diff options
| author | Björn Esser <besser82@fedoraproject.org> | 2021-06-27 21:06:15 +0000 |
|---|---|---|
| committer | Ray Strode <halfline@gmail.com> | 2021-06-27 21:06:15 +0000 |
| commit | c4048b11d205762c9cb61ead4c81ba5f49640520 (patch) | |
| tree | e863d28968555f75b91648232aea0e049cd8867f | |
| parent | 2c5c80d1cd5f03616c8ca0f6cf69048c63f21dfd (diff) | |
act-user: Use stronger hashing methods in make_crypted() if available.
| -rw-r--r-- | meson.build | 16 | ||||
| -rw-r--r-- | src/libaccountsservice/act-user.c | 31 |
2 files changed, 39 insertions, 8 deletions
diff --git a/meson.build b/meson.build index a866229..7d4dd77 100644 --- a/meson.build +++ b/meson.build @@ -146,7 +146,21 @@ gio_unix_dep = dependency('gio-unix-2.0') glib_dep = dependency('glib-2.0', version: '>= ' + glib_min_version) polkit_gobject_dep = dependency('polkit-gobject-1') -crypt_dep = cc.find_library('crypt') +# Using libxcrypt >= 4 we can be sure `crypt_gensalt (NULL, 0, NULL, 0)` +# always returns a setting that is valid to use with `crypt (pw, setting)`. +# +# The setting returned will specify (depending on the system's +# configuration of libxcrypt) in order of preferrence either +# yescrypt "$y$", (gost-yescrypt "$gy$), bcrypt "$2b$" or sha512crypt "$6$" +# as hash method, with a sufficient amount of cost or rounds and a random +# salt drawn from secure system ressources with at least 128 bits. +# (96 bits for sha512crypt, as more is not supported by this method, since +# the effectively used maximum is 16 base64-encoded characters) +crypt_dep = dependency('libxcrypt', required: false, version: '>= 4') +config_h.set('HAVE_CRYPT_GENSALT', crypt_dep.found()) +if not crypt_dep.found() + crypt_dep = cc.find_library('crypt') +endif dbus_dep = dependency('dbus-1') if dbus_dep.version().version_compare('>=1.9.18') diff --git a/src/libaccountsservice/act-user.c b/src/libaccountsservice/act-user.c index bc92cf4..33c6493 100644 --- a/src/libaccountsservice/act-user.c +++ b/src/libaccountsservice/act-user.c @@ -1624,18 +1624,25 @@ act_user_set_account_type (ActUser *user, } } -static gchar +#ifdef HAVE_CRYPT_GENSALT +static gchar * +generate_salt_for_crypt_hash (void) +{ + return g_strdup (crypt_gensalt (NULL, 0, NULL, 0)); +} +#else +static const gchar salt_char (GRand *rand) { - gchar salt[] = "ABCDEFGHIJKLMNOPQRSTUVXYZ" - "abcdefghijklmnopqrstuvxyz" - "./0123456789"; + const gchar salt[] = "ABCDEFGHIJKLMNOPQRSTUVXYZ" + "abcdefghijklmnopqrstuvxyz" + "./0123456789"; return salt[g_rand_int_range (rand, 0, G_N_ELEMENTS (salt))]; } static gchar * -make_crypted (const gchar *plain) +generate_salt_for_crypt_hash (void) { g_autoptr(GString) salt = NULL; g_autoptr(GRand) rand = NULL; @@ -1644,14 +1651,24 @@ make_crypted (const gchar *plain) rand = g_rand_new (); salt = g_string_sized_new (21); - /* SHA 256 */ + /* sha512crypt */ g_string_append (salt, "$6$"); for (i = 0; i < 16; i++) { g_string_append_c (salt, salt_char (rand)); } g_string_append_c (salt, '$'); - return g_strdup (crypt (plain, salt->str)); + return g_strdup (salt->str); +} +#endif + +static gchar * +make_crypted (const gchar *plain) +{ + g_autofree char *salt = NULL; + + salt = generate_salt_for_crypt_hash (); + return g_strdup (crypt (plain, salt)); } /** |