Attachment #152839 for bug #182518

Lines 290-295 typedef __useconds_t useconds_t; Link Here

(-)b/include/unistd.h (-3 / +3 lines)
290	#define _SC_NPROCESSORS_CONF 57	290	#define _SC_NPROCESSORS_CONF 57
291	#define _SC_NPROCESSORS_ONLN 58	291	#define _SC_NPROCESSORS_ONLN 58
292	#define _SC_CPUSET_SIZE 122	292	#define _SC_CPUSET_SIZE 122
		293	#define CRYPT_FORMAT_MAX_LEN 20 /* currently strlen("$6$rounds=999999999$") == 20 */
		294	#define CRYPT_SALT_MAX_LEN (CRYPT_FORMAT_MAX_LEN + 17) /* currently strlen("$6$rounds=999999999$AAAABBBBCCCCDDDD$") == 37 */
293	#endif	295	#endif
294		296
295	/* Extensions found in Solaris and Linux. */	297	/* Extensions found in Solaris and Linux. */
Lines 487-495 struct timeval; /* select(2) */ Link Here
487	int acct(const char *);	489	int acct(const char *);
488	int async_daemon(void);	490	int async_daemon(void);
489	int check_utility_compat(const char *);	491	int check_utility_compat(const char *);
490	const char *	492	int crypt_makesalt(char , const char , size_t *);
491	crypt_get_format(void);
492	int crypt_set_format(const char *);
493	int des_cipher(const char , char , long, int);	493	int des_cipher(const char , char , long, int);
494	int des_setkey(const char *key);	494	int des_setkey(const char *key);
495	int dup3(int, int, int);	495	int dup3(int, int, int);

Lines 16-22 SRCS= crypt.c misc.c \ Link Here

(-)b/lib/libcrypt/Makefile (-1 lines)
16	crypt-sha256.c sha256c.c \	16	crypt-sha256.c sha256c.c \
17	crypt-sha512.c sha512c.c	17	crypt-sha512.c sha512c.c
18	MAN= crypt.3	18	MAN= crypt.3
19	MLINKS= crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
20	CFLAGS+= -I${.CURDIR}/../libmd -I${.CURDIR}/../libutil	19	CFLAGS+= -I${.CURDIR}/../libmd -I${.CURDIR}/../libutil
21		20
22	# Pull in the strong crypto, if it is present.	21	# Pull in the strong crypto, if it is present.

Lines 49-56 crypt_md5(const char pw, const char salt) Link Here

(-)b/lib/libcrypt/crypt-md5.c (-2 / +3 lines)
49	int sl, pl;	49	int sl, pl;
50	u_int i;	50	u_int i;
51	u_char final[MD5_SIZE];	51	u_char final[MD5_SIZE];
52	static const char sp, ep;	52	const char sp, ep;
53	static char passwd[120], *p;	53	static __thread char passwd[120];
		54	char *p;
54	static const char *magic = "$1$";	55	static const char *magic = "$1$";
55		56
56	/* Refine the Salt first */	57	/* Refine the Salt first */

Lines 51-59 crypt_nthash(const char pw, const char salt __unused) Link Here

(-)b/lib/libcrypt/crypt-nthash.c (-2 / +2 lines)
51	{	51	{
52	size_t unipwLen;	52	size_t unipwLen;
53	int i, j;	53	int i, j;
54	static char hexconvtab[] = "0123456789abcdef";	54	static const char hexconvtab[] = "0123456789abcdef";
55	static const char *magic = "$3$";	55	static const char *magic = "$3$";
56	static char passwd[120];	56	static __thread char passwd[120];
57	u_int16_t unipw[128];	57	u_int16_t unipw[128];
58	char final[MD4_SIZE*2 + 1];	58	char final[MD4_SIZE*2 + 1];
59	u_char hash[MD4_SIZE];	59	u_char hash[MD4_SIZE];

Lines 274-281 crypt_sha256(const char key, const char salt) Link Here

(-)b/lib/libcrypt/crypt-sha256.c (-2 / +2 lines)
274	* password. We can compute an upper bound for the size of the	274	* password. We can compute an upper bound for the size of the
275	* result in advance and so we can prepare the buffer we pass to	275	* result in advance and so we can prepare the buffer we pass to
276	* `crypt_sha256_r'. */	276	* `crypt_sha256_r'. */
277	static char *buffer;	277	static __thread char *buffer;
278	static int buflen;	278	static __thread int buflen;
279	int needed;	279	int needed;
280	char *new_buffer;	280	char *new_buffer;
281		281

Lines 286-293 crypt_sha512(const char key, const char salt) Link Here

(-)b/lib/libcrypt/crypt-sha512.c (-2 / +2 lines)
286	* password. We can compute an upper bound for the size of the	286	* password. We can compute an upper bound for the size of the
287	* result in advance and so we can prepare the buffer we pass to	287	* result in advance and so we can prepare the buffer we pass to
288	* `crypt_sha512_r'. */	288	* `crypt_sha512_r'. */
289	static char *buffer;	289	static __thread char *buffer;
290	static int buflen;	290	static __thread int buflen;
291	int needed;	291	int needed;
292	char *new_buffer;	292	char *new_buffer;
293		293




__FBSDID("$FreeBSD: head/lib/libcrypt/crypt.c 272830 2014-10-09 16:45:11Z des $");

#include <sys/types.h>
#include <sys/param.h>

#include <libutil.h>
#include <string.h>
#include <unistd.h>
#include <regex.h>
#include <stdbool.h>
#include <stdlib.h>

#include <stdio.h>

#include "crypt.h"

/*
 * List of supported crypt(3) formats.
 *
 * Ordered from most probable to least probable[1], for the find algorithm to 
 * preform a little better in some cases.  Generally, order is not important.
 *
 * 1. as guessed by a random person
 *
 */
static const struct crypt_format {
	const char *const name;
	char *(*const func)(const char *, const char *);
	const char *const magic;
	const char *const default_format;
	const char *const format_regex;
	
	const uint8_t salt_bytes;
	const bool salt_trailing_sign;	/* do we tack on a $ at the end of the salt */
} crypt_formats[] = {
	{ "md5",	crypt_md5,	"$1$",	"$1$",		"^\\$1\\$$",				8,	true	},
	{ "sha512",	crypt_sha512,	"$6$",	"$6$",		"^\\$6\\$(rounds=[0-9]{0,9}\\$)?$",	16,	true	},
#ifdef HAS_BLOWFISH
	{ "blf",	crypt_blowfish,	"$2",	"$2b$04$",	"^\\$2[ab]?\\$[0-9]{2}\\$$",		22 /* 16 * 1.333 */,	false	},
#endif
	{ "nth",	crypt_nthash,		"$3$"	},
	{ "sha256",	crypt_sha256,		"$5$"	},
	{ "sha512",	crypt_sha512,		"$6$"	},
#ifdef HAS_DES
	{ "des",	crypt_des,	NULL,	"",		NULL,					2,	false	},
	{ "des-ext",	crypt_des,	"_",	"_..T.",	"^_[A-Za-z0-9./]{4}$",			4,	false	},
#endif
	{ "nth",	crypt_nthash,	"$3$",	"$3$",		"^\\$3\\$$",				0,	false	},
	{ "sha256",	crypt_sha256,	"$5$",	"$5$",		"^\\$5\\$(rounds=[0-9]{0,9}\\$)?$",	16,	true	},
	
	/* sentinel */
	{ NULL,		NULL,		NULL,	NULL,		NULL,	0,	NULL	}
};

#ifdef HAS_DES
/* must be des if system has des */
static const char default_format[] = "des";
#else 
static const char default_format[] = "sha512";
#endif

/* local-scope only */
static const struct crypt_format *crypt_find_format(const char *);
static bool crypt_validate_format_regex(const char *, const char *);
static bool crypt_format_is_modular(const char*);

#define DES_SALT_ALPHABET \
	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

int
crypt_makesalt(char *out, const char *format, size_t *outlen)
{
	const struct crypt_format *cf;
	char rand_buf[4];
	size_t reqsz;
	const char *prefix;
	size_t prefix_len;
	size_t diff;
	unsigned int i;
	
	/* find the appropriate format entry */
	cf = crypt_find_format(format);
	if (cf == NULL )
		return (0);
	
	/* calculate required output size */
	if (crypt_format_is_modular(format) ) {
		prefix = format;
	} else {
		prefix = cf->default_format;
	}
	prefix_len = strlen(prefix);
	reqsz = prefix_len + (size_t) cf->salt_bytes;
	
	if (cf->salt_trailing_sign)
		reqsz++;
	
	/* trailing '\0' */
	reqsz++;
	
	/* does the output buff have enough */
	if (reqsz > *outlen) {
		*outlen = reqsz;
		return (0);
	}
	
	/* start building our output */
	strncpy(out, prefix, *outlen);
	out += prefix_len;
	
	for (i = 0; i < cf->salt_bytes; i += 4 ) {
		arc4random_buf(rand_buf, 3);
		
		diff = MIN(cf->salt_bytes - i, 4);
		b64_from_24bit((uint8_t) rand_buf[2], (uint8_t) rand_buf[1], (uint8_t) rand_buf[0], diff, (int *) &(diff), &out);
	}
	
