Add patch to use yescrypt for new user passwords, fixes rhbz#1976334 Signed-off-by: Björn Esser <besser82@fedoraproject.org>
From c4048b11d205762c9cb61ead4c81ba5f49640520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Sun, 27 Jun 2021 21:06:15 +0000
Subject: [PATCH] act-user: Use stronger hashing methods in make_crypted() if
available.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
meson.build | 16 +++++++++++++++-
src/libaccountsservice/act-user.c | 31 ++++++++++++++++++++++++-------
2 files changed, 39 insertions(+), 8 deletions(-)
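diff --git a/meson.build b/meson.build
index 4465a26..1c42062 100644
--- a/meson.build
+++ b/meson.build
@@ -123,7 +123,21 @@ gio_unix_dep = dependency('gio-unix-2.0')
 glib_dep = dependency('glib-2.0', version: '>= 2.44')
 polkit_gobject_dep = dependency('polkit-gobject-1')
 
-crypt_dep = cc.find_library('crypt')
+# Using libxcrypt >= 4 we can be sure `crypt_gensalt (NULL, 0, NULL, 0)`
+# always returns a setting that is valid to use with `crypt (pw, setting)`.
+#
+# The setting returned will specify (depending on the system's
+# configuration of libxcrypt) in order of preferrence either
+# yescrypt "$y$", (gost-yescrypt "$gy$), bcrypt "$2b$" or sha512crypt "$6$"
+# as hash method, with a sufficient amount of cost or rounds and a random
+# salt drawn from secure system ressources with at least 128 bits.
+# (96 bits for sha512crypt, as more is not supported by this method, since
+# the effectively used maximum is 16 base64-encoded characters)
+crypt_dep = dependency('libxcrypt', required: false, version: '>= 4')
+config_h.set('HAVE_CRYPT_GENSALT', crypt_dep.found())
+if not crypt_dep.found()
+ crypt_dep = cc.find_library('crypt')
+endif
 
 dbus_dep = dependency('dbus-1')
 dbus_conf_dir = join_paths(dbus_dep.get_pkgconfig_variable('sysconfdir', define_variable: ['sysconfdir', act_sysconfdir]), 'dbus-1', 'system.d')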
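Review bot: The fallback under `if not crypt_dep.found()` is silent, so a build that does not find libxcrypt >= 4 quietly compiles the `#else` path in act-user.c and new passwords get sha512crypt with a GRand-generated salt rather than the system default that the comment describes. Make the downgrade visible at configure time, for example with `warning('libxcrypt >= 4 not found, new password hashes fall back to sha512crypt')` as the first line of that branch. The comment block would also be clearer if it said that HAVE_CRYPT_GENSALT is left undefined in that case.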
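diff --git a/src/libaccountsservice/act-user.c b/src/libaccountsservice/act-user.c
index e66acb1..5485cbe 100644
--- a/src/libaccountsservice/act-user.c
+++ b/src/libaccountsservice/act-user.c
@@ -1589,18 +1589,25 @@ act_user_set_account_type (ActUser *user,
 }
 }
 
-static gchar
+#ifdef HAVE_CRYPT_GENSALT
+static gchar *
+generate_salt_for_crypt_hash (void)
+{
+ return g_strdup (crypt_gensalt (NULL, 0, NULL, 0));
+}
+#else
+static const gchar
 salt_char (GRand *rand)
 {
- gchar salt[] = "ABCDEFGHIJKLMNOPQRSTUVXYZ"
- "abcdefghijklmnopqrstuvxyz"
- "./0123456789";
+ const gchar salt[] = "ABCDEFGHIJKLMNOPQRSTUVXYZ"
+ "abcdefghijklmnopqrstuvxyz"
+ "./0123456789";
 
 return salt[g_rand_int_range (rand, 0, G_N_ELEMENTS (salt))];
 }
 
 static gchar *
-make_crypted (const gchar *plain)
+generate_salt_for_crypt_hash (void)
 {
 g_autoptr(GString) salt = NULL;
 g_autoptr(GRand) rand = NULL;
@@ -1609,14 +1616,24 @@ make_crypted (const gchar *plain)
 rand = g_rand_new ();
 salt = g_string_sized_new (21);
 
- /* SHA 256 */
+ /* sha512crypt */
 g_string_append (salt, "$6$");
 for (i = 0; i < 16; i++) {
 g_string_append_c (salt, salt_char (rand));
 }
 g_string_append_c (salt, '$');
 
- return g_strdup (crypt (plain, salt->str));
+ return g_strdup (salt->str);
+}
+#endif
+
+static gchar *
+make_crypted (const gchar *plain)
+{
+ g_autofree char *salt = NULL;
+
+ salt = generate_salt_for_crypt_hash ();
+ return g_strdup (crypt (plain, salt));
 }
 
 /**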
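Review bot: make_crypted() uses the results of generate_salt_for_crypt_hash() and crypt() without checking either, so a failed crypt_gensalt() (NULL) or a failed crypt() (NULL, or with libxcrypt a failure token beginning with `*`) is handed back to the caller as if it were a password hash. Checking both and returning NULL on failure keeps the existing return type; how the callers treat NULL is outside this hunk and should be confirmed. Separately, in the `#else` branch `G_N_ELEMENTS (salt)` counts the string's terminating NUL and the upper bound of g_rand_int_range() is exclusive, so salt_char() can return `'\0'` and cut the salt short; `G_N_ELEMENTS (salt) - 1` excludes it.

```c
static gchar *
make_crypted (const gchar *plain)
{
        g_autofree char *salt = NULL;
        const char *hash;

        salt = generate_salt_for_crypt_hash ();
        if (salt == NULL)
                return NULL;

        hash = crypt (plain, salt);
        /* libxcrypt signals failure with a short token starting with '*' */
        if (hash == NULL || hash[0] == '*')
                return NULL;

        return g_strdup (hash);
}
```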
--
2.31.1