From 559d19018c9cbfc524582d3e5f1638f86163c519 Mon Sep 17 00:00:00 2001 From: Evan Maddock Date: Sun, 26 Nov 2023 12:52:50 -0500 Subject: [PATCH 1/2] users: Add support for crypt_gensalt for user passwords This attempts to locate the presense of the crypt_gensalt function in the crypto library in use. Many distributions have switched to libxcrypt, which provides this function. This means that Calamares can use the native library implementation instead of generating password salts itself, which, depending on the distro's configuration, may be more secure. If the function can not be found, fallback to the current method of generating password salts. Signed-off-by: Evan Maddock --- src/modules/users/CMakeLists.txt | 14 +++++++++++++- src/modules/users/SetPasswordJob.cpp | 11 ++++++++++- src/modules/users/SetPasswordJob.h | 3 ++- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/src/modules/users/CMakeLists.txt b/src/modules/users/CMakeLists.txt index 2e9e9c5e9..bad5b43a2 100644 --- a/src/modules/users/CMakeLists.txt +++ b/src/modules/users/CMakeLists.txt @@ -6,6 +6,16 @@ find_package(${qtname} ${QT_VERSION} CONFIG REQUIRED Core DBus Network) find_package(Crypt REQUIRED) +# Check for crypt_gensalt +if(Crypt_FOUND) + list(APPEND CMAKE_REQUIRED_LIBRARIES crypt) + include(CheckSymbolExists) + check_symbol_exists(crypt_gensalt crypt.h HAS_CRYPT_GENSALT) + if(HAS_CRYPT_GENSALT) + add_definitions(-DHAVE_CRYPT_GENSALT) + endif() +endif() + # Add optional libraries here set(USER_EXTRA_LIB ${kfname}::CoreAddons @@ -78,7 +88,9 @@ calamares_add_plugin(users SHARED_LIB ) -calamares_add_test(userspasswordtest SOURCES TestPasswordJob.cpp SetPasswordJob.cpp LIBRARIES ${CRYPT_LIBRARIES}) +if(NOT HAS_CRYPT_GENSALT) + calamares_add_test(userspasswordtest SOURCES TestPasswordJob.cpp SetPasswordJob.cpp LIBRARIES ${CRYPT_LIBRARIES}) +endif() calamares_add_test( usersgroupstest 
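Review bot: The symbol probe in the first CMakeLists.txt hunk links against the hard-coded name `crypt` in `list(APPEND CMAKE_REQUIRED_LIBRARIES crypt)` rather than the library that `find_package(Crypt REQUIRED)` resolved. The check can therefore pass or fail against a different library than the one the module links with; `list(APPEND CMAKE_REQUIRED_LIBRARIES ${CRYPT_LIBRARIES})` keeps the two in step. The same line is carried unchanged into the hunk of patch 2/2. `if(Crypt_FOUND)` is always true after a `REQUIRED` find, and `add_definitions(-DHAVE_CRYPT_GENSALT)` reaches every target in this directory, so a target-scoped definition would be narrower.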
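Review bot: Wrapping `calamares_add_test(userspasswordtest ...)` in `if(NOT HAS_CRYPT_GENSALT)` removes all test coverage of the password job on exactly the builds that take the new `crypt_gensalt` path, which the description expects to be common on libxcrypt distributions. The test is presumably dropped because it calls `make_salt`, which is compiled out under `HAVE_CRYPT_GENSALT`. Keeping `make_salt` built unconditionally, or guarding only the salt-specific test case, would let the rest of the test keep running. A case that hashes a password through the `crypt_gensalt` branch and checks that `crypt()` reproduces the hash from the stored setting would cover the new code.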
diff --git a/src/modules/users/SetPasswordJob.cpp b/src/modules/users/SetPasswordJob.cpp index c296c2a5e..4d326ccf0 100644 --- a/src/modules/users/SetPasswordJob.cpp +++ b/src/modules/users/SetPasswordJob.cpp @@ -44,6 +44,7 @@ SetPasswordJob::prettyStatusMessage() const return tr( "Setting password for user %1." ).arg( m_userName ); } +#ifndef HAVE_CRYPT_GENSALT /// Returns a modular hashing salt for method 6 (SHA512) with a 16 character random salt. QString SetPasswordJob::make_salt( int length ) @@ -67,6 +68,7 @@ SetPasswordJob::make_salt( int length ) salt_string.append( '$' ); return salt_string; } +#endif Calamares::JobResult SetPasswordJob::exec() @@ -90,7 +92,14 @@ SetPasswordJob::exec() return Calamares::JobResult::ok(); } - QString encrypted = QString::fromLatin1( crypt( m_newPassword.toUtf8(), make_salt( 16 ).toUtf8() ) ); + QString salt; +#ifdef HAVE_CRYPT_GENSALT + salt = crypt_gensalt( NULL, 0, NULL, 0 ); +#else + salt = make_salt( 16 ); +#endif + + QString encrypted = QString::fromLatin1( crypt( m_newPassword.toUtf8(), salt.toUtf8() ) ); int ec = Calamares::System::instance()->targetEnvCall( { "usermod", "-p", encrypted, m_userName } ); if ( ec ) diff --git a/src/modules/users/SetPasswordJob.h b/src/modules/users/SetPasswordJob.h index aa75a86e1..75647d48c 100644 --- a/src/modules/users/SetPasswordJob.h +++ b/src/modules/users/SetPasswordJob.h @@ -22,8 +22,9 @@ public: QString prettyName() const override; QString prettyStatusMessage() const override; Calamares::JobResult exec() override; - +#ifndef HAVE_CRYPT_GENSALT static QString make_salt( int length ); +#endif /* HAVE_CRYPT_GENSALT */ private: QString m_userName; From 1b07de6fa741f8183b9684fff4e6664108005f0f Mon Sep 17 00:00:00 2001 From: Evan Maddock <5157277+EbonJaeger@users.noreply.github.com> Date: Mon, 27 Nov 2023 19:02:50 -0500 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Adriaan de Groot --- src/modules/users/CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) 
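Review bot: Neither `crypt_gensalt( NULL, 0, NULL, 0 )` nor the following `crypt()` call is checked for failure in the last hunk of SetPasswordJob.cpp. `crypt_gensalt` returns a null pointer on error, which becomes an empty `QString` salt here, and `crypt()` can then return a null pointer or, depending on how libcrypt was built, a failure token beginning with `*`. That value would be handed to `usermod -p` as if it were a hash, leaving the account with an unusable password while the job still reports success if usermod exits 0. The default prefix is also chosen by the libcrypt of the system running the installer, so it is worth confirming that the target's libcrypt supports that method. The fence below checks both results before usermod is called; `exec()` starts and ends outside the hunk.

```cpp
    QString salt;
#ifdef HAVE_CRYPT_GENSALT
    // crypt_gensalt() returns a null pointer on failure; never pass that on to crypt().
    const char* setting = crypt_gensalt( nullptr, 0, nullptr, 0 );
    if ( !setting )
    {
        return Calamares::JobResult::error( tr( "Cannot set password for user %1." ).arg( m_userName ),
                                            tr( "Could not generate a password salt." ) );
    }
    salt = QString::fromLatin1( setting );
#else
    salt = make_salt( 16 );
#endif

    // A null result or a failure token (leading '*') is not a usable hash.
    const char* hashed = crypt( m_newPassword.toUtf8(), salt.toUtf8() );
    if ( !hashed || hashed[ 0 ] == '*' )
    {
        return Calamares::JobResult::error( tr( "Cannot set password for user %1." ).arg( m_userName ),
                                            tr( "Could not hash the password." ) );
    }
    QString encrypted = QString::fromLatin1( hashed );
    // … unchanged: usermod call and exit-code check …
```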
diff --git a/src/modules/users/CMakeLists.txt b/src/modules/users/CMakeLists.txt index bad5b43a2..37bcbb5a5 100644 --- a/src/modules/users/CMakeLists.txt +++ b/src/modules/users/CMakeLists.txt @@ -8,9 +8,11 @@ find_package(Crypt REQUIRED) # Check for crypt_gensalt if(Crypt_FOUND) + set(_old_CRL "${CMAKE_REQUIRED_LIBRARIES}") list(APPEND CMAKE_REQUIRED_LIBRARIES crypt) include(CheckSymbolExists) check_symbol_exists(crypt_gensalt crypt.h HAS_CRYPT_GENSALT) + set(CMAKE_REQUIRED_LIBRARIES "${_old_CRL}") if(HAS_CRYPT_GENSALT) add_definitions(-DHAVE_CRYPT_GENSALT) endif()
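Review bot: The manual save and restore through `_old_CRL` can be replaced by CMake's own helper, which also covers the other `CMAKE_REQUIRED_*` variables. Use `include(CMakePushCheckState)`, then `cmake_push_check_state()` before the `list(APPEND ...)` and `cmake_pop_check_state()` after `check_symbol_exists(...)`. As written, `_old_CRL` stays set in the directory scope after the check; an `unset(_old_CRL)` would tidy that if the manual form is kept.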