[Pkg-shadow-commits] r1458 - in upstream/trunk: . libmisc src

nekral-guest at alioth.debian.org nekral-guest at alioth.debian.org
Sat Nov 24 13:08:09 UTC 2007


Author: nekral-guest
Date: 2007-11-24 13:08:08 +0000 (Sat, 24 Nov 2007)
New Revision: 1458

Modified:
   upstream/trunk/ChangeLog
   upstream/trunk/configure.in
   upstream/trunk/libmisc/obscure.c
   upstream/trunk/libmisc/salt.c
   upstream/trunk/src/chgpasswd.c
   upstream/trunk/src/chpasswd.c
   upstream/trunk/src/newusers.c
   upstream/trunk/src/passwd.c
Log:
* configure.in: New configure option: --with-sha-crypt enabled by
  default. Keeping the feature enabled is safe. Disabling it permits
  to disable the references to the SHA256 and SHA512 password
  encryption algorithms from the usage help and manuals (in addition
  to the support for these algorithms in the code).
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
  src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
  always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
  preprocessor condition.
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
  src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
  SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
  subset of the ENCRYPTMETHOD_SELECT sections).


Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/ChangeLog	2007-11-24 13:08:08 UTC (rev 1458)
@@ -1,5 +1,21 @@
 2007-11-24  Nicolas François  <nicolas.francois at centraliens.net>
 
+	* configure.in: New configure option: --with-sha-crypt enabled by
+	default. Keeping the feature enabled is safe. Disabling it permits
+	to disable the references to the SHA256 and SHA512 password
+	encryption algorithms from the usage help and manuals (in addition
+	to the support for these algorithms in the code).
+	* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
+	src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
+	always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
+	preprocessor condition.
+	* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
+	src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
+	SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
+	subset of the ENCRYPTMETHOD_SELECT sections).
+
+2007-11-24  Nicolas François  <nicolas.francois at centraliens.net>
+
 	* lib/encrypt.c: If we requested a non DES encryption, make sure
 	crypt returned a encrypted password longer than 13 chars. This
 	protects against the GNU crypt() which does not return NULL if the

Modified: upstream/trunk/configure.in
===================================================================
--- upstream/trunk/configure.in	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/configure.in	2007-11-24 13:08:08 UTC (rev 1458)
@@ -228,7 +228,15 @@
 AC_ARG_WITH(libcrack,
 	[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=yes if found and if PAM not enabled@:>@])],
 	[with_libcrack=$withval], [with_libcrack=no])
+AC_ARG_WITH(sha-crypt,
+	[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
+	[with_sha_crypt=$withval], [with_sha_crypt=yes])
 
+AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
+if test "$with_sha_crypt" = "yes"; then
+		AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
+fi
+
 dnl Check for some functions in libc first, only if not found check for
 dnl other libraries.  This should prevent linking libnsl if not really
 dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
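Review bot: Any `--with-sha-crypt` value other than the exact string `yes` silently builds without SHA256/SHA512, because both the `AM_CONDITIONAL` test and the `if test "$with_sha_crypt" = "yes"` guard only compare against `yes`. A typo or a value such as `YES` would leave only DES and MD5 compiled in, and the one trace is the summary line printed at the end of configure. I would reject unexpected values right after `AC_ARG_WITH`: `if test "x$with_sha_crypt" != "xyes" && test "x$with_sha_crypt" != "xno"; then AC_MSG_ERROR([--with-sha-crypt accepts only yes or no]); fi`. The two tests also quote differently (`"x$with_sha_crypt"` against `"$with_sha_crypt"`); using the `x` form in both would be consistent.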
@@ -378,4 +386,5 @@
 echo "	SELinux support:		$with_selinux"
 echo "	shadow group support:		$enable_shadowgrp"
 echo "	S/Key support:			$with_skey"
+echo "	SHA passwords encryption:	$with_sha_crypt"
 echo

Modified: upstream/trunk/libmisc/obscure.c
===================================================================
--- upstream/trunk/libmisc/obscure.c	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/libmisc/obscure.c	2007-11-24 13:08:08 UTC (rev 1458)
@@ -210,9 +210,7 @@
 	int maxlen, oldlen, newlen;
 	char *new1, *old1;
 	const char *msg;
-#ifdef ENCRYPTMETHOD_SELECT
 	char *result;
-#endif
 
 	oldlen = strlen (old);
 	newlen = strlen (new);
@@ -230,9 +228,7 @@
 	if (msg)
 		return msg;
 
-#ifdef ENCRYPTMETHOD_SELECT
 	if ((result = getdef_str ("ENCRYPT_METHOD")) == NULL) {
-#endif
 	/* The traditional crypt() truncates passwords to 8 chars.  It is
 	   possible to circumvent the above checks by choosing an easy
 	   8-char password and adding some random characters to it...
@@ -242,16 +238,17 @@
 		if (getdef_bool ("MD5_CRYPT_ENAB"))
 			return NULL;
 
-#ifdef ENCRYPTMETHOD_SELECT
 	} else {
 
-		if (!strcmp (result, "MD5") ||
-		    !strcmp (result, "SHA256") ||
-		    !strcmp (result, "SHA512"))
+		if (   !strcmp (result, "MD5")
+#ifdef USE_SHA_CRYPT
+		    || !strcmp (result, "SHA256")
+		    || !strcmp (result, "SHA512")
+#endif
+		    )
 			return NULL;
 
 	}
-#endif
 	maxlen = getdef_num ("PASS_MAX_LEN", 8);
 	if (oldlen <= maxlen && newlen <= maxlen)
 		return NULL;
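Review bot: With ENCRYPT_METHOD set to SHA256 or SHA512 in login.defs on a build without USE_SHA_CRYPT, the `else` branch no longer returns early and control falls through to the `PASS_MAX_LEN` truncation check, as if crypt() truncated the password. The passwd.c hunk that assigns `pass_max_len` has the same fall-through. This is the conservative direction for a strength check, but nothing in the code says it is intended. I would add a comment above the `if`: `/* Methods not compiled in, or unknown, are treated like DES: the PASS_MAX_LEN check below still applies. */`. The enclosing function starts and ends outside the hunk.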

Modified: upstream/trunk/libmisc/salt.c
===================================================================
--- upstream/trunk/libmisc/salt.c	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/libmisc/salt.c	2007-11-24 13:08:08 UTC (rev 1458)
@@ -58,7 +58,7 @@
  */
 #define MAGNUM(array,ch)	(array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0'
 
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 /*
  * Return the salt size.
  * The size of the salt string is between 8 and 16 bytes for the SHA crypt
@@ -187,15 +187,13 @@
 	if (NULL != meth)
 		method = meth;
 	else {
-#ifdef ENCRYPTMETHOD_SELECT
 	if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL)
-#endif
 		method = getdef_bool ("MD5_CRYPT_ENAB") ? "MD5" : "DES";
 	}
 
 	if (!strcmp (method, "MD5")) {
 		MAGNUM(result, '1');
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 	} else if (!strcmp (method, "SHA256")) {
 		MAGNUM(result, '5');
 		strcat(result, SHA_salt_rounds((int *)arg));
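Review bot: On a build without USE_SHA_CRYPT, a login.defs that sets ENCRYPT_METHOD to SHA256 or SHA512 matches none of the branches visible here, because `getdef_str ("ENCRYPT_METHOD")` is now read unconditionally while the SHA branches are compiled out. The rest of the chain is outside this hunk; if the final branch falls back to DES, new hashes would be weaker than the administrator configured. That case deserves an explicit diagnostic naming the method, for example `fprintf (stderr, _("ENCRYPT_METHOD '%s' is not supported by this build\n"), method);`, or a refusal to produce a salt at all. The function body starts before and continues after the hunk.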

Modified: upstream/trunk/src/chgpasswd.c
===================================================================
--- upstream/trunk/src/chgpasswd.c	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/src/chgpasswd.c	2007-11-24 13:08:08 UTC (rev 1458)
@@ -80,7 +80,7 @@
 			   "%s"
 			   "\n"),
 			 Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
 			 "NONE DES MD5", ""
 #else
 			 "NONE DES MD5 SHA256 SHA512",
@@ -127,7 +127,7 @@
 			{"encrypted", no_argument, NULL, 'e'},
 			{"help", no_argument, NULL, 'h'},
 			{"md5", no_argument, NULL, 'm'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			{"sha-rounds", required_argument, NULL, 's'},
 #endif
 			{NULL, 0, NULL, '\0'}
@@ -135,7 +135,7 @@
 
 		while ((c =
 			getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			             "c:ehms:",
 #else
 			             "c:ehm",
@@ -156,7 +156,7 @@
 			case 'm':
 				md5flg = 1;
 				break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			case 's':
 				sflg = 1;
 				if (!getlong(optarg, &sha_rounds)) {
@@ -195,7 +195,7 @@
 		if (   0 != strcmp (crypt_method, "DES")
 		    && 0 != strcmp (crypt_method, "MD5")
 		    && 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 		    && 0 != strcmp (crypt_method, "SHA256")
 		    && 0 != strcmp (crypt_method, "SHA512")
 #endif
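Review bot: The list of accepted methods in this `crypt_method` check is repeated with the same `#ifdef USE_SHA_CRYPT` guard in chpasswd.c and newusers.c, and again in another form in libmisc/obscure.c, libmisc/salt.c and src/passwd.c. Six hand-maintained copies can drift, so that a method accepted on the command line is no longer one the salt code can generate. A single helper in libmisc, for instance `int is_supported_crypt_method (const char *method);`, would keep the guard and the list in one place. The condition continues outside the hunk.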

Modified: upstream/trunk/src/chpasswd.c
===================================================================
--- upstream/trunk/src/chpasswd.c	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/src/chpasswd.c	2007-11-24 13:08:08 UTC (rev 1458)
@@ -77,7 +77,7 @@
 			   "%s"
 			   "\n"),
 			 Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
 			 "NONE DES MD5", ""
 #else
 			 "NONE DES MD5 SHA256 SHA512",
@@ -123,7 +123,7 @@
 			{"encrypted", no_argument, NULL, 'e'},
 			{"help", no_argument, NULL, 'h'},
 			{"md5", no_argument, NULL, 'm'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			{"sha-rounds", required_argument, NULL, 's'},
 #endif
 			{NULL, 0, NULL, '\0'}
@@ -131,7 +131,7 @@
 
 		while ((c =
 			getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			             "c:ehms:",
 #else
 			             "c:ehm",
@@ -152,7 +152,7 @@
 			case 'm':
 				md5flg = 1;
 				break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			case 's':
 				sflg = 1;
 				if (!getlong(optarg, &sha_rounds)) {
@@ -191,7 +191,7 @@
 		if (   0 != strcmp (crypt_method, "DES")
 		    && 0 != strcmp (crypt_method, "MD5")
 		    && 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 		    && 0 != strcmp (crypt_method, "SHA256")
 		    && 0 != strcmp (crypt_method, "SHA512")
 #endif

Modified: upstream/trunk/src/newusers.c
===================================================================
--- upstream/trunk/src/newusers.c	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/src/newusers.c	2007-11-24 13:08:08 UTC (rev 1458)
@@ -84,7 +84,7 @@
 			   "%s"
 			   "\n"),
 			 Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
 			 "NONE DES MD5", ""
 #else
 			 "NONE DES MD5 SHA256 SHA512",
@@ -344,7 +344,7 @@
 		static struct option long_options[] = {
 			{"crypt-method", required_argument, NULL, 'c'},
 			{"help", no_argument, NULL, 'h'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			{"sha-rounds", required_argument, NULL, 's'},
 #endif
 			{NULL, 0, NULL, '\0'}
@@ -352,7 +352,7 @@
 
 		while ((c =
 			getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			             "c:hs:",
 #else
 			             "c:h",
@@ -367,7 +367,7 @@
 			case 'h':
 				usage ();
 				break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			case 's':
 				sflg = 1;
 				if (!getlong(optarg, &sha_rounds)) {
@@ -399,7 +399,7 @@
 		if (   0 != strcmp (crypt_method, "DES")
 		    && 0 != strcmp (crypt_method, "MD5")
 		    && 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 		    && 0 != strcmp (crypt_method, "SHA256")
 		    && 0 != strcmp (crypt_method, "SHA512")
 #endif

Modified: upstream/trunk/src/passwd.c
===================================================================
--- upstream/trunk/src/passwd.c	2007-11-24 00:37:37 UTC (rev 1457)
+++ upstream/trunk/src/passwd.c	2007-11-24 13:08:08 UTC (rev 1458)
@@ -204,9 +204,7 @@
 	int i;			/* Counter for retries */
 	int warned;
 	int pass_max_len = -1;
-#ifdef ENCRYPTMETHOD_SELECT
 	char *method;
-#endif
 
 #ifdef HAVE_LIBCRACK_HIST
 	int HistUpdate (const char *, const char *);
@@ -244,21 +242,20 @@
 	 * for strength, unless it is the root user. This provides an escape
 	 * for initial login passwords.
 	 */
-#ifdef ENCRYPTMETHOD_SELECT
 	if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
-#endif
 		if (!getdef_bool ("MD5_CRYPT_ENAB"))
 			pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
-#ifdef ENCRYPTMETHOD_SELECT
 	} else {
-		if (!strcmp (method, "MD5") ||
-		    !strcmp (method, "SHA256") ||
-		    !strcmp (method, "SHA512"))
+		if (   !strcmp (method, "MD5")
+#ifdef USE_SHA_CRYPT
+		    || !strcmp (method, "SHA256")
+		    || !strcmp (method, "SHA512")
+#endif
+		    )
 			pass_max_len = -1;
 		else
 			pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
 	}
-#endif
 	if (!qflg) {
 		if (pass_max_len == -1) {
 			printf (_(



