mkpasswd: improve help and remove DES support.

Just Say No™ to weak ciphers.
2016-03-21 09:12:59 -05:00 · 2016-03-21 09:12:59 -05:00 · 8522eb3b2b
parent b6979c871a
commit 8522eb3b2b
2 changed files with 47 additions and 152 deletions
--- a/tools/README.mkpasswd
+++ b/tools/README.mkpasswd
@ -3,56 +3,36 @@ mkpasswd.c documentation
 This is documentation for the updated mkpasswd.c included with a number
 of ircd, irc services, and non-IRC related programs

-This version of mkpasswd can create DES, Extended DES, Blowfish, and MD5
+This version of mkpasswd can create Blowfish, MD5, SHA256, and SHA512 crypted
 passwords, with either randomly generated or user provided salts.  

 Options:
+-x Generate a SHA256 password
+-y Generate a SHA512 password
 -m Generate an MD5 password
-d Generate a DES password
 -b Generate a Blowfish password
-e Generate an Extended (BSDi) DES password
 -l Specify a length for a random MD5 or Blowfish salt
-r Specify a number of rounds for a Blowfish or Extended DES password
-   Blowfish: no more than 6 recommended, no less than 4 accepted
-   Extended DES: default of 25
-s Specify a salt, 2 alphanumeric characters for DES, up to 16 for MD5,
-   up to 22 for Blowfish, 2 for Extended DES
+-r Specify a number of rounds for a Blowfish password
+   Default 4, no more than 6 recommended
+-s Specify a salt, up to 16 for MD5, SHA256, and SHA512
+   up to 22 for Blowfish
 -p Specify a plaintext password to use
 -? Get brief help
 -h Get extended help

-Without the presence of any parameters, it'll behave like the old mkpasswd,
-creating a DES password with a randomly generated salt and prompting for
-the password (without echo).
+Without the presence of any parameters, it'll generate a SHA512 hash with a
+randomly generated salt and prompting for the password (without echo).

-A DES salt is a pair of alphanumeric characters ('.' and '/' are permitted
-as well), such as 'a4' or 'Td'.
-
-An MD5 salt consists of up to 16 (though most implementations limit you to
-8) alphanumeric characters (plus '.' and '/'),
-such as 'tGd' or 'J6d4dfG'.
+An MD5, SHA256, and SHA512 salt consists of up to 16 alphanumeric characters
+(plus '.' and '/'), such as 'tGd' or 'J6d4dfG'.

 A Blowfish salt consists of up to 22 alphanumeric characters (plus '.' and
 '/').  Blowfish also specifies a number of rounds*, by default 4.

-Known bugs:
-The encryption algorithms supported depend on your system's crypt()
-  implementation.
-The maximum length of an MD5 salt is limited to your systems crypt()
-  implementation, typically 8.
+Blowfish may not always be available, but MD5, SHA256, and SHA512 are
+guaranteed to be.

-Supported Platforms (Known and tested):
-Linux glibc (DES and MD5)
-FreeBSD 3.x (DES (MD5 maybe))
-FreeBSD 4.x (DES, MD5, Blowfish, Extended DES)
-Solaris 2.5-2.6 (DES only)
-Cygwin 1.1.4 (DES only)
-Prior Cygwin with the MD5 libcrypt (MD5 only)
-OpenBSD 2.7 (don't link with -lcrypt) (DES, MD5, Blowfish)
-Mac OS-X (Darwin) (don't link with -lcrypt) (DES only)
+This program should work anywhere Charybdis does; if you find otherwise, file
+a bug.