	/* cleanup */
	bzero(rand_buf, sizeof(rand_buf) );
	
	if (cf->salt_trailing_sign) {
		out[0] = '$';
		out++;
	}
	
	/* don't need to add trailing '\0', strncpy above will have set it already */
	
	return (1);
}

static bool
crypt_format_validate_regex(const char* regex, const char *format) 
{
	regex_t regex_c;
	int res = 0;
	
	/* We could cache these, but they are simple, and this function won't be
	 * called often.
	 */
	if (regcomp(&regex_c, regex, REG_EXTENDED) != 0) {
		return false;
	}
	
	res = regexec(&regex_c, format, 0, NULL, 0);
	regfree(&regex_c);
	
	return !res;
}

static bool
crypt_format_is_modular(const char* format) 
{
	/* we'll treat 'new des' as modular, because they can set 24 bits of count via salt */
	return (format[0] == '$' || format[0] == '_');
}

static const struct crypt_format *
crypt_find_format(const char *format)
 */
int
crypt_set_format(const char *format)
{
	const struct crypt_format *cf;
	
	if (strcmp(format, "default") == 0 ) {
		format = default_format;
	}
	
	if (crypt_format_is_modular(format) ) {
		/* modular crypt magic lookup, force full syntax */
		for (cf = crypt_formats; cf->name != NULL; ++cf) {
			if (cf->magic != NULL && strstr(format, cf->magic) == format && crypt_format_validate_regex(cf->format_regex, format) ) {
				return cf;
			}
		}
	} else {
		/* name lookup */
		for (cf = crypt_formats; cf->name != NULL; ++cf) {
			if (strcasecmp(cf->name, format) == 0) {
				return cf;
			}
		}
	}
	
	return NULL;
}

/*

#ifdef HAS_DES
	int len;
#endif
	
	/* use the magic in the salt for lookup */
	for (cf = crypt_formats; cf->name != NULL; ++cf)
		if (cf->magic != NULL && strstr(salt, cf->magic) == salt)
			return (cf->func(passwd, salt));

#ifdef HAS_DES
	/* check if it's standard des */
	len = strlen(salt);
	if ((len == 13 || len == 2) && strspn(salt, DES_SALT_ALPHABET) == len)
		return (crypt_des(passwd, salt));
#endif

	cf = crypt_find_format(default_format);
	return (cf->func(passwd, salt));
}

Lines 9-12 ATF_TESTS_C= crypt_tests Link Here

(-)b/lib/libcrypt/tests/Makefile (+5 lines)
9	CFLAGS+= -I${.CURDIR:H}	9	CFLAGS+= -I${.CURDIR:H}
10	LIBADD= crypt	10	LIBADD= crypt
11		11
		12	# Pull in the strong crypto, if it is present.
		13	.if exists(${.CURDIR}/../../../secure/lib/libcrypt)
		14	CFLAGS+= -DHAS_DES -DHAS_BLOWFISH
		15	.endif
		16
12	.include <bsd.test.mk>	17	.include <bsd.test.mk>




#include <sys/types.h>
#include <crypt.h>
#include <unistd.h>
#include <stdio.h>

#include <atf-c.h>


	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(md5invalid);
ATF_TC_HEAD(md5invalid, tc)
{

	atf_tc_set_md_var(tc, "descr", "Tests that md5invalid password fails");
}

ATF_TC_BODY(md5invalid, tc)
{
	const char want[] = "$1$cafebabe$0Huu6KHrKLVWfqa4WljDE0";
	char *pw;

	ATF_CHECK(strcmp(pw, want) != 0);
}

ATF_TC(sha256_vector_1);
ATF_TC_HEAD(sha256_vector_1, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
}

ATF_TC_BODY(sha256_vector_1, tc)
{
	const char want[] = "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5";
	char *pw;

	pw = crypt("Hello world!", "$5$saltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha256_vector_2);
ATF_TC_HEAD(sha256_vector_2, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
}

ATF_TC_BODY(sha256_vector_2, tc)
{
	const char want[] = "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
		"opqey6IcA";
	char *pw;

	pw = crypt("Hello world!", "$5$rounds=10000$saltstringsaltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha256_vector_3);
ATF_TC_HEAD(sha256_vector_3, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
}

ATF_TC_BODY(sha256_vector_3, tc)
{
	const char want[] = "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
		"mGRcvxa5";
	char *pw;

	pw = crypt("This is just a test", "$5$rounds=5000$toolongsaltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha256_vector_4);
ATF_TC_HEAD(sha256_vector_4, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
}

ATF_TC_BODY(sha256_vector_4, tc)
{
	const char want[] = "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
		"oP84Bnq1";
	char *pw;

	pw = crypt("a very much longer text to encrypt.  This one even stretches over more"
		"than one line.", "$5$rounds=1400$anotherlongsaltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha256_vector_5);
ATF_TC_HEAD(sha256_vector_5, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
}

ATF_TC_BODY(sha256_vector_5, tc)
{
	const char want[] = "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/";
	char *pw;

	pw = crypt("we have a short salt string but not a short password", "$5$rounds=77777$short");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha256_vector_6);
ATF_TC_HEAD(sha256_vector_6, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
}

ATF_TC_BODY(sha256_vector_6, tc)
{
	const char want[] = "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
		"cZKmF/wJvD";
	char *pw;

	pw = crypt("a short string", "$5$rounds=123456$asaltof16chars..");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha256_vector_7);
ATF_TC_HEAD(sha256_vector_7, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
}

ATF_TC_BODY(sha256_vector_7, tc)
{
	const char want[] = "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
		"2bIC";
	char *pw;

	pw = crypt("the minimum number is still observed", "$5$rounds=10$roundstoolow");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha512_vector_1);
ATF_TC_HEAD(sha512_vector_1, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
}

ATF_TC_BODY(sha512_vector_1, tc)
{
	const char want[] = "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
		"esI68u4OTLiBFdcbYEdFCoEOfaS35inz1";
	char *pw;

	pw = crypt("Hello world!", "$6$saltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha512_vector_2);
ATF_TC_HEAD(sha512_vector_2, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
}

ATF_TC_BODY(sha512_vector_2, tc)
{
	const char want[] = "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
		"HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v.";
	char *pw;

	pw = crypt("Hello world!", "$6$rounds=10000$saltstringsaltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha512_vector_3);
ATF_TC_HEAD(sha512_vector_3, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
}

ATF_TC_BODY(sha512_vector_3, tc)
{
	const char want[] = "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
		"zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0";
	char *pw;

	pw = crypt("This is just a test", "$6$rounds=5000$toolongsaltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha512_vector_4);
ATF_TC_HEAD(sha512_vector_4, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
}

ATF_TC_BODY(sha512_vector_4, tc)
{
	const char want[] = "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
		"vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1";
	char *pw;

	pw = crypt("a very much longer text to encrypt.  This one even stretches over more"
		"than one line.", "$6$rounds=1400$anotherlongsaltstring");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha512_vector_5);
ATF_TC_HEAD(sha512_vector_5, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
}

ATF_TC_BODY(sha512_vector_5, tc)
{
	const char want[] = "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
		"ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0";
	char *pw;

	pw = crypt("we have a short salt string but not a short password", "$6$rounds=77777$short");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha512_vector_6);
ATF_TC_HEAD(sha512_vector_6, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
}

ATF_TC_BODY(sha512_vector_6, tc)
{
	const char want[] = "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
		"elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1";
	char *pw;

	pw = crypt("a short string", "$6$rounds=123456$asaltof16chars..");
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(sha512_vector_7);
ATF_TC_HEAD(sha512_vector_7, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
}

ATF_TC_BODY(sha512_vector_7, tc)
{
	const char want[] = "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
		"hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.";
	char *pw;

	pw = crypt("the minimum number is still observed", "$6$rounds=10$roundstoolow");
	ATF_CHECK_STREQ(pw, want);
}

#ifdef HAS_BLOWFISH	
ATF_TC(blf_vector_1);
ATF_TC_HEAD(blf_vector_1, tc)
{
	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 1");
}

ATF_TC_BODY(blf_vector_1, tc)
{
	const char want[] = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW";
	char *pw;
	
	pw = crypt("U*U", want);
	
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(blf_vector_2);
ATF_TC_HEAD(blf_vector_2, tc)
{
	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 2");
}

ATF_TC_BODY(blf_vector_2, tc)
{
	const char want[] = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK";
	char *pw;
	
	pw = crypt("U*U*", want);
	
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(blf_vector_3);
ATF_TC_HEAD(blf_vector_3, tc)
{
	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 3 - long password");
}

ATF_TC_BODY(blf_vector_3, tc)
{
	const char want[] = "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui";
	char *pw;
	
	pw = crypt("0123456789abcdefghijklmnopqrstuvwxyz"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
		"chars after 72 are ignored", want);
	
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(blf_vector_4);
ATF_TC_HEAD(blf_vector_4, tc)
{
	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 4");
}

ATF_TC_BODY(blf_vector_4, tc)
{
	const char want[] = "$2b$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e";
	char *pw;
	
	pw = crypt("\xff\xff\xa3", want);
	
	ATF_CHECK_STREQ(pw, want);
}

ATF_TC(blf_vector_5);
ATF_TC_HEAD(blf_vector_5, tc)
{
	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 5 - ensure our $2a$05$ matches the $2y$05$");
}

