Backport upstream commit preferring bcrypt_b ($2b$) for blowfish

2018-11-23 10:11:51 +01:00 · 2018-11-23 10:11:51 +01:00 · 6eff6819b8
commit 6eff6819b8
parent da68a05bc8
2 changed files with 38 additions and 0 deletions
--- a/pam-1.3.1-unix-bcrypt_b.patch
+++ b/pam-1.3.1-unix-bcrypt_b.patch
@ -0,0 +1,34 @@
+From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Thu, 15 Nov 2018 15:01:57 +0100
+Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
+
+Bcrypt hashes used the "$2a$" prefix since 1997.
+However, in 2011 an implementation bug was discovered in bcrypt
+affecting the handling of characters in passphrases with the 8th
+bit set.
+
+Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
+for a behavior that exactly matches crypt_blowfish's "$2y$", and
+the crypt_blowfish implementation supports it as well since v1.1.
+
+That said new computed bcrypt hashes should use the "$2b$" prefix.
+
+* modules/pam_unix/passverify.c: Use bcrypt b-variant.
+---
+ modules/pam_unix/passverify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 9c1771e2..1f433b3a 100644
+--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
+@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
+ 		/* algoid = "$1" */
+ 		return crypt_md5_wrapper(password);
+ 	} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+-		algoid = "$2a$";
+		algoid = "$2b$";
+ 	} else if (on(UNIX_SHA256_PASS, ctrl)) {
+ 		algoid = "$5$";
+ 	} else if (on(UNIX_SHA512_PASS, ctrl)) {
--- a/pam.spec
+++ b/pam.spec
@ -46,6 +46,8 @@ Patch34: pam-1.3.1-coverity.patch
 Patch35: pam-1.3.1-console-build.patch
 # https://github.com/linux-pam/linux-pam/commit/a2b72aeb86f297d349bc9e6a8f059fedf97a499a
 Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
+# https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016.patch
+Patch37: pam-1.3.1-unix-bcrypt_b.patch

 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@ -130,6 +132,7 @@ cp %{SOURCE18} .
 %patch34 -p1 -b .coverity
 %patch35 -p1 -b .console-build
 %patch36 -p1 -b .remove-prototype
+%patch37 -p1 -b .bcrypt_b

 autoreconf -i

@ -374,6 +377,7 @@ done
 %changelog
 * Fri Nov 23 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-9
 - Backport upstream commit removing an obsolete prototype
+- Backport upstream commit preferring bcrypt_b ($2b$) for blowfish

 * Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8
 - Use %%ldconfig_scriptlets