Blowfish

Alex Merry alexander.merry at ccc.ox.ac.uk
Thu Aug 3 14:46:58 PDT 2006


On Wed, Aug 02, 2006 at 11:11:45AM -0400, Robert Connolly wrote:
> Hi. I have a couple patches ported from the Owl blowfish patches:
> 
> http://www.topside.org/~ashes/new/glibc-2.4-owl_blowfish.patch
> http://www.topside.org/~ashes/new/shadow-4.0.17-owl_blowfish.patch
> 
> I'm not sure if sulogin needs a patch or not. I noticed sulogin.c doesn't seem 
> to care what hash you use (it used to).

sulogin only cares about the format of the password field in /etc/passwd
(for the "read /etc/passwd" fallback). valid() checks for crypt-style
passwords (13 chars, 0-9a-zA-Z./) and for md5-style passwords (starting
$1$).

The glibc crypt() function deals with the actual hashing method
selection (based on the format of the salt passed to it), so it only
matters in this fallback scenario.

I think the attached patch should fix sulogin.c.

> 
> Do we want this in HLFS?

Personally, I'd say yes...

Alex :-)


-- 
Pippin
Computer Monkey to the Pelican
www.oxrev.org.uk, www.corpusjcr.org, www.rev.org.uk
-------------- next part --------------
diff -ru sysvinit-2.86.old/src/sulogin.c sysvinit-2.86/src/sulogin.c
--- sysvinit-2.86.old/src/sulogin.c	2004-07-30 12:40:28.000000000 +0100
+++ sysvinit-2.86/src/sulogin.c	2006-08-03 22:37:46.000000000 +0100
@@ -29,7 +29,9 @@
 #endif
 
 #define CHECK_DES	1
+#define CHECK_BDES	1
 #define CHECK_MD5	1
+#define CHECK_BLOWFISH	1
 
 #define F_PASSWD	"/etc/passwd"
 #define F_SHADOW	"/etc/shadow"
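Review bot: `CHECK_BDES` is added without a comment saying which hash format it enables; the only hint anywhere in the patch is the 19-character length test in the next hunk. Put a one-line comment beside the define naming the format and where the length of 19 comes from, so the next reader can check the validation against it.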
@@ -119,8 +121,36 @@
 		return 1;
 	}
 #endif
-#if CHECK_DES
-	if (strlen(pass) != 13) return 0;
+#if CHECK_BLOWFISH
+	/*
+	 *	4 bytes for the signature $1$
+	 *	2 bytes for base 2 log of iter count (must be >4)
+	 *	$
+	 *	the MD5 hash (128 bits or 16 bytes) encoded in base64 = 22 bytes
+	 */
+	if (strncmp(pass, "$2a$", 4) == 0) {
+		s = pass + 4;
+		if (*s < '0' || *s > '9') return 0;
+		if (*(s+1) < '0' || *(s+1) > '9') return 0;
+		if (*s == '0' && *(s+1) < '4') return 0;
+
+		s = s + 2;
+		if (*s++ != '$') return 0;
+
+		if (strlen(s) != 53) return 0;
+
+		return 1;
+	}
+#endif
+#if CHECK_BDES || CHECK_DES
+	len = strlen(pass);
+#if ! CHECK_DES
+	if (len != 19) return 0;
+#elif ! CHECK_BDES
+	if (len != 13) return 0;
+#else
+	if (len != 13 && len != 19) return 0;
+#endif
 	for (s = pass; *s; s++) {
 		if ((*s < '0' || *s > '9') &&
 		    (*s < 'a' || *s > 'z') &&
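Review bot: `len` is assigned in the new `len = strlen(pass);` line under `#if CHECK_BDES || CHECK_DES`, but neither hunk adds a declaration for it, so unless the function already declares one this will not compile; add a `size_t len;` beside the existing declaration of `s`. The comment above the `$2a$` branch also looks copied from the MD5 case: it names the signature as `$1$` and describes a 22-byte MD5 hash, while the code tests for `$2a$` and a 53-character remainder, and it says the iteration count "must be >4" although `*s == '0' && *(s+1) < '4'` rejects only 00 to 03 and accepts 04. Please rewrite the comment to describe what the branch checks. Note too that this branch returns 1 on length alone, so the 53 trailing characters never reach the character-set loop that the DES path runs.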


More information about the hlfs-dev mailing list