[PATCH v4] pw_encrypt: Add option to enable bcrypt support

Andreas Helmcke ahe at helmcke.name
Wed Jan 25 18:25:36 UTC 2023


Adds an option to the Login/Password Management Utilities menu to enable bcrypt
support in passwd and chpasswd.

Add support for bcrypt to BusyBox chpasswd & passwd.

Based on patch proposed by Scott Court.

Changes to the orignal patch:
- added config option for bcrypt cost
- made code changes fully dependend on config option
- changed algorithm tag to $2b$
- help texts added for bcrypt option

Signed-off-by: Andreas Helmcke <ahe at helmcke.name>
---
  include/libbb.h       |  5 +++++
  include/usage.src.h   |  5 +++++
  libbb/pw_encrypt.c    | 14 ++++++++++++++
  loginutils/Config.src | 23 +++++++++++++++++++++++
  loginutils/chpasswd.c |  3 ++-
  5 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/include/libbb.h b/include/libbb.h
index cca33a177..6e78df974 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1777,8 +1777,13 @@ extern int obscure(const char *old, const char *newval, const struct passwd *pwd
   * (otherwise we risk having same salt generated)
   */
  extern int crypt_make_salt(char *p, int cnt /*, int rnd*/) FAST_FUNC;
+#if ENABLE_USE_BCRYPT
+/* "$NX$10$" + bcrypt_salt_24_bytes + NUL */
+#define MAX_PW_SALT_LEN (7 + 24 + 1)
+#else
  /* "$N$" + sha_salt_16_bytes + NUL */
  #define MAX_PW_SALT_LEN (3 + 16 + 1)
+#endif
  extern char* crypt_make_pw_salt(char p[MAX_PW_SALT_LEN], const char *algo) FAST_FUNC;
  
  
diff --git a/include/usage.src.h b/include/usage.src.h
index 5d2038834..d8a679ab3 100644
--- a/include/usage.src.h
+++ b/include/usage.src.h
@@ -18,8 +18,13 @@
  #define scripted_full_usage ""
  
  #if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
+#if ENABLE_USE_BCRYPT
+# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512,bcrypt" \
+	" (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
+#else
  # define CRYPT_METHODS_HELP_STR "des,md5,sha256/512" \
  	" (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
+#endif
  #else
  # define CRYPT_METHODS_HELP_STR "des,md5" \
  	" (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
index 3463fd95b..5b71a54a5 100644
--- a/libbb/pw_encrypt.c
+++ b/libbb/pw_encrypt.c
@@ -70,6 +70,20 @@ char* FAST_FUNC crypt_make_pw_salt(char salt[MAX_PW_SALT_LEN], const char *algo)
  			salt[1] = '5' + (strcasecmp(algo, "sha512") == 0);
  			len = 16/2;
  		}
+#endif
+#if ENABLE_USE_BCRYPT
+#if !ENABLE_FEATURE_BCRYPT_COST || CONFIG_FEATURE_BCRYPT_COST < 4 || CONFIG_FEATURE_BCRYPT_COST > 31
+#error Bad FEATURE_BCRYPT_COST in .config
+#endif
+		if ((algo[0]|0x20) == 'b') { /* bcrypt */
+			salt[1] = '2';
+			salt[2] = 'b';
+			*salt_ptr++ = '$';
+			*salt_ptr++ = ((CONFIG_FEATURE_BCRYPT_COST) / 10) + '0';
+			*salt_ptr++ = ((CONFIG_FEATURE_BCRYPT_COST) % 10) + '0';
+			*salt_ptr++ = '$';
+			len = 24/2;
+		}
  #endif
  	}
  	crypt_make_salt(salt_ptr, len);
diff --git a/loginutils/Config.src b/loginutils/Config.src
index cbb09646b..cdf36a55f 100644
--- a/loginutils/Config.src
+++ b/loginutils/Config.src
@@ -91,6 +91,29 @@ config USE_BB_CRYPT_SHA
  	With this option off, login will fail password check for any
  	user which has password encrypted with these algorithms.
  
+config USE_BCRYPT
+	bool "Enable bcrypt and other password hashes."
+	default n
+	depends on !USE_BB_CRYPT
+	help
+	Enable this if you use newer password hashes like bcrypt. E.g.
+	if you have passwords starting with $2a$, $2y$ or $2b$ in your
+	/etc/passwd or /etc/shadow files. Requires the use of a C
+	library that supports these hashes.
+	Adds support for bcrypt to passwd, cryptpw and chpasswd.
+
+config FEATURE_BCRYPT_COST
+	int "bcrypt cost"
+	range 4 31
+	default 10
+	depends on USE_BCRYPT
+	help
+	Cost parameter for the bcrypt hashing algorithm.
+	Specifies the number of rounds to use. Must be between 4 and 31,
+	inclusive. This value is logarithmic, the actual number of
+	iterations used will be 2**rounds – increasing the rounds by +1
+	will double the amount of time taken.
+
  INSERT
  
  endmenu
diff --git a/loginutils/chpasswd.c b/loginutils/chpasswd.c
index a032abbed..74673fa6f 100644
--- a/loginutils/chpasswd.c
+++ b/loginutils/chpasswd.c
@@ -17,7 +17,8 @@
  //config:	default "des"
  //config:	depends on PASSWD || CRYPTPW || CHPASSWD
  //config:	help
-//config:	Possible choices are "d[es]", "m[d5]", "s[ha256]" or "sha512".
+//config:	Possible choices are "d[es]", "m[d5]", "s[ha256]",
+//config:	"sha512" or "b[crypt]" (when enabled).
  
  //applet:IF_CHPASSWD(APPLET(chpasswd, BB_DIR_USR_SBIN, BB_SUID_DROP))
  
-- 
2.37.2



More information about the busybox mailing list