diff options
author | Lennart Poettering <lennart@poettering.net> | 2019-04-23 18:17:17 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2019-04-29 20:26:38 +0200 |
commit | 3862043310de6e68bdc7ba0c45f2149445c91aa1 (patch) | |
tree | 0820863f95f9db9897698e9a5bcb64afde507dfc /src/firstboot | |
parent | f2c5edbe5a5f601be5fe7c73fa4007a243b1d52e (diff) | |
download | systemd-3862043310de6e68bdc7ba0c45f2149445c91aa1.tar.gz |
firstboot: port to make_salt()
Also, let's use crypt_r() over crypt(). Not because we actually use
threads, but because it's safer and more future proof in general.
Diffstat (limited to 'src/firstboot')
-rw-r--r-- | src/firstboot/firstboot.c | 35 |
1 files changed, 7 insertions, 28 deletions
diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c index c21cf76b93..7d97777b0d 100644 --- a/src/firstboot/firstboot.c +++ b/src/firstboot/firstboot.c @@ -595,12 +595,6 @@ static int write_root_shadow(const char *path, const struct spwd *p) { static int process_root_password(void) { - static const char table[] = - "abcdefghijklmnopqrstuvwxyz" - "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "0123456789" - "./"; - struct spwd item = { .sp_namp = (char*) "root", .sp_min = -1, @@ -610,12 +604,9 @@ static int process_root_password(void) { .sp_expire = -1, .sp_flag = (unsigned long) -1, /* this appears to be what everybody does ... */ }; - + _cleanup_free_ char *salt = NULL; _cleanup_close_ int lock = -1; - char salt[3+16+1+1]; - uint8_t raw[16]; - unsigned i; - char *j; + struct crypt_data cd = {}; const char *etc_shadow; int r; @@ -659,27 +650,15 @@ static int process_root_password(void) { if (!arg_root_password) return 0; - /* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */ - r = genuine_random_bytes(raw, 16, RANDOM_BLOCK); + r = make_salt(&salt); if (r < 0) return log_error_errno(r, "Failed to get salt: %m"); - /* We only bother with SHA512 hashed passwords, the rest is legacy, and we don't do legacy. */ - assert_cc(sizeof(table) == 64 + 1); - j = stpcpy(salt, "$6$"); - for (i = 0; i < 16; i++) - j[i] = table[raw[i] & 63]; - j[i++] = '$'; - j[i] = 0; - errno = 0; - item.sp_pwdp = crypt(arg_root_password, salt); - if (!item.sp_pwdp) { - if (!errno) - errno = EINVAL; - - return log_error_errno(errno, "Failed to encrypt password: %m"); - } + item.sp_pwdp = crypt_r(arg_root_password, salt, &cd); + if (!item.sp_pwdp) + return log_error_errno(errno == 0 ? SYNTHETIC_ERRNO(EINVAL) : errno, + "Failed to encrypt password: %m"); item.sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY); |