-An MMK build script is included, as well as an MD5 crypt() implementation
-
-Other systems probably work, but they haven't been amply tested.
-
-* Blowfish's rounds parameter is a logarithm, not an integer value
+ * Blowfish's rounds parameter is a logarithm, not an integer value
--- a/tools/mkpasswd.c
+++ b/tools/mkpasswd.c
@ -1,15 +1,14 @@
 /* simple password generator by Nelson Minar (minar@reed.edu)
-** copyright 1991, all rights reserved.
-** You can use this code as long as my name stays with it.
-**
-** md5 patch by W. Campbell <wcampbel@botbay.net>
-** Modernization, getopt, etc for the Hybrid IRCD team
-** by W. Campbell
-**
-** /dev/random for salt generation added by
-** Aaron Sethman <androsyn@ratbox.org>
-**
-*/
+ * copyright 1991, all rights reserved.
+ * You can use this code as long as my name stays with it.
+ *
+ * md5 patch by W. Campbell <wcampbel@botbay.net>
+ * Modernization, getopt, etc for the Hybrid IRCD team
+ * by W. Campbell
+ *
+ * /dev/random for salt generation added by
+ * Aaron Sethman <androsyn@ratbox.org>
+ */
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@ -22,20 +21,15 @@
 #endif

 #define FLAG_MD5      0x00000001
-#define FLAG_DES      0x00000002
-#define FLAG_SALT     0x00000004
-#define FLAG_PASS     0x00000008
-#define FLAG_LENGTH   0x00000010
-#define FLAG_BLOWFISH 0x00000020
-#define FLAG_ROUNDS   0x00000040
-#define FLAG_EXT      0x00000080
-#define FLAG_SHA256   0x00000100
-#define FLAG_SHA512   0x00000200
+#define FLAG_SALT     0x00000002
+#define FLAG_PASS     0x00000004
+#define FLAG_LENGTH   0x00000008
+#define FLAG_BLOWFISH 0x00000010
+#define FLAG_ROUNDS   0x00000020
+#define FLAG_SHA256   0x00000040
+#define FLAG_SHA512   0x00000080


-static char *make_des_salt(void);
-static char *make_ext_salt(int);
-static char *make_ext_salt_para(int, char *);
 static char *make_md5_salt(int);
 static char *make_md5_salt_para(char *);
 static char *make_sha256_salt(int);
@ -100,30 +94,22 @@ main(int argc, char *argv[])
 	char *hashed;
 	int flag = 0;
 	int length = 0;		/* Not Set */
-	int rounds = 0;		/* Not set, since extended DES needs 25 and blowfish needs
-				 ** 4 by default, a side effect of this being the encryption
-				 ** type parameter must be specified before the rounds
-				 ** parameter.
+	int rounds = 0;		/* Not set, since blowfish needs 4 by default, a side effect
+				 * of this being the encryption type parameter must be
+				 * specified before the rounds  parameter.
 				 */

-	while((c = getopt(argc, argv, "xymdber:h?l:s:p:")) != -1)
+	while((c = getopt(argc, argv, "xymbr:h?l:s:p:")) != -1)
 	{
 		switch (c)
 		{
 		case 'm':
 			flag |= FLAG_MD5;
 			break;
-		case 'd':
-			flag |= FLAG_DES;
-			break;
 		case 'b':
 			flag |= FLAG_BLOWFISH;
 			rounds = 4;
 			break;
-		case 'e':
-			flag |= FLAG_EXT;
-			rounds = 25;
-			break;
 		case 'l':
 			flag |= FLAG_LENGTH;
 			length = atoi(optarg);
@ -187,45 +173,6 @@ main(int argc, char *argv[])
 		else
 			salt = make_sha256_salt(length);
 	}
-	else if(flag & FLAG_EXT)
-	{
-		/* XXX - rounds needs to be done */
-		if(flag & FLAG_SALT)
-		{
-			if((strlen(saltpara) == 4))
-			{
-				salt = make_ext_salt_para(rounds, saltpara);
-			}
-			else
-			{
-				printf("Invalid salt, please enter 4 alphanumeric characters\n");
-				exit(1);
-			}
-		}
-		else
-		{
-			salt = make_ext_salt(rounds);
-		}
-	}
-	else if (flag & FLAG_DES)
-	{
-		if(flag & FLAG_SALT)
-		{
-			if((strlen(saltpara) == 2))
-			{
-				salt = saltpara;
-			}
-			else
-			{
-				printf("Invalid salt, please enter 2 alphanumeric characters\n");
-				exit(1);
-			}
-		}
-		else
-		{
-			salt = make_des_salt();
-		}
-	}
 	else
 	{
 		if(length == 0)
@ -262,15 +209,6 @@ main(int argc, char *argv[])
 	return 0;
 }