ATF_TC_BODY(blf_vector_5, tc)
{
	const char want[] = "$2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e";
	char *pw;
	
	pw = crypt("\xff\xa3" "345", want);
	
	ATF_CHECK_STREQ(pw, want);
}

#endif	

/*
 * This function must not do anything except enumerate
 * the test cases, per atf-c-api(3).
 */
ATF_TP_ADD_TCS(tp)
{

	ATF_TP_ADD_TC(tp, md5);
	ATF_TP_ADD_TC(tp, md5invalid);
	
	ATF_TP_ADD_TC(tp, sha256_vector_1);
	ATF_TP_ADD_TC(tp, sha256_vector_2);
	ATF_TP_ADD_TC(tp, sha256_vector_3);
	ATF_TP_ADD_TC(tp, sha256_vector_4);
/*
	ATF_TP_ADD_TC(tp, sha256_vector_5);
	ATF_TP_ADD_TC(tp, sha256_vector_6);
*/
	ATF_TP_ADD_TC(tp, sha256_vector_7);
	
	ATF_TP_ADD_TC(tp, sha512_vector_1);
	ATF_TP_ADD_TC(tp, sha512_vector_2);
	ATF_TP_ADD_TC(tp, sha512_vector_3);
	ATF_TP_ADD_TC(tp, sha512_vector_4);
/*
	ATF_TP_ADD_TC(tp, sha512_vector_5);
	ATF_TP_ADD_TC(tp, sha512_vector_6);
*/
	ATF_TP_ADD_TC(tp, sha512_vector_7);

#ifdef HAS_BLOWFISH	
	ATF_TP_ADD_TC(tp, blf_vector_1);
	ATF_TP_ADD_TC(tp, blf_vector_2);
	ATF_TP_ADD_TC(tp, blf_vector_3);
	ATF_TP_ADD_TC(tp, blf_vector_4);
	ATF_TP_ADD_TC(tp, blf_vector_5);
#endif	

	return atf_no_error();
}




#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

#define PASSWORD_HASH		"md5"
#define DEFAULT_WARN		(2L * 7L * 86400L)  /* Two weeks */
#define	SALTSIZE		32

#define	LOCKED_PREFIX		"*LOCKED*"
#define	LOCKED_PREFIX_LEN	(sizeof(LOCKED_PREFIX) - 1)

static void makesalt(char []);

static char password_hash[] =		PASSWORD_HASH;

#define PAM_OPT_LOCAL_PASS	"local_pass"
#define PAM_OPT_NIS_PASS	"nis_pass"


	struct ypclnt *ypclnt;
	const void *yp_domain, *yp_server;
#endif
	char salt[CRYPT_SALT_MAX_LEN + 1];
	size_t salt_sz;
	login_cap_t *lc;
	struct passwd *pwd, *old_pwd;
	const char *user, *old_pass, *new_pass;
	char *encrypted;
	time_t passwordtime;
	int pfd, tfd, retval;
	const char *passwd_format;

	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
		pwd = getpwnam(getlogin());

			return (PAM_BUF_ERR);

		lc = login_getclass(pwd->pw_class);
		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
			openpam_log(PAM_LOG_ERROR,
			    "can't set password cipher, relying on default");
		
		salt_sz = sizeof(salt);
		passwd_format = login_getcapstr(lc, "passwd_format", "", NULL);
		if (!crypt_makesalt(salt, passwd_format, &salt_sz) ) {
			login_close(lc);
			
			if (salt_sz == sizeof(salt) ) {
				PAM_LOG("Unable to create salt for crypt(3) format: %s", passwd_format);
			} else {
				PAM_LOG("Not enough space in buffer to create salt for format: %s. CRYPT_SALT_MAX_LEN is wrong. Buffer size: %zu, required: %zu", passwd_format, sizeof(salt), salt_sz);
			}
			
			return (PAM_SERVICE_ERR);
		}
				
		/* set password expiry date */
		pwd->pw_change = 0;
		passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);

			pwd->pw_change = time(NULL) + passwordtime;
		
		login_close(lc);
		makesalt(salt);
		pwd->pw_passwd = crypt(new_pass, salt);
#ifdef YP
		switch (old_pwd->pw_fields & _PWF_SOURCE) {

	return (retval);
}

/* Mostly stolen from passwd(1)'s local_passwd.c - markm */

static unsigned char itoa64[] =		/* 0 ... 63 => ascii - 64 */
	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static void
to64(char *s, long v, int n)
{
	while (--n >= 0) {
		*s++ = itoa64[v&0x3f];
		v >>= 6;
	}
}

/* Salt suitable for traditional DES and MD5 */
static void
makesalt(char salt[SALTSIZE + 1])
{
	int i;

	/* These are not really random numbers, they are just
	 * numbers that change to thwart construction of a
	 * dictionary.
	 */
	for (i = 0; i < SALTSIZE; i += 4)
		to64(&salt[i], arc4random(), 4);
	salt[SALTSIZE] = '\0';
}

PAM_MODULE_ENTRY("pam_unix");




	hexdump.c humanize_number.c kinfo_getfile.c kinfo_getfile.c \
	kinfo_getallproc.c kinfo_getproc.c kinfo_getvmmap.c kld.c \
	login_auth.c login_cap.c \
	login_class.c login_ok.c login_times.c login_tty.c \
	pidfile.c property.c pty.c pw_util.c quotafile.c realhostname.c \
	trimdomain.c uucplock.c
INCS=	libutil.h login_cap.h

CFLAGS+= -DLIBC_SCCS

	login_cap.3 login_getcaptime.3 login_cap.3 login_getclass.3 \
	login_cap.3 login_getclassbyname.3 login_cap.3 login_getpath.3 \
	login_cap.3 login_getpwclass.3 login_cap.3 login_getstyle.3 \
	login_cap.3 login_getuserclass.3
MLINKS+=login_class.3 setclasscontext.3 login_class.3 setclassenvironment.3 \
	login_class.3 setclassresources.3 login_class.3 setusercontext.3
MLINKS+=login_ok.3 auth_hostok.3 login_ok.3 auth_timeok.3 \

Lines 114-120 rlim_t login_getcapnum(login_cap_t , const char , rlim_t, rlim_t); Link Here

(-)b/lib/libutil/login_cap.h (-1 lines)
114	rlim_t login_getcapsize(login_cap_t , const char , rlim_t, rlim_t);	114	rlim_t login_getcapsize(login_cap_t , const char , rlim_t, rlim_t);
115	const char login_getpath(login_cap_t , const char , const char );	115	const char login_getpath(login_cap_t , const char , const char );
116	int login_getcapbool(login_cap_t , const char , int);	116	int login_getcapbool(login_cap_t , const char , int);
117	const char login_setcryptfmt(login_cap_t , const char , const char );
118		117
119	int setclasscontext(const char *, unsigned int);	118	int setclasscontext(const char *, unsigned int);
120	void setclasscpumask(login_cap_t *);	119	void setclasscpumask(login_cap_t *);




/*-
 * Copyright (c) 2000 Brian Fundakowski Feldman
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: head/lib/libutil/login_crypt.c 94202 2002-04-08 11:04:56Z ru $");

#include <sys/types.h>

#include <login_cap.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

const char *
login_setcryptfmt(login_cap_t *lc, const char *def, const char *error) {
	const char *cipher;

	cipher = login_getcapstr(lc, "passwd_format", def, NULL);
	if (getenv("CRYPT_DEBUG") != NULL)
		fprintf(stderr, "login_setcryptfmt: "
		    "passwd_format = %s\n", cipher);
	if (cipher == NULL)
		return (error);
	if (!crypt_set_format(cipher))
		return (error);
	return (cipher);
}




/*-
 * Copyright (c) 2000 Brian Fundakowski Feldman
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: head/lib/libutil/stub.c 121193 2003-10-18 10:04:16Z markm $");

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Stub out what's in -lcrypt.
 */

#pragma weak crypt_set_format
/* ARGSUSED */
int
crypt_set_format(const char *f __unused) {

	if (getenv("CRYPT_DEBUG") != NULL)
		fprintf(stderr, "crypt_set_format: eek, stub called!\n");
	return (0);
}

Lines 75-81 __FBSDID("$FreeBSD: head/secure/lib/libcrypt/crypt-blowfish.c 265995 2014-05-14 Link Here

(-)b/secure/lib/libcrypt/crypt-blowfish.c (-1 / +1 lines)
75	static void encode_base64(u_int8_t , u_int8_t , u_int16_t);	75	static void encode_base64(u_int8_t , u_int8_t , u_int16_t);
76	static void decode_base64(u_int8_t , u_int16_t, const u_int8_t );	76	static void decode_base64(u_int8_t , u_int16_t, const u_int8_t );
77		77
78	static char encrypted[_PASSWORD_LEN];	78	static __thread char encrypted[_PASSWORD_LEN];
79		79
80	const static u_int8_t Base64Code[] =	80	const static u_int8_t Base64Code[] =
81	"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";	81	"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

