Adds an option to the Login/Password Management Utilities menu to enable bcrypt
support in passwd and chpasswd.

Add support for bcrypt to BusyBox chpasswd & passwd.

Based on patch proposed by Scott Court.

Changes to the original patch:
- added config option for bcrypt cost
- made code changes fully dependent on config option
- changed algorithm tag to $2b$
- help texts added for bcrypt option

Signed-off-by: Andreas Helmcke <a...@helmcke.name>
---
 include/libbb.h       |  5 +++++
 include/usage.src.h   |  5 +++++
 libbb/pw_encrypt.c    | 14 ++++++++++++++
 loginutils/Config.src | 23 +++++++++++++++++++++++
 loginutils/chpasswd.c |  3 ++-
 5 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/include/libbb.h b/include/libbb.h
index cca33a177..6e78df974 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1777,8 +1777,13 @@ extern int obscure(const char *old, const char *newval, 
const struct passwd *pwd
  * (otherwise we risk having same salt generated)
  */
 extern int crypt_make_salt(char *p, int cnt /*, int rnd*/) FAST_FUNC;
+#if ENABLE_USE_BCRYPT
+/* "$NX$10$" + bcrypt_salt_24_bytes + NUL */
+#define MAX_PW_SALT_LEN (7 + 24 + 1)
+#else
 /* "$N$" + sha_salt_16_bytes + NUL */
 #define MAX_PW_SALT_LEN (3 + 16 + 1)
+#endif
 extern char* crypt_make_pw_salt(char p[MAX_PW_SALT_LEN], const char *algo) 
FAST_FUNC;
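Review bot: The new comment on MAX_PW_SALT_LEN gives the prefix as `"$NX$10$"` and the salt as 24 bytes, but the prefix carries the configured cost rather than a fixed 10, and a bcrypt setting string holds 22 encoded salt characters. The same 24 appears as `len = 24/2` in the libbb/pw_encrypt.c hunk, so the two extra characters are presumably generated and then ignored by crypt(); that should be confirmed against the target libc rather than assumed. I would reword the comment to `/* "$2b$NN$" + up to 24 salt chars (bcrypt consumes 22) + NUL */` so the next reader does not take 24 as the format's salt length.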
diff --git a/include/usage.src.h b/include/usage.src.h
index 5d2038834..d8a679ab3 100644
--- a/include/usage.src.h
+++ b/include/usage.src.h
@@ -18,8 +18,13 @@
 #define scripted_full_usage ""
#if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
+#if ENABLE_USE_BCRYPT
+# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512,bcrypt" \
+       " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
+#else
 # define CRYPT_METHODS_HELP_STR "des,md5,sha256/512" \
        " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
+#endif
 #else
 # define CRYPT_METHODS_HELP_STR "des,md5" \
        " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
index 3463fd95b..5b71a54a5 100644
--- a/libbb/pw_encrypt.c
+++ b/libbb/pw_encrypt.c
@@ -70,6 +70,20 @@ char* FAST_FUNC crypt_make_pw_salt(char 
salt[MAX_PW_SALT_LEN], const char *algo)
                        salt[1] = '5' + (strcasecmp(algo, "sha512") == 0);
                        len = 16/2;
                }
+#endif
+#if ENABLE_USE_BCRYPT
+#if !ENABLE_FEATURE_BCRYPT_COST || CONFIG_FEATURE_BCRYPT_COST < 4 || 
CONFIG_FEATURE_BCRYPT_COST > 31
+#error Bad FEATURE_BCRYPT_COST in .config
+#endif
+               if ((algo[0]|0x20) == 'b') { /* bcrypt */
+                       salt[1] = '2';
+                       salt[2] = 'b';
+                       *salt_ptr++ = '$';
+                       *salt_ptr++ = ((CONFIG_FEATURE_BCRYPT_COST) / 10) + '0';
+                       *salt_ptr++ = ((CONFIG_FEATURE_BCRYPT_COST) % 10) + '0';
+                       *salt_ptr++ = '$';
+                       len = 24/2;
+               }
 #endif
        }
        crypt_make_salt(salt_ptr, len);
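Review bot: Nothing in the added bcrypt branch guards against a libc whose crypt() does not understand `$2b$`; the only protection is the Kconfig help text asking for a supporting C library. crypt() implementations report an unsupported setting by returning NULL or a short failure token such as `*0`. The code that calls crypt() is outside this diff, so whether such a result could end up stored as a password field needs checking before the option is enabled anywhere. At minimum the branch deserves a comment such as `/* requires libc crypt() with $2b$ support; a failed crypt() must never be written as a hash */`. The enclosing function starts before the hunk and continues after it.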
diff --git a/loginutils/Config.src b/loginutils/Config.src
index cbb09646b..cdf36a55f 100644
--- a/loginutils/Config.src
+++ b/loginutils/Config.src
@@ -91,6 +91,29 @@ config USE_BB_CRYPT_SHA
        With this option off, login will fail password check for any
        user which has password encrypted with these algorithms.
+config USE_BCRYPT
+       bool "Enable bcrypt and other password hashes."
+       default n
+       depends on !USE_BB_CRYPT
+       help
+       Enable this if you use newer password hashes like bcrypt. E.g.
+       if you have passwords starting with $2a$, $2y$ or $2b$ in your
+       /etc/passwd or /etc/shadow files. Requires the use of a C
+       library that supports these hashes.
+       Adds support for bcrypt to passwd, cryptpw and chpasswd.
+
+config FEATURE_BCRYPT_COST
+       int "bcrypt cost"
+       range 4 31
+       default 10
+       depends on USE_BCRYPT
+       help
+       Cost parameter for the bcrypt hashing algorithm.
+       Specifies the number of rounds to use. Must be between 4 and 31,
+       inclusive. This value is logarithmic, the actual number of
+       iterations used will be 2**rounds – increasing the rounds by +1
+       will double the amount of time taken.
+
 INSERT
endmenu
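Review bot: The FEATURE_BCRYPT_COST help explains that each step doubles the hashing time, but not that the cost sets the price of offline guessing against a leaked shadow file, and `range 4 31` lets a build pick the minimum without any warning. I would add a help line such as `Lower values make stored hashes cheaper to brute-force; keep the default unless the target CPU cannot afford it.` The USE_BCRYPT prompt also says "and other password hashes" while the visible code only adds `$2b$` generation, so `bool "Enable bcrypt password hashes"` would describe it more accurately.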
diff --git a/loginutils/chpasswd.c b/loginutils/chpasswd.c
index a032abbed..74673fa6f 100644
--- a/loginutils/chpasswd.c
+++ b/loginutils/chpasswd.c
@@ -17,7 +17,8 @@
 //config:      default "des"
 //config:      depends on PASSWD || CRYPTPW || CHPASSWD
 //config:      help
-//config:      Possible choices are "d[es]", "m[d5]", "s[ha256]" or "sha512".
+//config:      Possible choices are "d[es]", "m[d5]", "s[ha256]",
+//config:      "sha512" or "b[crypt]" (when enabled).
//applet:IF_CHPASSWD(APPLET(chpasswd, BB_DIR_USR_SBIN, BB_SUID_DROP)) --
2.37.2
