[PATCH v4] pw_encrypt: Add option to enable bcrypt support
Andreas Helmcke
ahe at helmcke.name
Wed Jan 25 18:25:36 UTC 2023
Adds an option to the Login/Password Management Utilities menu to enable bcrypt
support in passwd and chpasswd.
Add support for bcrypt to BusyBox chpasswd & passwd.
Based on patch proposed by Scott Court.
Changes to the original patch:
- added config option for bcrypt cost
- made code changes fully dependent on config option
- changed algorithm tag to $2b$
- help texts added for bcrypt option
Signed-off-by: Andreas Helmcke <ahe at helmcke.name>
---
include/libbb.h | 5 +++++
include/usage.src.h | 5 +++++
libbb/pw_encrypt.c | 14 ++++++++++++++
loginutils/Config.src | 23 +++++++++++++++++++++++
loginutils/chpasswd.c | 3 ++-
5 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/include/libbb.h b/include/libbb.h
index cca33a177..6e78df974 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1777,8 +1777,13 @@ extern int obscure(const char *old, const char *newval, const struct passwd *pwd
* (otherwise we risk having same salt generated)
*/
extern int crypt_make_salt(char *p, int cnt /*, int rnd*/) FAST_FUNC;
+#if ENABLE_USE_BCRYPT
+/* "$NX$10$" + bcrypt_salt_24_bytes + NUL */
+#define MAX_PW_SALT_LEN (7 + 24 + 1)
+#else
/* "$N$" + sha_salt_16_bytes + NUL */
#define MAX_PW_SALT_LEN (3 + 16 + 1)
+#endif
extern char* crypt_make_pw_salt(char p[MAX_PW_SALT_LEN], const char *algo) FAST_FUNC;
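Review bot: The new comment "$NX$10$" + bcrypt_salt_24_bytes + NUL reads as if the cost were a fixed 10, while the digits actually written come from CONFIG_FEATURE_BCRYPT_COST. Suggest describing the prefix as "$2b$NN$" (NN = two-digit cost) so the 7 in (7 + 24 + 1) is self-explanatory, and noting that the 24 has to stay in step with the len chosen in crypt_make_pw_salt(), since every caller's salt buffer is sized from this macro.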
diff --git a/include/usage.src.h b/include/usage.src.h
index 5d2038834..d8a679ab3 100644
--- a/include/usage.src.h
+++ b/include/usage.src.h
@@ -18,8 +18,13 @@
#define scripted_full_usage ""
#if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
+#if ENABLE_USE_BCRYPT
+# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512,bcrypt" \
+ " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
+#else
# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512" \
" (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
+#endif
#else
# define CRYPT_METHODS_HELP_STR "des,md5" \
" (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
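Review bot: The bcrypt variant of CRYPT_METHODS_HELP_STR duplicates the whole two-line definition only to append ",bcrypt", so the two copies can drift apart when the list changes. Suggest a single definition with the suffix made conditional, for example "des,md5,sha256/512" IF_USE_BCRYPT(",bcrypt"), which also removes the nested #if/#else/#endif.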
diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
index 3463fd95b..5b71a54a5 100644
--- a/libbb/pw_encrypt.c
+++ b/libbb/pw_encrypt.c
@@ -70,6 +70,20 @@ char* FAST_FUNC crypt_make_pw_salt(char salt[MAX_PW_SALT_LEN], const char *algo)
salt[1] = '5' + (strcasecmp(algo, "sha512") == 0);
len = 16/2;
}
+#endif
+#if ENABLE_USE_BCRYPT
+#if !ENABLE_FEATURE_BCRYPT_COST || CONFIG_FEATURE_BCRYPT_COST < 4 || CONFIG_FEATURE_BCRYPT_COST > 31
+#error Bad FEATURE_BCRYPT_COST in .config
+#endif
+ if ((algo[0]|0x20) == 'b') { /* bcrypt */
+ salt[1] = '2';
+ salt[2] = 'b';
+ *salt_ptr++ = '$';
+ *salt_ptr++ = ((CONFIG_FEATURE_BCRYPT_COST) / 10) + '0';
+ *salt_ptr++ = ((CONFIG_FEATURE_BCRYPT_COST) % 10) + '0';
+ *salt_ptr++ = '$';
+ len = 24/2;
+ }
#endif
}
crypt_make_salt(salt_ptr, len);
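Review bot: "len = 24/2" in the bcrypt branch asks crypt_make_salt() for 24 salt characters, but the salt field of a bcrypt setting string is 22 characters, so the last two are at best ignored by crypt(). Suggest "len = 22/2" with MAX_PW_SALT_LEN reduced to match, or a comment here stating why 24 is intended. The branch is also keyed only on the first letter, "(algo[0]|0x20) == 'b'", so any algorithm name beginning with "b" selects bcrypt; that matches the other branches but deserves a mention in the option help.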
diff --git a/loginutils/Config.src b/loginutils/Config.src
index cbb09646b..cdf36a55f 100644
--- a/loginutils/Config.src
+++ b/loginutils/Config.src
@@ -91,6 +91,29 @@ config USE_BB_CRYPT_SHA
With this option off, login will fail password check for any
user which has password encrypted with these algorithms.
+config USE_BCRYPT
+ bool "Enable bcrypt and other password hashes."
+ default n
+ depends on !USE_BB_CRYPT
+ help
+ Enable this if you use newer password hashes like bcrypt. E.g.
+ if you have passwords starting with $2a$, $2y$ or $2b$ in your
+ /etc/passwd or /etc/shadow files. Requires the use of a C
+ library that supports these hashes.
+ Adds support for bcrypt to passwd, cryptpw and chpasswd.
+
+config FEATURE_BCRYPT_COST
+ int "bcrypt cost"
+ range 4 31
+ default 10
+ depends on USE_BCRYPT
+ help
+ Cost parameter for the bcrypt hashing algorithm.
+ Specifies the number of rounds to use. Must be between 4 and 31,
+ inclusive. This value is logarithmic, the actual number of
+ iterations used will be 2**rounds – increasing the rounds by +1
+ will double the amount of time taken.
+
INSERT
endmenu
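Review bot: The USE_BCRYPT prompt "Enable bcrypt and other password hashes." and the first help paragraph promise more than the option gates: the only code under ENABLE_USE_BCRYPT in this patch is generation of a "$2b$" salt, the larger MAX_PW_SALT_LEN and the help string. Suggest a prompt limited to bcrypt and either dropping "and other password hashes" or naming them. In the FEATURE_BCRYPT_COST help, "2**rounds – increasing" contains a non-ASCII dash and switches between "rounds" and "cost"; plain ASCII and one term throughout would be clearer, and it is worth stating that the cost is fixed at build time and applies only to newly set passwords.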
diff --git a/loginutils/chpasswd.c b/loginutils/chpasswd.c
index a032abbed..74673fa6f 100644
--- a/loginutils/chpasswd.c
+++ b/loginutils/chpasswd.c
@@ -17,7 +17,8 @@
//config: default "des"
//config: depends on PASSWD || CRYPTPW || CHPASSWD
//config: help
-//config: Possible choices are "d[es]", "m[d5]", "s[ha256]" or "sha512".
+//config: Possible choices are "d[es]", "m[d5]", "s[ha256]",
+//config: "sha512" or "b[crypt]" (when enabled).
//applet:IF_CHPASSWD(APPLET(chpasswd, BB_DIR_USR_SBIN, BB_SUID_DROP))
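Review bot: The added help line says "b[crypt]" (when enabled) without saying what enables it. Suggest naming the option, for example "b[crypt]" (requires USE_BCRYPT), so that someone who sets the default algorithm to bcrypt can tell from this text which option has to be turned on as well.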
--
2.37.2