Backport upstream commit preferring bcrypt_b ($2b$) for blowfish

This commit is contained in:
Björn Esser 2018-11-23 10:11:51 +01:00
parent da68a05bc8
commit 6eff6819b8
No known key found for this signature in database
GPG Key ID: F52E98007594C21D
2 changed files with 38 additions and 0 deletions

View File

@ -0,0 +1,34 @@
From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 15 Nov 2018 15:01:57 +0100
Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
Bcrypt hashes used the "$2a$" prefix since 1997.
However, in 2011 an implementation bug was discovered in bcrypt
affecting the handling of characters in passphrases with the 8th
bit set.
Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
for a behavior that exactly matches crypt_blowfish's "$2y$", and
the crypt_blowfish implementation supports it as well since v1.1.
That said new computed bcrypt hashes should use the "$2b$" prefix.
* modules/pam_unix/passverify.c: Use bcrypt b-variant.
---
modules/pam_unix/passverify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 9c1771e2..1f433b3a 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
/* algoid = "$1" */
return crypt_md5_wrapper(password);
} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
- algoid = "$2a$";
+ algoid = "$2b$";
} else if (on(UNIX_SHA256_PASS, ctrl)) {
algoid = "$5$";
} else if (on(UNIX_SHA512_PASS, ctrl)) {

View File

@ -46,6 +46,8 @@ Patch34: pam-1.3.1-coverity.patch
Patch35: pam-1.3.1-console-build.patch Patch35: pam-1.3.1-console-build.patch
# https://github.com/linux-pam/linux-pam/commit/a2b72aeb86f297d349bc9e6a8f059fedf97a499a # https://github.com/linux-pam/linux-pam/commit/a2b72aeb86f297d349bc9e6a8f059fedf97a499a
Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
# https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016.patch
Patch37: pam-1.3.1-unix-bcrypt_b.patch
%global _pamlibdir %{_libdir} %global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security %global _moduledir %{_libdir}/security
@ -130,6 +132,7 @@ cp %{SOURCE18} .
%patch34 -p1 -b .coverity %patch34 -p1 -b .coverity
%patch35 -p1 -b .console-build %patch35 -p1 -b .console-build
%patch36 -p1 -b .remove-prototype %patch36 -p1 -b .remove-prototype
%patch37 -p1 -b .bcrypt_b
autoreconf -i autoreconf -i
@ -374,6 +377,7 @@ done
%changelog %changelog
* Fri Nov 23 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-9 * Fri Nov 23 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-9
- Backport upstream commit removing an obsolete prototype - Backport upstream commit removing an obsolete prototype
- Backport upstream commit preferring bcrypt_b ($2b$) for blowfish
* Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8 * Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8
- Use %%ldconfig_scriptlets - Use %%ldconfig_scriptlets