Lines 119-125 char const *boolean_str(int val); Link Here

(-)b/usr.sbin/pw/pw.h (-1 / +1 lines)
119	char newstr(char const p);	119	char newstr(char const p);
120		120
121	void pw_log(struct userconf * cnf, int mode, int which, char const * fmt,...) __printflike(4, 5);	121	void pw_log(struct userconf * cnf, int mode, int which, char const * fmt,...) __printflike(4, 5);
122	char pw_pwcrypt(char password);	122	char pw_pwcrypt(const char password, const char *format);
123		123
124	extern const char *Modes[];	124	extern const char *Modes[];
125	extern const char *Which[];	125	extern const char *Which[];

Lines 215-221 pw_group(struct userconf * cnf, int mode, struct cargs * args) Link Here

(-)b/usr.sbin/pw/pw_group.c (-1 / +1 lines)
215	return EX_DATAERR;	215	return EX_DATAERR;
216	grp->gr_passwd = line;	216	grp->gr_passwd = line;
217	} else	217	} else
218	grp->gr_passwd = pw_pwcrypt(line);	218	grp->gr_passwd = pw_pwcrypt(line, "default");
219	}	219	}
220	}	220	}
221		221




static time_t   pw_exppolicy(struct userconf * cnf, struct cargs * args);
static char    *pw_homepolicy(struct userconf * cnf, struct cargs * args, char const * user);
static char    *pw_shellpolicy(struct userconf * cnf, struct cargs * args, char *newshell);
static char    *pw_password(struct userconf * cnf, struct cargs * args, char const * user, const char * format);
static char    *shell_path(char const * path, char *shells[], char *sh);
static void     rmat(uid_t uid);
static void     rmopie(char const * name);

		if ((arg = getarg(args, 'w')) != NULL &&
		    getarg(args, 'h') == NULL && getarg(args, 'H') == NULL) {
			login_cap_t *lc;
			char passwd_format[CRYPT_FORMAT_MAX_LEN + 1];

			lc = login_getpwclass(pwd);
			strncpy(passwd_format, login_getcapstr(lc, "passwd_format", "", NULL), sizeof(passwd_format));
			    login_setcryptfmt(lc, "sha512", NULL) == NULL)
				warn("setting crypt(3) format");
			login_close(lc);
			
			pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name, passwd_format);
			edited = 1;
		}

	} else {
		login_cap_t *lc;
		char passwd_format[CRYPT_FORMAT_MAX_LEN + 1];

		/*
		 * Add code

		pwd->pw_dir = pw_homepolicy(cnf, args, pwd->pw_name);
		pwd->pw_shell = pw_shellpolicy(cnf, args, NULL);
		lc = login_getpwclass(pwd);
		strncpy(passwd_format, login_getcapstr(lc, "passwd_format", "", NULL), sizeof(passwd_format) );
			warn("setting crypt(3) format");
		login_close(lc);
		pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name, passwd_format);
		edited = 1;

		if (pwd->pw_uid == 0 && strcmp(pwd->pw_name, "root") != 0)

			int             istty = isatty(fd);
			struct termios  t;
			login_cap_t	*lc;
			char passwd_format[CRYPT_FORMAT_MAX_LEN + 1];

			if (istty) {
				if (tcgetattr(fd, &t) == -1)

				pwd->pw_passwd = line;
			} else {
				lc = login_getpwclass(pwd);
				strncpy(passwd_format, login_getcapstr(lc, "passwd_format", "", NULL), sizeof(passwd_format));
				    login_setcryptfmt(lc, "sha512", NULL) == NULL)
					warn("setting crypt(3) format");
				login_close(lc);
				pwd->pw_passwd = pw_pwcrypt(line, passwd_format);
			}
			edited = 1;
		}

	return shell_path(cnf->shelldir, cnf->shells, sh ? sh : cnf->shell_default);
}

#define	SALTSIZE	32

static char const chars[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./";

char           *
pw_pwcrypt(const char *password, const char *format)
{
	char            salt[CRYPT_SALT_MAX_LEN + 1];
	size_t		salt_sz = sizeof(salt);
	char		*cryptpw;

	static char     buf[_PASSWORD_LEN + 1];
	
	if (!crypt_makesalt(salt, format, &salt_sz) ) {
		if (salt_sz == sizeof(salt) ) {
			errx(EX_CONFIG, "Unable to create salt for crypt(3) format: %s", format);
		} else {
			/* really shouldn't get here */
			errx(EX_CONFIG, "Not enough space to write salt to buffer.  CRYPT_SALT_MAX_LEN is wrong.");
		}
	}

	cryptpw = crypt(password, salt);
	if (cryptpw == NULL)



static char    *
pw_password(struct userconf * cnf, struct cargs * args, char const * user, const char * format)
{
	static char const chars[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./!@#$%^&*()-+=<>?";
	int             i, l;
	char            pwbuf[32];


		strlcpy(pwbuf, user, sizeof(pwbuf));
		break;
	}
	return pw_pwcrypt(pwbuf, format);
}



Return to bug 182518

Lines 59-65 static time_t pw_pwdpolicy(struct userconf * cnf, struct cargs * args); Link Here

(-)b/usr.sbin/pw/pw_user.c (-29 / +27 lines)
59	static time_t pw_exppolicy(struct userconf * cnf, struct cargs * args);	59	static time_t pw_exppolicy(struct userconf * cnf, struct cargs * args);
60	static char pw_homepolicy(struct userconf cnf, struct cargs * args, char const * user);	60	static char pw_homepolicy(struct userconf cnf, struct cargs * args, char const * user);
61	static char pw_shellpolicy(struct userconf cnf, struct cargs * args, char *newshell);	61	static char pw_shellpolicy(struct userconf cnf, struct cargs * args, char *newshell);
62	static char pw_password(struct userconf cnf, struct cargs * args, char const * user);	62	static char pw_password(struct userconf cnf, struct cargs * args, char const * user, const char * format);
63	static char shell_path(char const path, char shells[], char sh);	63	static char shell_path(char const path, char shells[], char sh);
64	static void rmat(uid_t uid);	64	static void rmat(uid_t uid);
65	static void rmopie(char const * name);	65	static void rmopie(char const * name);
Lines 583-600 pw_user(struct userconf * cnf, int mode, struct cargs * args) Link Here
583	if ((arg = getarg(args, 'w')) != NULL &&	583	if ((arg = getarg(args, 'w')) != NULL &&
584	getarg(args, 'h') == NULL && getarg(args, 'H') == NULL) {	584	getarg(args, 'h') == NULL && getarg(args, 'H') == NULL) {
585	login_cap_t *lc;	585	login_cap_t *lc;
		586	char passwd_format[CRYPT_FORMAT_MAX_LEN + 1];
586		587
587	lc = login_getpwclass(pwd);	588	lc = login_getpwclass(pwd);
588	if (lc == NULL \|\|	589	strncpy(passwd_format, login_getcapstr(lc, "passwd_format", "", NULL), sizeof(passwd_format));
589	login_setcryptfmt(lc, "sha512", NULL) == NULL)
590	warn("setting crypt(3) format");
591	login_close(lc);	590	login_close(lc);
592	pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name);	591
		592	pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name, passwd_format);
593	edited = 1;	593	edited = 1;
594	}	594	}
595		595
596	} else {	596	} else {
597	login_cap_t *lc;	597	login_cap_t *lc;
		598	char passwd_format[CRYPT_FORMAT_MAX_LEN + 1];
598		599
599	/*	600	/*
600	* Add code	601	* Add code
Lines 618-627 pw_user(struct userconf * cnf, int mode, struct cargs * args) Link Here
618	pwd->pw_dir = pw_homepolicy(cnf, args, pwd->pw_name);	619	pwd->pw_dir = pw_homepolicy(cnf, args, pwd->pw_name);
619	pwd->pw_shell = pw_shellpolicy(cnf, args, NULL);	620	pwd->pw_shell = pw_shellpolicy(cnf, args, NULL);
620	lc = login_getpwclass(pwd);	621	lc = login_getpwclass(pwd);
621	if (lc == NULL \|\| login_setcryptfmt(lc, "sha512", NULL) == NULL)	622	strncpy(passwd_format, login_getcapstr(lc, "passwd_format", "", NULL), sizeof(passwd_format) );
622	warn("setting crypt(3) format");
623	login_close(lc);	623	login_close(lc);
624	pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name);	624	pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name, passwd_format);
625	edited = 1;	625	edited = 1;
626		626
627	if (pwd->pw_uid == 0 && strcmp(pwd->pw_name, "root") != 0)	627	if (pwd->pw_uid == 0 && strcmp(pwd->pw_name, "root") != 0)
Lines 653-658 pw_user(struct userconf * cnf, int mode, struct cargs * args) Link Here
653	int istty = isatty(fd);	653	int istty = isatty(fd);
654	struct termios t;	654	struct termios t;
655	login_cap_t *lc;	655	login_cap_t *lc;
		656	char passwd_format[CRYPT_FORMAT_MAX_LEN + 1];
656		657
657	if (istty) {	658	if (istty) {
658	if (tcgetattr(fd, &t) == -1)	659	if (tcgetattr(fd, &t) == -1)
Lines 692-702 pw_user(struct userconf * cnf, int mode, struct cargs * args) Link Here
692	pwd->pw_passwd = line;	693	pwd->pw_passwd = line;
693	} else {	694	} else {
694	lc = login_getpwclass(pwd);	695	lc = login_getpwclass(pwd);
695	if (lc == NULL \|\|	696	strncpy(passwd_format, login_getcapstr(lc, "passwd_format", "", NULL), sizeof(passwd_format));
696	login_setcryptfmt(lc, "sha512", NULL) == NULL)
697	warn("setting crypt(3) format");
698	login_close(lc);	697	login_close(lc);
699	pwd->pw_passwd = pw_pwcrypt(line);	698	pwd->pw_passwd = pw_pwcrypt(line, passwd_format);
700	}	699	}
701	edited = 1;	700	edited = 1;
702	}	701	}
Lines 1082-1106 pw_shellpolicy(struct userconf * cnf, struct cargs * args, char *newshell) Link Here
1082	return shell_path(cnf->shelldir, cnf->shells, sh ? sh : cnf->shell_default);	1081	return shell_path(cnf->shelldir, cnf->shells, sh ? sh : cnf->shell_default);
1083	}	1082	}
1084		1083
1085	#define SALTSIZE 32
1086
1087	static char const chars[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./";
1088
1089	char *	1084	char *
1090	pw_pwcrypt(char *password)	1085	pw_pwcrypt(const char password, const char format)
1091	{	1086	{
1092	int i;	1087	char salt[CRYPT_SALT_MAX_LEN + 1];
1093	char salt[SALTSIZE + 1];	1088	size_t salt_sz = sizeof(salt);
1094	char *cryptpw;	1089	char *cryptpw;
1095		1090
1096	static char buf[256];	1091	static char buf[_PASSWORD_LEN + 1];
1097		1092
1098	/*	1093	if (!crypt_makesalt(salt, format, &salt_sz) ) {
1099	* Calculate a salt value	1094	if (salt_sz == sizeof(salt) ) {
1100	*/	1095	errx(EX_CONFIG, "Unable to create salt for crypt(3) format: %s", format);
1101	for (i = 0; i < SALTSIZE; i++)	1096	} else {
1102	salt[i] = chars[arc4random_uniform(sizeof(chars) - 1)];	1097	/* really shouldn't get here */
1103	salt[SALTSIZE] = '\0';	1098	errx(EX_CONFIG, "Not enough space to write salt to buffer. CRYPT_SALT_MAX_LEN is wrong.");
		1099	}
		1100	}
1104		1101
1105	cryptpw = crypt(password, salt);	1102	cryptpw = crypt(password, salt);
1106	if (cryptpw == NULL)	1103	if (cryptpw == NULL)
Lines 1110-1117 pw_pwcrypt(char *password) Link Here
1110		1107
1111		1108
1112	static char *	1109	static char *
1113	pw_password(struct userconf * cnf, struct cargs * args, char const * user)	1110	pw_password(struct userconf * cnf, struct cargs * args, char const * user, const char * format)
1114	{	1111	{
		1112	static char const chars[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./!@#$%^&*()-+=<>?";
1115	int i, l;	1113	int i, l;
1116	char pwbuf[32];	1114	char pwbuf[32];
1117		1115
Lines 1145-1151 pw_password(struct userconf * cnf, struct cargs * args, char const * user) Link Here
1145	strlcpy(pwbuf, user, sizeof(pwbuf));	1143	strlcpy(pwbuf, user, sizeof(pwbuf));
1146	break;	1144	break;
1147	}	1145	}
1148	return pw_pwcrypt(pwbuf);	1146	return pw_pwcrypt(pwbuf, format);
1149	}	1147	}
1150		1148
1151		1149

