From owner-freebsd-security@FreeBSD.ORG Tue Feb 10 12:27:21 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0F2C0405; Tue, 10 Feb 2015 12:27:21 +0000 (UTC) Received: from ironport2-out.teksavvy.com (ironport2-out.teksavvy.com [206.248.154.181]) by mx1.freebsd.org (Postfix) with ESMTP id 9B9E465B; Tue, 10 Feb 2015 12:27:20 +0000 (UTC) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AnsOAPOG1lRFpa1E/2dsb2JhbABbghVxAVFaAYMBrSYBAQEBAQEGg2iOVROFaAMCgQ9EAQEBAQEBfIQ2FR4iATUCBQ0BCAsCCwMCAQIBJzEBBwEBiCkNuCWVcQEBAQcCAR+BIYRjh2eBREkZAQOCUoFCBYongxGBY4NQg1eDU4RyimuBRSKEDCAxAQGBAQEHF4EgAQEB X-IPAS-Result: AnsOAPOG1lRFpa1E/2dsb2JhbABbghVxAVFaAYMBrSYBAQEBAQEGg2iOVROFaAMCgQ9EAQEBAQEBfIQ2FR4iATUCBQ0BCAsCCwMCAQIBJzEBBwEBiCkNuCWVcQEBAQcCAR+BIYRjh2eBREkZAQOCUoFCBYongxGBY4NQg1eDU4RyimuBRSKEDCAxAQGBAQEHF4EgAQEB X-IronPort-AV: E=Sophos;i="5.09,536,1418101200"; d="scan'208";a="110104683" Received: from 69-165-173-68.dsl.teksavvy.com (HELO porter.razorfever.net) ([69.165.173.68]) by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 10 Feb 2015 07:26:11 -0500 Received: from [127.0.0.1] (localhost [127.0.0.1]) by porter.razorfever.net (8.14.4/8.14.4) with ESMTP id t1ACQ7mh075976; Tue, 10 Feb 2015 07:26:08 -0500 (EST) (envelope-from 482254ac@razorfever.net) Message-ID: <54D9F8DF.7070904@razorfever.net> Date: Tue, 10 Feb 2015 07:26:07 -0500 From: "Derek (freebsd lists)" <482254ac@razorfever.net> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Subject: [patch] libcrypt & friends - modular crypt format support in /etc/login.conf Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Cc: delphij@FreeBSD.org, John-Mark Gurney , "A.J. Kehoe IV \(Nanoman\)" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Feb 2015 12:27:21 -0000 Hello! I've been working on this for a while, and I've produced a patch that does a few things with the base system: 1. allows modular crypt to be specified as passwd_format in /etc/login.conf - this allows setting the algorithm *and rounds*, i.e. $2b$10$ for users of varying classes. - this will allow any future algorithms and parameters supported by crypt(3) to be supported by the tools around login.conf 2. introduces a new api, crypt_makesalt which will generate an appropriate salt for any algorithm selected 3. updates userland to use this API, and removes totally the {crypt_set_format, login_setcryptfmt, login_getcryptfmt} APIs 4. switches crypt algorithms to use thread-local storage, so the good old global crypt buffer is thread-local 5. includes a bunch of new test vectors for libcrypt ATF tests There are references to previous discussions/patches/etc here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518 http://docs.freebsd.org/cgi/getmsg.cgi?fetch=168499+0+/usr/local/www/db/text/2013/freebsd-current/20131006.freebsd-current http://docs.freebsd.org/cgi/getmsg.cgi?fetch=361757+0+/usr/local/www/db/text/2014/freebsd-current/20140112.freebsd-current And most recent discussion here: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1751919+0+archive/2014/freebsd-current/20140716.freebsd-current Anyways, I've put a bunch of work into this, and am anxious to actually get this accepted into -HEAD. What more can I do at this point? A patch against current is in the original PR/"bug": https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518 Thanks, Derek