure.io/fesco/issue/2623
<thalman> Hi
<besser82[m]> Well, I didn't get any feddback whether from you neither jhrozek about it.
<thalman> Sorry, for the delay. I'm now quite busy with other things. But generally I do not object the patch. I will have time to do the review in three weeks.
<thalman> I hope you do not mind.
<besser82[m]> No, that's fine with me, but I need to check the schedule for F35 code-completeness.
<thalman> OK
<besser82[m]> Mass rebuild will be on Wed 2021-07-21, so it would be fine to get things finished and merged until then.
<thalman> That should be OK. I may get to it even earlier but I do not want to promise that.
<besser82[m]> I'm really busy from 07-12 to 07-16, so we hopefully can get that done in the week between 07-05 and 07-09.

Thank you for the patch, ACk

Commit 382d510 fixes this pull-request

Pull-Request has been merged by thalman
2 years ago

Pull-Request has been merged by thalman
2 years ago

Thank you! =)
Metadata
None
No Tags
Changes Summary 3
+2 -2
file changed
docs/libuser.conf.5.in
+52 -3
file changed
lib/util.c
+1 -1
file changed
libuser.conf
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.