Lines 29-101 Link Here

(-)b/lib/libcrypt/crypt.c (-34 / +148 lines)
29	__FBSDID("$FreeBSD: head/lib/libcrypt/crypt.c 272830 2014-10-09 16:45:11Z des $");	29	__FBSDID("$FreeBSD: head/lib/libcrypt/crypt.c 272830 2014-10-09 16:45:11Z des $");
30		30
31	#include <sys/types.h>	31	#include <sys/types.h>
		32	#include <sys/param.h>
32		33
33	#include <libutil.h>	34	#include <libutil.h>
34	#include <string.h>	35	#include <string.h>
35	#include <unistd.h>	36	#include <unistd.h>
		37	#include <regex.h>
		38	#include <stdbool.h>
		39	#include <stdlib.h>
		40
		41	#include <stdio.h>
36		42
37	#include "crypt.h"	43	#include "crypt.h"
38		44
39	/*	45	/*
40	* List of supported crypt(3) formats.	46	* List of supported crypt(3) formats.
41	*	47	*
42	* The default algorithm is the last entry in the list (second-to-last	48	* Ordered from most probable to least probable[1], for the find algorithm to
43	* array element since the last is a sentinel). The reason for placing	49	* preform a little better in some cases. Generally, order is not important.
44	* the default last rather than first is that DES needs to be at the	50	*
45	* bottom for the algorithm guessing logic in crypt(3) to work correctly,	51	* 1. as guessed by a random person
46	* and it needs to be the default for backward compatibility.	52	*
47	*/	53	*/
48	static const struct crypt_format {	54	static const struct crypt_format {
49	const char *const name;	55	const char *const name;
50	char (const func)(const char , const char );	56	char (const func)(const char , const char );
51	const char *const magic;	57	const char *const magic;
		58	const char *const default_format;
		59	const char *const format_regex;
		60
		61	const uint8_t salt_bytes;
		62	const bool salt_trailing_sign; /* do we tack on a $ at the end of the salt */
52	} crypt_formats[] = {	63	} crypt_formats[] = {
53	{ "md5", crypt_md5, "$1$" },	64	{ "md5", crypt_md5, "$1$", "$1$", "^\\$1\\$$", 8, true },
		65	{ "sha512", crypt_sha512, "$6$", "$6$", "^\\$6\\$(rounds=[0-9]{0,9}\\$)?$", 16, true },
54	#ifdef HAS_BLOWFISH	66	#ifdef HAS_BLOWFISH
55	{ "blf", crypt_blowfish, "$2" },	67	{ "blf", crypt_blowfish, "$2", "$2b$04$", "^\\$2[ab]?\\$[0-9]{2}\\$$", 22 /* 16 * 1.333 */, false },
56	#endif	68	#endif
57	{ "nth", crypt_nthash, "$3$" },
58	{ "sha256", crypt_sha256, "$5$" },
59	{ "sha512", crypt_sha512, "$6$" },
60	#ifdef HAS_DES	69	#ifdef HAS_DES
61	{ "des", crypt_des, "_" },	70	{ "des", crypt_des, NULL, "", NULL, 2, false },
		71	{ "des-ext", crypt_des, "_", "_..T.", "^_[A-Za-z0-9./]{4}$", 4, false },
62	#endif	72	#endif
63		73	{ "nth", crypt_nthash, "$3$", "$3$", "^\\$3\\$$", 0, false },
		74	{ "sha256", crypt_sha256, "$5$", "$5$", "^\\$5\\$(rounds=[0-9]{0,9}\\$)?$", 16, true },
		75
64	/* sentinel */	76	/* sentinel */
65	{ NULL, NULL, NULL }	77	{ NULL, NULL, NULL, NULL, NULL, 0, NULL }
66	};	78	};
67		79
68	static const struct crypt_format *crypt_format =	80	#ifdef HAS_DES
69	&crypt_formats[(sizeof crypt_formats / sizeof *crypt_formats) - 2];	81	/* must be des if system has des */
		82	static const char default_format[] = "des";
		83	#else
		84	static const char default_format[] = "sha512";
		85	#endif
		86
		87	/* local-scope only */
		88	static const struct crypt_format crypt_find_format(const char );
		89	static bool crypt_validate_format_regex(const char , const char );
		90	static bool crypt_format_is_modular(const char*);
70		91
71	#define DES_SALT_ALPHABET \	92	#define DES_SALT_ALPHABET \
72	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"	93	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
73		94
74	/*	95	int
75	* Returns the name of the currently selected format.	96	crypt_makesalt(char out, const char format, size_t *outlen)
76	*/	97	{
77	const char *	98	const struct crypt_format *cf;
78	crypt_get_format(void)	99	char rand_buf[4];
		100	size_t reqsz;
		101	const char *prefix;
		102	size_t prefix_len;
		103	size_t diff;
		104	unsigned int i;
		105
		106	/* find the appropriate format entry */
		107	cf = crypt_find_format(format);
		108	if (cf == NULL )
		109	return (0);
		110
		111	/* calculate required output size */
		112	if (crypt_format_is_modular(format) ) {
		113	prefix = format;
		114	} else {
		115	prefix = cf->default_format;
		116	}
		117	prefix_len = strlen(prefix);
		118	reqsz = prefix_len + (size_t) cf->salt_bytes;
		119
		120	if (cf->salt_trailing_sign)
		121	reqsz++;
		122
		123	/* trailing '\0' */
		124	reqsz++;
		125
		126	/* does the output buff have enough */
		127	if (reqsz > *outlen) {
		128	*outlen = reqsz;
		129	return (0);
		130	}
		131
		132	/* start building our output */
		133	strncpy(out, prefix, *outlen);
		134	out += prefix_len;
		135
		136	for (i = 0; i < cf->salt_bytes; i += 4 ) {
		137	arc4random_buf(rand_buf, 3);
		138
		139	diff = MIN(cf->salt_bytes - i, 4);
		140	b64_from_24bit((uint8_t) rand_buf[2], (uint8_t) rand_buf[1], (uint8_t) rand_buf[0], diff, (int *) &(diff), &out);
		141	}
		142
		143	/* cleanup */
		144	bzero(rand_buf, sizeof(rand_buf) );
		145
		146	if (cf->salt_trailing_sign) {
		147	out[0] = '$';
		148	out++;
		149	}
		150
		151	/* don't need to add trailing '\0', strncpy above will have set it already */
		152
		153	return (1);
		154	}
		155
		156	static bool
		157	crypt_format_validate_regex(const char* regex, const char *format)
79	{	158	{
		159	regex_t regex_c;
		160	int res = 0;
		161
		162	/* We could cache these, but they are simple, and this function won't be
		163	* called often.
		164	*/
		165	if (regcomp(&regex_c, regex, REG_EXTENDED) != 0) {
		166	return false;
		167	}
		168
		169	res = regexec(&regex_c, format, 0, NULL, 0);
		170	regfree(&regex_c);
		171
		172	return !res;
		173	}
80		174
81	return (crypt_format->name);	175	static bool
		176	crypt_format_is_modular(const char* format)
		177	{
		178	/* we'll treat 'new des' as modular, because they can set 24 bits of count via salt */
		179	return (format[0] == '$' \|\| format[0] == '_');
82	}	180	}
83		181
84	/*	182	static const struct crypt_format *
85	* Selects the format to use for subsequent crypt(3) invocations.	183	crypt_find_format(const char *format)
86	*/
87	int
88	crypt_set_format(const char *format)
89	{	184	{
90	const struct crypt_format *cf;	185	const struct crypt_format *cf;
91		186
92	for (cf = crypt_formats; cf->name != NULL; ++cf) {	187	if (strcmp(format, "default") == 0 ) {
93	if (strcasecmp(cf->name, format) == 0) {	188	format = default_format;
94	crypt_format = cf;	189	}
95	return (1);	190
		191	if (crypt_format_is_modular(format) ) {
		192	/* modular crypt magic lookup, force full syntax */
		193	for (cf = crypt_formats; cf->name != NULL; ++cf) {
		194	if (cf->magic != NULL && strstr(format, cf->magic) == format && crypt_format_validate_regex(cf->format_regex, format) ) {
		195	return cf;
		196	}
		197	}
		198	} else {
		199	/* name lookup */
		200	for (cf = crypt_formats; cf->name != NULL; ++cf) {
		201	if (strcasecmp(cf->name, format) == 0) {
		202	return cf;
		203	}
96	}	204	}
97	}	205	}
98	return (0);	206
		207	return NULL;
99	}	208	}
100		209
101	/*	210	/*
Lines 110-123 crypt(const char passwd, const char salt) Link Here
110	#ifdef HAS_DES	219	#ifdef HAS_DES
111	int len;	220	int len;
112	#endif	221	#endif
113		222
		223	/* use the magic in the salt for lookup */
114	for (cf = crypt_formats; cf->name != NULL; ++cf)	224	for (cf = crypt_formats; cf->name != NULL; ++cf)
115	if (cf->magic != NULL && strstr(salt, cf->magic) == salt)	225	if (cf->magic != NULL && strstr(salt, cf->magic) == salt)
116	return (cf->func(passwd, salt));	226	return (cf->func(passwd, salt));
		227
117	#ifdef HAS_DES	228	#ifdef HAS_DES
		229	/* check if it's standard des */
118	len = strlen(salt);	230	len = strlen(salt);
119	if ((len == 13 \|\| len == 2) && strspn(salt, DES_SALT_ALPHABET) == len)	231	if ((len == 13 \|\| len == 2) && strspn(salt, DES_SALT_ALPHABET) == len)
120	return (crypt_des(passwd, salt));	232	return (crypt_des(passwd, salt));
121	#endif	233	#endif
122	return (crypt_format->func(passwd, salt));	234
		235	cf = crypt_find_format(default_format);
		236	return (cf->func(passwd, salt));
123	}	237	}

