Merge into a single US-exportable libcrypt, which only provides
one-way hash functions for authentication purposes. There is no more "set the libcrypt->libXXXcrypt" nightmare. - Undo the libmd.so hack, use -D to hide the md5c.c internals. - Remove the symlink hacks in release/Makefile - the algorithm is set by set_crypt_format() as before. If this is not called, it tries to heuristically figure out the hash format, and if all else fails, it uses the optional auth.conf entry to choose the overall default hash. - Since source has non-hidden crypto in it there may be some issues with having the source in some countries, so preserve the "secure/*" division. You can still build a des-free libcrypt library if you want to badly enough. This should not be a problem in the US or exporting from the US as freebsd.org had notified BXA some time ago. That makes this stuff re-exportable by anyone. - For consistency, the default in absence of any other clues is md5. This is to try and minimize POLA across buildworld where folk may suddenly be activating des-crypt()-hash support. Since the des hash may not always be present, it seemed sensible to make the stronger md5 algorithm the default. All things being equal, no functionality is lost. Reviewed-by: jkh (flame-proof suit on)
parent
f497697850
commit
117ae0dab3
@ -4,7 +4,7 @@
|
||||
# This file contains information on what types of authentication to use.
|
||||
# It is just the beginnings of a greater scheme.
|
||||
|
||||
# auth_default = des
|
||||
# crypt_default = md5 des
|
||||
# auth_list = passwd kerberos
|
||||
|
||||
auth_list = passwd
|
||||
|
@ -19,7 +19,7 @@
|
||||
#
|
||||
# Otherwise, the SUBDIR list should be in alphabetical order.
|
||||
|
||||
SUBDIR= ${_csu} libcom_err ${_libcrypt} msun libmd \
|
||||
SUBDIR= ${_csu} libcom_err libcrypt msun libmd \
|
||||
libncurses libradius libskey libtacplus libutil \
|
||||
${_compat} libalias libatm ${_libbind} libc ${_libc_r} libcalendar \
|
||||
libcam libcompat libdevstat libdisk libedit libfetch libform \
|
||||
@ -43,13 +43,6 @@ _libc_r= libc_r
|
||||
_libbind= libbind
|
||||
.endif
|
||||
|
||||
_libcrypt= libcrypt
|
||||
.if exists(${.CURDIR}/../secure) && !defined(NOSECURE) && !defined(NOCRYPT) && !defined(NO_DESCRYPT)
|
||||
# Build both libraries. They have different names, so no harm,
|
||||
# and this avoids having stale libscrypt.*
|
||||
_libcrypt+= ../secure/lib/libcrypt
|
||||
.endif
|
||||
|
||||
.if ${MACHINE_ARCH} == "i386"
|
||||
_compat= compat
|
||||
_libncp= libncp
|
||||
|
@ -3,66 +3,28 @@
|
||||
#
|
||||
|
||||
SHLIB_MAJOR= 2
|
||||
LIB= scrypt
|
||||
|
||||
LCRYPTBASE= libcrypt
|
||||
LSCRYPTBASE= lib${LIB}
|
||||
|
||||
LCRYPTSO= ${LCRYPTBASE}.so.${SHLIB_MAJOR}
|
||||
LSCRYPTSO= ${LSCRYPTBASE}.so.${SHLIB_MAJOR}
|
||||
|
||||
.if ${OBJFORMAT} == elf
|
||||
SONAME= ${LCRYPTSO}
|
||||
.endif
|
||||
LIB= crypt
|
||||
|
||||
.PATH: ${.CURDIR}/../libmd
|
||||
SRCS= crypt.c crypt-md5.c misc.c
|
||||
STATICSRCS= md5c.c
|
||||
STATICOBJS= ${STATICSRCS:S/.c/.o/g}
|
||||
SRCS= crypt.c crypt-md5.c md5c.c misc.c
|
||||
MAN3= crypt.3
|
||||
MLINKS= crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
|
||||
CFLAGS+= -I${.CURDIR}/../libmd
|
||||
CFLAGS+= -DLIBC_SCCS -Wall
|
||||
# Pull in the crypt-des.c source, assuming it is present.
|
||||
.if exists(${.CURDIR}/../../secure/lib/libcrypt/crypt-des.c) && \
|
||||
!defined(NOSECURE) && !defined(NOCRYPT)
|
||||
.PATH: ${.CURDIR}/../../secure/lib/libcrypt
|
||||
SRCS+= crypt-des.c
|
||||
CFLAGS+= -I${.CURDIR} -DHAS_DES
|
||||
.endif
|
||||
# And the auth_getval() code and support.
|
||||
.PATH: ${.CURDIR}/../libutil
|
||||
SRCS+= auth.c property.c
|
||||
.for sym in MD5Init MD5Final MD5Update MD5Pad auth_getval \
|
||||
property_find properties_read properties_free
|
||||
CFLAGS+= -D${sym}=__${sym}
|
||||
.endfor
|
||||
PRECIOUSLIB= yes
|
||||
|
||||
# Include this early to pick up the definitions of SHLIB_MAJOR and
|
||||
# SHLIB_MINOR which are used in the existence tests.
|
||||
.include "${.CURDIR}/../Makefile.inc"
|
||||
|
||||
# We only install the links if they do not already exist.
|
||||
# This may have to be revised
|
||||
.if !exists(${DESTDIR}${LIBDIR}/${LCRYPTBASE}.a)
|
||||
SYMLINKS+= ${LSCRYPTBASE}.a ${LIBDIR}/${LCRYPTBASE}.a
|
||||
.endif
|
||||
.if !defined(NOPROFILE) && !exists(${DESTDIR}${LIBDIR}/${LCRYPTBASE}_p.a)
|
||||
SYMLINKS+= ${LSCRYPTBASE}_p.a ${LIBDIR}/${LCRYPTBASE}_p.a
|
||||
.endif
|
||||
.if !defined(NOPIC) && !exists(${DESTDIR}${SHLIBDIR}/${LCRYPTSO})
|
||||
SYMLINKS+= ${LSCRYPTSO} ${SHLIBDIR}/${LCRYPTSO}
|
||||
.endif
|
||||
.if !defined(NOPIC) && ${OBJFORMAT} == elf && \
|
||||
!exists(${DESTDIR}${SHLIBDIR}/${LCRYPTBASE}.so)
|
||||
SYMLINKS+= ${LSCRYPTBASE}.so ${SHLIBDIR}/${LCRYPTBASE}.so
|
||||
.endif
|
||||
|
||||
.include <bsd.lib.mk>
|
||||
|
||||
afterinstall:
|
||||
.if !defined(NOPIC)
|
||||
@cd ${DESTDIR}${SHLIBDIR}; \
|
||||
rm -f ${LCRYPTSO}; \
|
||||
ln -sf ${LSCRYPTSO} ${LCRYPTSO};
|
||||
.endif
|
||||
.if !defined(NOPIC) && ${OBJFORMAT} == elf
|
||||
@cd ${DESTDIR}${SHLIBDIR}; \
|
||||
rm -f ${LCRYPTBASE}.so; \
|
||||
ln -sf ${LSCRYPTBASE}.so libcrypt.so
|
||||
.endif
|
||||
@cd ${DESTDIR}${LIBDIR}; \
|
||||
rm -f ${LCRYPTBASE}.a; \
|
||||
ln -sf ${LSCRYPTBASE}.a libcrypt.a
|
||||
.if !defined(NOPROFILE)
|
||||
@cd ${DESTDIR}${LIBDIR}; \
|
||||
rm -f ${LCRYPTBASE}_p.a; \
|
||||
ln -sf ${LSCRYPTBASE}_p.a libcrypt_p.a
|
||||
.endif
|
||||
|
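Review bot: The `exists(${.CURDIR}/../../secure/lib/libcrypt/crypt-des.c)` test around `SRCS+= crypt-des.c` silently decides whether the installed libcrypt supports DES hashes, while the library name and SHLIB_MAJOR are the same in both cases. On a host whose password database already holds DES hashes, a build without the secure/ tree would presumably stop verifying them (the fallback path of crypt() is outside the visible hunks), so the consequence should be stated next to the conditional, e.g. `# Without crypt-des.c the library cannot verify existing DES password hashes.` The `.for sym` loop renames the MD5 and auth symbols with `-D${sym}=__${sym}`, which avoids clashes with libmd and libutil but leaves the renamed functions exported. That also deserves a one-line comment, such as `# Renamed to avoid symbol clashes only; the __ names are still global.`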
@ -22,18 +22,6 @@ static const char rcsid[] = \
|
||||
#include <err.h>
|
||||
#include "crypt.h"
|
||||
|
||||
#ifdef __PIC__
|
||||
#include <dlfcn.h>
|
||||
|
||||
#define MD5Init(ctx) dl_MD5Init(ctx)
|
||||
#define MD5Update(ctx, data, len) dl_MD5Update(ctx, data, len)
|
||||
#define MD5Final(dgst, ctx) dl_MD5Final(dgst, ctx)
|
||||
|
||||
static void (*dl_MD5Init)(MD5_CTX *);
|
||||
static void (*dl_MD5Update)(MD5_CTX *, const unsigned char *, unsigned int);
|
||||
static void (*dl_MD5Final)(unsigned char digest[16], MD5_CTX *);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* UNIX password
|
||||
*/
|
||||
@ -55,9 +43,6 @@ crypt_md5(pw, salt)
|
||||
int sl,pl,i;
|
||||
MD5_CTX ctx,ctx1;
|
||||
unsigned long l;
|
||||
#ifdef __PIC__
|
||||
void *libmd;
|
||||
#endif
|
||||
|
||||
/* Refine the Salt first */
|
||||
sp = salt;
|
||||
@ -73,31 +58,6 @@ crypt_md5(pw, salt)
|
||||
/* get the length of the true salt */
|
||||
sl = ep - sp;
|
||||
|
||||
#ifdef __PIC__
|
||||
libmd = dlopen("libmd.so", RTLD_NOW);
|
||||
if (libmd == NULL) {
|
||||
warnx("libcrypt-md5: dlopen(libmd.so): %s\n", dlerror());
|
||||
return NULL;
|
||||
}
|
||||
dl_MD5Init = dlsym(libmd, "MD5Init");
|
||||
if (dl_MD5Init == NULL) {
|
||||
warnx("libcrypt-md5: looking for MD5Init: %s\n", dlerror());
|
||||
dlclose(libmd);
|
||||
return NULL;
|
||||
}
|
||||
dl_MD5Update = dlsym(libmd, "MD5Update");
|
||||
if (dl_MD5Update == NULL) {
|
||||
warnx("libcrypt-md5: looking for MD5Update: %s\n", dlerror());
|
||||
dlclose(libmd);
|
||||
return NULL;
|
||||
}
|
||||
dl_MD5Final = dlsym(libmd, "MD5Final");
|
||||
if (dl_MD5Final == NULL) {
|
||||
warnx("libcrypt-md5: looking for MD5Final: %s\n", dlerror());
|
||||
dlclose(libmd);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
MD5Init(&ctx);
|
||||
|
||||
/* The password first, since that is what is most unknown */
|
||||
@ -160,9 +120,6 @@ crypt_md5(pw, salt)
|
||||
MD5Final(final,&ctx1);
|
||||
}
|
||||
|
||||
#ifdef __PIC__
|
||||
dlclose(libmd);
|
||||
#endif
|
||||
p = passwd + strlen(passwd);
|
||||
|
||||
l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
|
||||
|
@ -184,14 +184,11 @@ Other crypt formats may be easilly added. An example salt would be:
|
||||
.Pp
|
||||
The algorithm used will depend upon whether
|
||||
.Fn crypt_set_format
|
||||
has been called and whether
|
||||
.Tn DES
|
||||
is installed or not. If
|
||||
.Tn DES
|
||||
is installed and
|
||||
has been called and whether a global default format has been specified.
|
||||
Unless a global default has been specified or
|
||||
.Fn crypt_set_format
|
||||
has not set the format to something else, it will be used.
|
||||
Otherwise, the best algorithm is used, which is currently
|
||||
has set the format to something else, the best algorithm is used
|
||||
which is currently
|
||||
.\"
|
||||
.\" NOTICE: Also make sure to update this
|
||||
.\"
|
||||
@ -216,6 +213,12 @@ The
|
||||
.Fn crypt_set_format
|
||||
function sets the default encoding format according to the supplied
|
||||
.Fa string .
|
||||
.Pp
|
||||
The global default format can be set using the
|
||||
.Pa /etc/auth.conf
|
||||
file using the
|
||||
.Ql crypt_format
|
||||
property.
|
||||
.Sh RETURN VALUES
|
||||
.Pp
|
||||
.Fn crypt
|
||||
@ -230,8 +233,10 @@ Otherwise, a value of 0 is returned.
|
||||
.Sh SEE ALSO
|
||||
.Xr login 1 ,
|
||||
.Xr passwd 1 ,
|
||||
.Xr auth_getval 3 ,
|
||||
.Xr cipher 3 ,
|
||||
.Xr getpass 3 ,
|
||||
.Xr auth.conf 5 ,
|
||||
.Xr passwd 5 ,
|
||||
.Sh BUGS
|
||||
The
|
||||
|
@ -28,10 +28,13 @@
|
||||
*/
|
||||
|
||||
#if defined(LIBC_SCCS) && !defined(lint)
|
||||
static char rcsid[] = "$FreeBSD$";
|
||||
static const char rcsid[] =
|
||||
"$FreeBSD$";
|
||||
#endif /* LIBC_SCCS and not lint */
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
#include <libutil.h>
|
||||
#include "crypt.h"
|
||||
|
||||
static const struct {
|
||||
@ -39,36 +42,62 @@ static const struct {
|
||||
char *(*const func)(const char *, const char *);
|
||||
const char *const magic;
|
||||
} crypt_types[] = {
|
||||
#ifdef NONEXPORTABLE_CRYPT
|
||||
{
|
||||
"md5",
|
||||
crypt_md5,
|
||||
"$1$"
|
||||
},
|
||||
#ifdef HAS_DES
|
||||
{
|
||||
"des",
|
||||
crypt_des,
|
||||
NULL
|
||||
},
|
||||
#endif
|
||||
{
|
||||
"md5",
|
||||
crypt_md5,
|
||||
"$1$"
|
||||
},
|
||||
{
|
||||
NULL,
|
||||
NULL
|
||||
}
|
||||
};
|
||||
|
||||
static int crypt_type = 0;
|
||||
static int crypt_type = -1;
|
||||
|
||||
static void
|
||||
crypt_setdefault(void)
|
||||
{
|
||||
char *def;
|
||||
int i;
|
||||
|
||||
if (crypt_type != -1)
|
||||
return;
|
||||
def = auth_getval("crypt_default");
|
||||
if (def == NULL) {
|
||||
crypt_type = 0;
|
||||
return;
|
||||
}
|
||||
for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) {
|
||||
if (strcmp(def, crypt_types[i].name) == 0) {
|
||||
crypt_type = i;
|
||||
return;
|
||||
}
|
||||
}
|
||||
crypt_type = 0;
|
||||
}
|
||||
|
||||
const char *
|
||||
crypt_get_format(void) {
|
||||
crypt_get_format(void)
|
||||
{
|
||||
|
||||
crypt_setdefault();
|
||||
return (crypt_types[crypt_type].name);
|
||||
}
|
||||
|
||||
int
|
||||
crypt_set_format(char *type) {
|
||||
crypt_set_format(char *type)
|
||||
{
|
||||
int i;
|
||||
|
||||
crypt_setdefault();
|
||||
for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) {
|
||||
if (strcmp(type, crypt_types[i].name) == 0) {
|
||||
crypt_type = i;
|
||||
@ -83,6 +112,7 @@ crypt(char *passwd, char *salt)
|
||||
{
|
||||
int i;
|
||||
|
||||
crypt_setdefault();
|
||||
for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) {
|
||||
if (crypt_types[i].magic != NULL && strncmp(salt,
|
||||
crypt_types[i].magic, strlen(crypt_types[i].magic)) == 0)
|
||||
|
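Review bot: `crypt_setdefault()` reads the property with `auth_getval("crypt_default")`, but the crypt.3 text added in the same commit tells administrators to set `crypt_format` in /etc/auth.conf, so a default configured from the man page would be ignored. The value is compared whole with `strcmp(def, crypt_types[i].name)`, and both a missing and an unrecognised value end in `crypt_type = 0` without any diagnostic. Whether the sample `crypt_default = md5 des` in auth.conf can ever match depends on how auth_getval() tokenises, which is not visible here. I would settle on one property name in code and manual, and add a comment above the final assignment such as `/* unknown or not-compiled-in format: fall back to crypt_types[0] */`. The body of crypt() continues outside the last hunk.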
@ -436,15 +436,6 @@ release.5:
|
||||
fi \
|
||||
done \
|
||||
|
||||
# Create symlinks for the MD5-based crypt lib, too. The
|
||||
# automatically created links still point to the DES stuff,
|
||||
# which went into its own distribution.
|
||||
for i in ${RD}/trees/bin/usr/lib/libscrypt* ; do \
|
||||
c=`echo $$i | sed -e 's/libscrypt/libcrypt/'` ; \
|
||||
rm -f $$c ; \
|
||||
ln -s `basename $$i` $$c ; \
|
||||
done
|
||||
|
||||
# Remove all the directories we don't need.
|
||||
-cd ${RD}/trees && \
|
||||
find ${OTHER_DISTS} ${COMPAT_DISTS} ${CRYPTO_DISTS} -depth -type d -print | xargs rmdir
|
||||
|
@ -1,73 +0,0 @@
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
SHLIB_MAJOR= 2
|
||||
LIB= descrypt
|
||||
|
||||
LCRYPTBASE= libcrypt
|
||||
LSCRYPTBASE= lib${LIB}
|
||||
|
||||
LCRYPTSO= ${LCRYPTBASE}.so.${SHLIB_MAJOR}
|
||||
LSCRYPTSO= ${LSCRYPTBASE}.so.${SHLIB_MAJOR}
|
||||
|
||||
.if ${OBJFORMAT} == elf
|
||||
SONAME= ${LCRYPTSO}
|
||||
.endif
|
||||
|
||||
.PATH: ${.CURDIR}/../../../lib/libmd ${.CURDIR}/../../../lib/libcrypt
|
||||
SRCS= crypt.c crypt-md5.c misc.c
|
||||
STATICSRCS= md5c.c
|
||||
STATICOBJS= ${STATICSRCS:S/.c/.o/g}
|
||||
SRCS+= crypt-des.c
|
||||
MAN3= crypt.3
|
||||
MLINKS= crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
|
||||
CFLAGS+= -I${.CURDIR}/../../../lib/libmd
|
||||
CFLAGS+= -I${.CURDIR}/../../../lib/libcrypt
|
||||
CFLAGS+= -DNONEXPORTABLE_CRYPT
|
||||
CFLAGS+= -DLIBC_SCCS -Wall
|
||||
PRECIOUSLIB= yes
|
||||
|
||||
# Include this early to pick up the definitions of SHLIB_MAJOR and
|
||||
# SHLIB_MINOR which are used in the existence tests.
|
||||
.include "${.CURDIR}/../../../lib/Makefile.inc"
|
||||
|
||||
# We only install the links if they do not already exist.
|
||||
# This may have to be revised
|
||||
.if !exists(${DESTDIR}${LIBDIR}/${LCRYPTBASE}.a)
|
||||
SYMLINKS+= ${LSCRYPTBASE}.a ${LIBDIR}/${LCRYPTBASE}.a
|
||||
.endif
|
||||
.if !defined(NOPROFILE) && !exists(${DESTDIR}${LIBDIR}/${LCRYPTBASE}_p.a)
|
||||
SYMLINKS+= ${LSCRYPTBASE}_p.a ${LIBDIR}/${LCRYPTBASE}_p.a
|
||||
.endif
|
||||
.if !defined(NOPIC) && !exists(${DESTDIR}${SHLIBDIR}/${LCRYPTSO})
|
||||
SYMLINKS+= ${LSCRYPTSO} ${SHLIBDIR}/${LCRYPTSO}
|
||||
.endif
|
||||
.if !defined(NOPIC) && ${OBJFORMAT} == elf && \
|
||||
!exists(${DESTDIR}${SHLIBDIR}/${LCRYPTBASE}.so)
|
||||
SYMLINKS+= ${LSCRYPTBASE}.so ${SHLIBDIR}/${LCRYPTBASE}.so
|
||||
.endif
|
||||
|
||||
.include <bsd.lib.mk>
|
||||
|
||||
afterinstall:
|
||||
.if !defined(NODESCRYPTLINKS)
|
||||
.if !defined(NOPIC)
|
||||
@cd ${DESTDIR}${SHLIBDIR}; \
|
||||
rm -f ${LCRYPTSO}; \
|
||||
ln -sf ${LSCRYPTSO} ${LCRYPTSO};
|
||||
.endif
|
||||
.if !defined(NOPIC) && ${OBJFORMAT} == elf
|
||||
@cd ${DESTDIR}${SHLIBDIR}; \
|
||||
rm -f ${LCRYPTBASE}.so; \
|
||||
ln -sf ${LSCRYPTBASE}.so libcrypt.so
|
||||
.endif
|
||||
@cd ${DESTDIR}${LIBDIR}; \
|
||||
rm -f ${LCRYPTBASE}.a; \
|
||||
ln -sf ${LSCRYPTBASE}.a libcrypt.a
|
||||
.if !defined(NOPROFILE)
|
||||
@cd ${DESTDIR}${LIBDIR}; \
|
||||
rm -f ${LCRYPTBASE}_p.a; \
|
||||
ln -sf ${LSCRYPTBASE}_p.a libcrypt_p.a
|
||||
.endif
|
||||
.endif
|