-static char *
-make_des_salt()
-{
-	static char salt[3];
-	generate_random_salt(salt, 2);
-	salt[2] = '\0';
-	return salt;
-}
-
 char *
 int_to_base64(int value)
 {
@ -289,26 +227,6 @@ int_to_base64(int value)
 	return buf;
 }

-char *
-make_ext_salt(int rounds)
-{
-	static char salt[10];
-
-	sprintf(salt, "_%s", int_to_base64(rounds));
-	generate_random_salt(&salt[5], 4);
-	salt[9] = '\0';
-	return salt;
-}
-
-char *
-make_ext_salt_para(int rounds, char *saltpara)
-{
-	static char salt[10];
-
-	sprintf(salt, "_%s%s", int_to_base64(rounds), saltpara);
-	return salt;
-}
-
 char *
 make_md5_salt_para(char *saltpara)
 {
@ -499,19 +417,16 @@ generate_random_salt(char *salt, int length)
 void
 full_usage()
 {
-	printf("mkpasswd [-m|-d|-b|-e] [-l saltlength] [-r rounds] [-s salt] [-p plaintext]\n");
+	printf("mkpasswd [-m|-b|-x|-y] [-l saltlength] [-r rounds] [-s salt] [-p plaintext]\n");
 	printf("-x Generate a SHA256 password\n");
 	printf("-y Generate a SHA512 password\n");
 	printf("-m Generate an MD5 password\n");
-	printf("-d Generate a DES password\n");
 	printf("-b Generate a Blowfish password\n");
-	printf("-e Generate an Extended DES password\n");
 	printf("-l Specify a length for a random MD5 or Blowfish salt\n");
-	printf("-r Specify a number of rounds for a Blowfish or Extended DES password\n");
-	printf("   Blowfish:  default 4, no more than 6 recommended\n");
-	printf("   Extended DES:  default 25\n");
-	printf("-s Specify a salt, 2 alphanumeric characters for DES, up to 16 for MD5,\n");
-	printf("   up to 22 for Blowfish, and 4 for Extended DES\n");
+	printf("-r Specify a number of rounds for a Blowfish password\n");
+	printf("   Default 4, no more than 6 recommended\n");
+	printf("-s Specify a salt, up to 16 for MD5, SHA256, and SHA512\n");
+	printf("   up to 22 for Blowfish\n");
 	printf("-p Specify a plaintext password to use\n");
 	printf("Example: mkpasswd -m -s 3dr -p test\n");
 	exit(0);
@ -521,11 +436,11 @@ void
 brief_usage()
 {
 	printf("mkpasswd - password hash generator\n");
-	printf("Standard DES:  mkpasswd [-d] [-s salt] [-p plaintext]\n");
-	printf("Extended DES:  mkpasswd -e [-r rounds] [-s salt] [-p plaintext]\n");
-	printf("         MD5:  mkpasswd -m [-l saltlength] [-s salt] [-p plaintext]\n");
-	printf("    Blowfish:  mkpasswd -b [-r rounds] [-l saltlength] [-s salt]\n");
-	printf("                           [-p plaintext]\n");
+	printf("  SHA512:  mkpasswd [-y] [-l saltlength] [-s salt] [-p plaintext]\n");
+	printf("  SHA256:  mkpasswd -x [-l saltlength] [-s salt] [-p plaintext]\n");
+	printf("     MD5:  mkpasswd -m [-l saltlength] [-s salt] [-p plaintext]\n");
+	printf("Blowfish:  mkpasswd -b [-r rounds] [-l saltlength] [-s salt]\n");
+	printf("                       [-p plaintext]\n");
 	printf("Use -h for full usage\n");
 	exit(0);
 }