Lines 4-9 __FBSDID("$FreeBSD: head/lib/libcrypt/tests/crypt_tests.c 256365 2013-10-12 06:0 Link Here

(-)b/lib/libcrypt/tests/crypt_tests.c (-6 / +344 lines)
4	#include <sys/types.h>	4	#include <sys/types.h>
5	#include <crypt.h>	5	#include <crypt.h>
6	#include <unistd.h>	6	#include <unistd.h>
		7	#include <stdio.h>
7		8
8	#include <atf-c.h>	9	#include <atf-c.h>
9		10
Lines 25-38 ATF_TC_BODY(md5, tc) Link Here
25	ATF_CHECK_STREQ(pw, want);	26	ATF_CHECK_STREQ(pw, want);
26	}	27	}
27		28
28	ATF_TC(invalid);	29	ATF_TC(md5invalid);
29	ATF_TC_HEAD(invalid, tc)	30	ATF_TC_HEAD(md5invalid, tc)
30	{	31	{
31		32
32	atf_tc_set_md_var(tc, "descr", "Tests that invalid password fails");	33	atf_tc_set_md_var(tc, "descr", "Tests that md5invalid password fails");
33	}	34	}
34		35
35	ATF_TC_BODY(invalid, tc)	36	ATF_TC_BODY(md5invalid, tc)
36	{	37	{
37	const char want[] = "$1$cafebabe$0Huu6KHrKLVWfqa4WljDE0";	38	const char want[] = "$1$cafebabe$0Huu6KHrKLVWfqa4WljDE0";
38	char *pw;	39	char *pw;
Lines 41-54 ATF_TC_BODY(invalid, tc) Link Here
41	ATF_CHECK(strcmp(pw, want) != 0);	42	ATF_CHECK(strcmp(pw, want) != 0);
42	}	43	}
43		44
		45	ATF_TC(sha256_vector_1);
		46	ATF_TC_HEAD(sha256_vector_1, tc)
		47	{
		48	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
		49	}
		50
		51	ATF_TC_BODY(sha256_vector_1, tc)
		52	{
		53	const char want[] = "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5";
		54	char *pw;
		55
		56	pw = crypt("Hello world!", "$5$saltstring");
		57	ATF_CHECK_STREQ(pw, want);
		58	}
		59
		60	ATF_TC(sha256_vector_2);
		61	ATF_TC_HEAD(sha256_vector_2, tc)
		62	{
		63	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
		64	}
		65
		66	ATF_TC_BODY(sha256_vector_2, tc)
		67	{
		68	const char want[] = "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
		69	"opqey6IcA";
		70	char *pw;
		71
		72	pw = crypt("Hello world!", "$5$rounds=10000$saltstringsaltstring");
		73	ATF_CHECK_STREQ(pw, want);
		74	}
		75
		76	ATF_TC(sha256_vector_3);
		77	ATF_TC_HEAD(sha256_vector_3, tc)
		78	{
		79	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
		80	}
		81
		82	ATF_TC_BODY(sha256_vector_3, tc)
		83	{
		84	const char want[] = "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
		85	"mGRcvxa5";
		86	char *pw;
		87
		88	pw = crypt("This is just a test", "$5$rounds=5000$toolongsaltstring");
		89	ATF_CHECK_STREQ(pw, want);
		90	}
		91
		92	ATF_TC(sha256_vector_4);
		93	ATF_TC_HEAD(sha256_vector_4, tc)
		94	{
		95	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
		96	}
		97
		98	ATF_TC_BODY(sha256_vector_4, tc)
		99	{
		100	const char want[] = "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
		101	"oP84Bnq1";
		102	char *pw;
		103
		104	pw = crypt("a very much longer text to encrypt. This one even stretches over more"
		105	"than one line.", "$5$rounds=1400$anotherlongsaltstring");
		106	ATF_CHECK_STREQ(pw, want);
		107	}
		108
109	ATF_TC(sha256_vector_5);
110	ATF_TC_HEAD(sha256_vector_5, tc)
111	{
112	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
113	}
114
115	ATF_TC_BODY(sha256_vector_5, tc)
116	{
117	const char want[] = "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/";
118	char *pw;
119
120	pw = crypt("we have a short salt string but not a short password", "$5$rounds=77777$short");
121	ATF_CHECK_STREQ(pw, want);
122	}
123
124	ATF_TC(sha256_vector_6);
125	ATF_TC_HEAD(sha256_vector_6, tc)
126	{
127	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
128	}
129
130	ATF_TC_BODY(sha256_vector_6, tc)
131	{
132	const char want[] = "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
133	"cZKmF/wJvD";
134	char *pw;
135
136	pw = crypt("a short string", "$5$rounds=123456$asaltof16chars..");
137	ATF_CHECK_STREQ(pw, want);
138	}
139
140	ATF_TC(sha256_vector_7);
141	ATF_TC_HEAD(sha256_vector_7, tc)
142	{
143	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha256.c");
144	}
145
146	ATF_TC_BODY(sha256_vector_7, tc)
147	{
148	const char want[] = "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
149	"2bIC";
150	char *pw;
151
152	pw = crypt("the minimum number is still observed", "$5$rounds=10$roundstoolow");
153	ATF_CHECK_STREQ(pw, want);
154	}
155
156	ATF_TC(sha512_vector_1);
157	ATF_TC_HEAD(sha512_vector_1, tc)
158	{
159	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
160	}
161
162	ATF_TC_BODY(sha512_vector_1, tc)
163	{
164	const char want[] = "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
165	"esI68u4OTLiBFdcbYEdFCoEOfaS35inz1";
166	char *pw;
167
168	pw = crypt("Hello world!", "$6$saltstring");
169	ATF_CHECK_STREQ(pw, want);
170	}
171
172	ATF_TC(sha512_vector_2);
173	ATF_TC_HEAD(sha512_vector_2, tc)
174	{
175	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
176	}
177
178	ATF_TC_BODY(sha512_vector_2, tc)
179	{
180	const char want[] = "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
181	"HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v.";
182	char *pw;
183
184	pw = crypt("Hello world!", "$6$rounds=10000$saltstringsaltstring");
185	ATF_CHECK_STREQ(pw, want);
186	}
187
188	ATF_TC(sha512_vector_3);
189	ATF_TC_HEAD(sha512_vector_3, tc)
190	{
191	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
192	}
193
194	ATF_TC_BODY(sha512_vector_3, tc)
195	{
196	const char want[] = "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
197	"zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0";
198	char *pw;
199
200	pw = crypt("This is just a test", "$6$rounds=5000$toolongsaltstring");
201	ATF_CHECK_STREQ(pw, want);
