From ad2be28d4d273a83e020084925dbefdf2914f89a Mon Sep 17 00:00:00 2001 From: des Date: Thu, 16 Oct 2014 21:39:04 +0000 Subject: [PATCH] MFH (r272830): change the hardcoded default back to DES MFH (r272833): remove last vestige of MD5 password hashes Approved by: re (gjb) git-svn-id: svn://svn.freebsd.org/base/releng/10.1@273187 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- lib/libcrypt/crypt.c | 17 ++++++++++------- usr.sbin/pw/pw_user.c | 4 ++-- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/lib/libcrypt/crypt.c b/lib/libcrypt/crypt.c index c3ca4c225..623809e5a 100644 --- a/lib/libcrypt/crypt.c +++ b/lib/libcrypt/crypt.c @@ -37,24 +37,26 @@ __FBSDID("$FreeBSD$"); #include "crypt.h" /* - * List of supported crypt(3) formats. The first element in the list will - * be the default. + * List of supported crypt(3) formats. + * + * The default algorithm is the last entry in the list (second-to-last + * array element since the last is a sentinel). The reason for placing + * the default last rather than first is that DES needs to be at the + * bottom for the algorithm guessing logic in crypt(3) to work correctly, + * and it needs to be the default for backward compatibility. */ static const struct crypt_format { const char *const name; char *(*const func)(const char *, const char *); const char *const magic; } crypt_formats[] = { - /* default format */ - { "sha512", crypt_sha512, "$6$" }, - - /* other supported formats */ { "md5", crypt_md5, "$1$" }, #ifdef HAS_BLOWFISH { "blf", crypt_blowfish, "$2" }, #endif { "nth", crypt_nthash, "$3$" }, { "sha256", crypt_sha256, "$5$" }, + { "sha512", crypt_sha512, "$6$" }, #ifdef HAS_DES { "des", crypt_des, "_" }, #endif @@ -63,7 +65,8 @@ static const struct crypt_format { { NULL, NULL, NULL } }; -static const struct crypt_format *crypt_format = &crypt_formats[0]; +static const struct crypt_format *crypt_format = + &crypt_formats[(sizeof crypt_formats / sizeof *crypt_formats) - 2]; #define DES_SALT_ALPHABET \ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" diff --git a/usr.sbin/pw/pw_user.c b/usr.sbin/pw/pw_user.c index 36c5d9df5..efb29016b 100644 --- a/usr.sbin/pw/pw_user.c +++ b/usr.sbin/pw/pw_user.c @@ -615,7 +615,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) pwd->pw_dir = pw_homepolicy(cnf, args, pwd->pw_name); pwd->pw_shell = pw_shellpolicy(cnf, args, NULL); lc = login_getpwclass(pwd); - if (lc == NULL || login_setcryptfmt(lc, "md5", NULL) == NULL) + if (lc == NULL || login_setcryptfmt(lc, "sha512", NULL) == NULL) warn("setting crypt(3) format"); login_close(lc); pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name); @@ -690,7 +690,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) } else { lc = login_getpwclass(pwd); if (lc == NULL || - login_setcryptfmt(lc, "md5", NULL) == NULL) + login_setcryptfmt(lc, "sha512", NULL) == NULL) warn("setting crypt(3) format"); login_close(lc); pwd->pw_passwd = pw_pwcrypt(line); -- 2.45.0