202	}
203
204	ATF_TC(sha512_vector_4);
205	ATF_TC_HEAD(sha512_vector_4, tc)
206	{
207	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
208	}
209
210	ATF_TC_BODY(sha512_vector_4, tc)
211	{
212	const char want[] = "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
213	"vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1";
214	char *pw;
215
216	pw = crypt("a very much longer text to encrypt. This one even stretches over more"
217	"than one line.", "$6$rounds=1400$anotherlongsaltstring");
218	ATF_CHECK_STREQ(pw, want);
219	}
220
221	ATF_TC(sha512_vector_5);
222	ATF_TC_HEAD(sha512_vector_5, tc)
223	{
224	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
225	}
226
227	ATF_TC_BODY(sha512_vector_5, tc)
228	{
229	const char want[] = "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
230	"ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0";
231	char *pw;
232
233	pw = crypt("we have a short salt string but not a short password", "$6$rounds=77777$short");
234	ATF_CHECK_STREQ(pw, want);
235	}
236
237	ATF_TC(sha512_vector_6);
238	ATF_TC_HEAD(sha512_vector_6, tc)
239	{
240	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
241	}
242
243	ATF_TC_BODY(sha512_vector_6, tc)
244	{
245	const char want[] = "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
246	"elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1";
247	char *pw;
248
249	pw = crypt("a short string", "$6$rounds=123456$asaltof16chars..");
250	ATF_CHECK_STREQ(pw, want);
251	}
252
253	ATF_TC(sha512_vector_7);
254	ATF_TC_HEAD(sha512_vector_7, tc)
255	{
256	atf_tc_set_md_var(tc, "descr", "Test vector from crypt-sha512.c");
257	}
258
259	ATF_TC_BODY(sha512_vector_7, tc)
260	{
261	const char want[] = "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
262	"hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.";
263	char *pw;
264
265	pw = crypt("the minimum number is still observed", "$6$rounds=10$roundstoolow");
266	ATF_CHECK_STREQ(pw, want);
267	}
268
269	#ifdef HAS_BLOWFISH
270	ATF_TC(blf_vector_1);
271	ATF_TC_HEAD(blf_vector_1, tc)
272	{
273	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 1");
274	}
275
276	ATF_TC_BODY(blf_vector_1, tc)
277	{
278	const char want[] = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW";
279	char *pw;
280
281	pw = crypt("U*U", want);
282
283	ATF_CHECK_STREQ(pw, want);
284	}
285
286	ATF_TC(blf_vector_2);
287	ATF_TC_HEAD(blf_vector_2, tc)
288	{
289	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 2");
290	}
291
292	ATF_TC_BODY(blf_vector_2, tc)
293	{
294	const char want[] = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK";
295	char *pw;
296
297	pw = crypt("UU", want);
298
299	ATF_CHECK_STREQ(pw, want);
300	}
301
302	ATF_TC(blf_vector_3);
303	ATF_TC_HEAD(blf_vector_3, tc)
304	{
305	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 3 - long password");
306	}
307
308	ATF_TC_BODY(blf_vector_3, tc)
309	{
310	const char want[] = "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui";
311	char *pw;
312
313	pw = crypt("0123456789abcdefghijklmnopqrstuvwxyz"
314	"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
315	"chars after 72 are ignored", want);
316
317	ATF_CHECK_STREQ(pw, want);
318	}
319
320	ATF_TC(blf_vector_4);
321	ATF_TC_HEAD(blf_vector_4, tc)
322	{
323	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 4");
324	}
325
326	ATF_TC_BODY(blf_vector_4, tc)
327	{
328	const char want[] = "$2b$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e";
329	char *pw;
330
331	pw = crypt("\xff\xff\xa3", want);
332
333	ATF_CHECK_STREQ(pw, want);
334	}
335
336	ATF_TC(blf_vector_5);
337	ATF_TC_HEAD(blf_vector_5, tc)
338	{
339	atf_tc_set_md_var(tc, "descr", "Solar Designer wrapper.c test vector 5 - ensure our $2a$05$ matches the $2y$05$");
340	}
341
342	ATF_TC_BODY(blf_vector_5, tc)
343	{
344	const char want[] = "$2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e";
345	char *pw;
346
347	pw = crypt("\xff\xa3" "345", want);
348
349	ATF_CHECK_STREQ(pw, want);
350	}
351
352	#endif
353
44	/*	354	/*
45	* This function must not do anything except enumerate	355	* This function must not do anything except enumerate
46	* the test cases, per atf-c-api(3).	356	* the test cases, per atf-c-api(3).
47	*/	357	*/
48	ATF_TP_ADD_TCS(tp)	358	ATF_TP_ADD_TCS(tp)
49	{	359	{
50
51	ATF_TP_ADD_TC(tp, md5);	360	ATF_TP_ADD_TC(tp, md5);
52	ATF_TP_ADD_TC(tp, invalid);	361	ATF_TP_ADD_TC(tp, md5invalid);
		362
		363	ATF_TP_ADD_TC(tp, sha256_vector_1);
		364	ATF_TP_ADD_TC(tp, sha256_vector_2);
		365	ATF_TP_ADD_TC(tp, sha256_vector_3);
		366	ATF_TP_ADD_TC(tp, sha256_vector_4);
		367	/*
		368	ATF_TP_ADD_TC(tp, sha256_vector_5);
		369	ATF_TP_ADD_TC(tp, sha256_vector_6);
		370	*/
		371	ATF_TP_ADD_TC(tp, sha256_vector_7);
		372
		373	ATF_TP_ADD_TC(tp, sha512_vector_1);
		374	ATF_TP_ADD_TC(tp, sha512_vector_2);
		375	ATF_TP_ADD_TC(tp, sha512_vector_3);
		376	ATF_TP_ADD_TC(tp, sha512_vector_4);
		377	/*
		378	ATF_TP_ADD_TC(tp, sha512_vector_5);
		379	ATF_TP_ADD_TC(tp, sha512_vector_6);
		380	*/
		381	ATF_TP_ADD_TC(tp, sha512_vector_7);
		382
		383	#ifdef HAS_BLOWFISH
		384	ATF_TP_ADD_TC(tp, blf_vector_1);
		385	ATF_TP_ADD_TC(tp, blf_vector_2);
		386	ATF_TP_ADD_TC(tp, blf_vector_3);
		387	ATF_TP_ADD_TC(tp, blf_vector_4);
		388	ATF_TP_ADD_TC(tp, blf_vector_5);
		389	#endif
		390
53	return atf_no_error();	391	return atf_no_error();
54	}	392	}

Lines 67-83 __FBSDID("$FreeBSD: head/lib/libpam/modules/pam_unix/pam_unix.c 249177 2013-04-0 Link Here

(-)b/lib/libpam/modules/pam_unix/pam_unix.c (-40 / +17 lines)
67	#include <security/pam_modules.h>	67	#include <security/pam_modules.h>
68	#include <security/pam_mod_misc.h>	68	#include <security/pam_mod_misc.h>
69		69
70	#define PASSWORD_HASH "md5"
71	#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */	70	#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
72	#define SALTSIZE 32
73		71
74	#define LOCKED_PREFIX "LOCKED"	72	#define LOCKED_PREFIX "LOCKED"
75	#define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1)	73	#define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1)
76		74
77	static void makesalt(char []);
78
79	static char password_hash[] = PASSWORD_HASH;
80
81	#define PAM_OPT_LOCAL_PASS "local_pass"	75	#define PAM_OPT_LOCAL_PASS "local_pass"
82	#define PAM_OPT_NIS_PASS "nis_pass"	76	#define PAM_OPT_NIS_PASS "nis_pass"
83		77
Lines 269-281 pam_sm_chauthtok(pam_handle_t *pamh, int flags, Link Here
269	struct ypclnt *ypclnt;	263	struct ypclnt *ypclnt;
270	const void yp_domain, yp_server;	264	const void yp_domain, yp_server;
271	#endif	265	#endif
272	char salt[SALTSIZE + 1];	266	char salt[CRYPT_SALT_MAX_LEN + 1];
		267	size_t salt_sz;
273	login_cap_t *lc;	268	login_cap_t *lc;
274	struct passwd pwd, old_pwd;	269	struct passwd pwd, old_pwd;
275	const char user, old_pass, *new_pass;	270	const char user, old_pass, *new_pass;
276	char *encrypted;	271	char *encrypted;
277	time_t passwordtime;	272	time_t passwordtime;
278	int pfd, tfd, retval;	273	int pfd, tfd, retval;
		274	const char *passwd_format;
279		275
280	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))	276	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
281	pwd = getpwnam(getlogin());	277	pwd = getpwnam(getlogin());
Lines 378-387 pam_sm_chauthtok(pam_handle_t *pamh, int flags, Link Here
378	return (PAM_BUF_ERR);	374	return (PAM_BUF_ERR);
379		375
380	lc = login_getclass(pwd->pw_class);	376	lc = login_getclass(pwd->pw_class);
381	if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
382	openpam_log(PAM_LOG_ERROR,
383	"can't set password cipher, relying on default");
384		377
		378	salt_sz = sizeof(salt);
		379	passwd_format = login_getcapstr(lc, "passwd_format", "", NULL);
		380	if (!crypt_makesalt(salt, passwd_format, &salt_sz) ) {
		381	login_close(lc);
		382
		383	if (salt_sz == sizeof(salt) ) {
		384	PAM_LOG("Unable to create salt for crypt(3) format: %s", passwd_format);
		385	} else {
		386	PAM_LOG("Not enough space in buffer to create salt for format: %s. CRYPT_SALT_MAX_LEN is wrong. Buffer size: %zu, required: %zu", passwd_format, sizeof(salt), salt_sz);
		387	}
		388
		389	return (PAM_SERVICE_ERR);
		390	}
		391
385	/* set password expiry date */	392	/* set password expiry date */
386	pwd->pw_change = 0;	393	pwd->pw_change = 0;
387	passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);	394	passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);
Lines 389-395 pam_sm_chauthtok(pam_handle_t *pamh, int flags, Link Here
389	pwd->pw_change = time(NULL) + passwordtime;	396	pwd->pw_change = time(NULL) + passwordtime;
390		397
391	login_close(lc);	398	login_close(lc);
392	makesalt(salt);
393	pwd->pw_passwd = crypt(new_pass, salt);	399	pwd->pw_passwd = crypt(new_pass, salt);
394	#ifdef YP	400	#ifdef YP
395	switch (old_pwd->pw_fields & _PWF_SOURCE) {	401	switch (old_pwd->pw_fields & _PWF_SOURCE) {
Lines 445-477 pam_sm_chauthtok(pam_handle_t *pamh, int flags, Link Here
445	return (retval);	451	return (retval);
446	}	452	}
447		453
448	/* Mostly stolen from passwd(1)'s local_passwd.c - markm */
449
450	static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
451	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
452
453	static void
454	to64(char *s, long v, int n)
455	{
456	while (--n >= 0) {
457	*s++ = itoa64[v&0x3f];
458	v >>= 6;
459	}
460	}
461
462	/* Salt suitable for traditional DES and MD5 */
463	static void
464	makesalt(char salt[SALTSIZE + 1])
465	{
466	int i;
467
468	/* These are not really random numbers, they are just
469	* numbers that change to thwart construction of a
470	* dictionary.
471	*/
472	for (i = 0; i < SALTSIZE; i += 4)
473	to64(&salt[i], arc4random(), 4);
474	salt[SALTSIZE] = '\0';
475	}
476
477	PAM_MODULE_ENTRY("pam_unix");	454	PAM_MODULE_ENTRY("pam_unix");

Lines 12-20 SRCS= _secure_path.c auth.c expand_number.c flopen.c fparseln.c gr_util.c \ Link Here

(-)b/lib/libutil/Makefile (-3 / +3 lines)
12	hexdump.c humanize_number.c kinfo_getfile.c kinfo_getfile.c \	12	hexdump.c humanize_number.c kinfo_getfile.c kinfo_getfile.c \
13	kinfo_getallproc.c kinfo_getproc.c kinfo_getvmmap.c kld.c \	13	kinfo_getallproc.c kinfo_getproc.c kinfo_getvmmap.c kld.c \
14	login_auth.c login_cap.c \	14	login_auth.c login_cap.c \
15	login_class.c login_crypt.c login_ok.c login_times.c login_tty.c \	15	login_class.c login_ok.c login_times.c login_tty.c \
16	pidfile.c property.c pty.c pw_util.c quotafile.c realhostname.c \	16	pidfile.c property.c pty.c pw_util.c quotafile.c realhostname.c \
17	stub.c trimdomain.c uucplock.c	17	trimdomain.c uucplock.c
18	INCS= libutil.h login_cap.h	18	INCS= libutil.h login_cap.h
19		19
20	CFLAGS+= -DLIBC_SCCS	20	CFLAGS+= -DLIBC_SCCS
Lines 40-46 MLINKS+=login_cap.3 login_close.3 login_cap.3 login_getcapbool.3 \ Link Here
40	login_cap.3 login_getcaptime.3 login_cap.3 login_getclass.3 \	40	login_cap.3 login_getcaptime.3 login_cap.3 login_getclass.3 \
41	login_cap.3 login_getclassbyname.3 login_cap.3 login_getpath.3 \	41	login_cap.3 login_getclassbyname.3 login_cap.3 login_getpath.3 \
42	login_cap.3 login_getpwclass.3 login_cap.3 login_getstyle.3 \	42	login_cap.3 login_getpwclass.3 login_cap.3 login_getstyle.3 \
43	login_cap.3 login_getuserclass.3 login_cap.3 login_setcryptfmt.3	43	login_cap.3 login_getuserclass.3
44	MLINKS+=login_class.3 setclasscontext.3 login_class.3 setclassenvironment.3 \	44	MLINKS+=login_class.3 setclasscontext.3 login_class.3 setclassenvironment.3 \
45	login_class.3 setclassresources.3 login_class.3 setusercontext.3	45	login_class.3 setclassresources.3 login_class.3 setusercontext.3
46	MLINKS+=login_ok.3 auth_hostok.3 login_ok.3 auth_timeok.3 \	46	MLINKS+=login_ok.3 auth_hostok.3 login_ok.3 auth_timeok.3 \

Removed Link Here

(-)a/lib/libutil/login_crypt.c (-50 lines)
1	/*-
2	* Copyright (c) 2000 Brian Fundakowski Feldman
3	* All rights reserved.
4	*
5	* Redistribution and use in source and binary forms, with or without
6	* modification, are permitted provided that the following conditions
7	* are met:
8	* 1. Redistributions of source code must retain the above copyright
9	* notice, this list of conditions and the following disclaimer.
10	* 2. Redistributions in binary form must reproduce the above copyright
11	* notice, this list of conditions and the following disclaimer in the
12	* documentation and/or other materials provided with the distribution.
13	*
14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24	* SUCH DAMAGE.
25	*/
26
27	#include <sys/cdefs.h>
28	__FBSDID("$FreeBSD: head/lib/libutil/login_crypt.c 94202 2002-04-08 11:04:56Z ru $");
29
30	#include <sys/types.h>
31
32	#include <login_cap.h>
33	#include <stdio.h>
34	#include <stdlib.h>
35	#include <unistd.h>
36
37	const char *
38	login_setcryptfmt(login_cap_t lc, const char def, const char *error) {
39	const char *cipher;
40
41	cipher = login_getcapstr(lc, "passwd_format", def, NULL);
42	if (getenv("CRYPT_DEBUG") != NULL)
43	fprintf(stderr, "login_setcryptfmt: "
44	"passwd_format = %s\n", cipher);
45	if (cipher == NULL)
46	return (error);
47	if (!crypt_set_format(cipher))
48	return (error);
49	return (cipher);
50	}

Removed Link Here

(-)a/lib/libutil/stub.c (-46 lines)
1	/*-
2	* Copyright (c) 2000 Brian Fundakowski Feldman
3	* All rights reserved.
4	*
5	* Redistribution and use in source and binary forms, with or without
6	* modification, are permitted provided that the following conditions
7	* are met:
8	* 1. Redistributions of source code must retain the above copyright
9	* notice, this list of conditions and the following disclaimer.
10	* 2. Redistributions in binary form must reproduce the above copyright
11	* notice, this list of conditions and the following disclaimer in the
12	* documentation and/or other materials provided with the distribution.
13	*
14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24	* SUCH DAMAGE.
25	*/
26
27	#include <sys/cdefs.h>
28	__FBSDID("$FreeBSD: head/lib/libutil/stub.c 121193 2003-10-18 10:04:16Z markm $");
29
30	#include <stdio.h>
31	#include <stdlib.h>
32	#include <unistd.h>
33
34	/*
35	* Stub out what's in -lcrypt.
36	*/
37
38	#pragma weak crypt_set_format
39	/* ARGSUSED */
40	int
41	crypt_set_format(const char *f __unused) {
42
43	if (getenv("CRYPT_DEBUG") != NULL)
44	fprintf(stderr, "crypt_set_format: eek, stub called!\n");
45	return (0);
46	}