mkpasswd: improve help and remove DES support.

Just Say No™ to weak ciphers.
Elizabeth Myers 2016-03-21 09:12:59 -05:00
parent b6979c871a
commit 8522eb3b2b
2 changed files with 47 additions and 152 deletions


@ -3,56 +3,36 @@ mkpasswd.c documentation
This is documentation for the updated mkpasswd.c included with a number This is documentation for the updated mkpasswd.c included with a number
of ircd, irc services, and non-IRC related programs of ircd, irc services, and non-IRC related programs
This version of mkpasswd can create DES, Extended DES, Blowfish, and MD5 This version of mkpasswd can create Blowfish, MD5, SHA256, and SHA512 crypted
passwords, with either randomly generated or user provided salts. passwords, with either randomly generated or user provided salts.
Options: Options:
-x Generate a SHA256 password
-y Generate a SHA512 password
-m Generate an MD5 password -m Generate an MD5 password
-d Generate a DES password
-b Generate a Blowfish password -b Generate a Blowfish password
-e Generate an Extended (BSDi) DES password
-l Specify a length for a random MD5 or Blowfish salt -l Specify a length for a random MD5 or Blowfish salt
-r Specify a number of rounds for a Blowfish or Extended DES password -r Specify a number of rounds for a Blowfish password
Blowfish: no more than 6 recommended, no less than 4 accepted Default 4, no more than 6 recommended
Extended DES: default of 25 -s Specify a salt, up to 16 for MD5, SHA256, and SHA512
-s Specify a salt, 2 alphanumeric characters for DES, up to 16 for MD5, up to 22 for Blowfish
up to 22 for Blowfish, 2 for Extended DES
-p Specify a plaintext password to use -p Specify a plaintext password to use
-? Get brief help -? Get brief help
-h Get extended help -h Get extended help
Without the presence of any parameters, it'll behave like the old mkpasswd, Without the presence of any parameters, it'll generate a SHA512 hash with a
creating a DES password with a randomly generated salt and prompting for randomly generated salt and prompting for the password (without echo).
the password (without echo).
A DES salt is a pair of alphanumeric characters ('.' and '/' are permitted An MD5, SHA256, and SHA512 salt consists of up to 16 alphanumeric characters
as well), such as 'a4' or 'Td'. (plus '.' and '/'), such as 'tGd' or 'J6d4dfG'.
An MD5 salt consists of up to 16 (though most implementations limit you to
8) alphanumeric characters (plus '.' and '/'),
such as 'tGd' or 'J6d4dfG'.
A Blowfish salt consists of up to 22 alphanumeric characters (plus '.' and A Blowfish salt consists of up to 22 alphanumeric characters (plus '.' and
'/'). Blowfish also specifies a number of rounds*, by default 4. '/'). Blowfish also specifies a number of rounds*, by default 4.
Known bugs: Blowfish may not always be available, but MD5, SHA256, and SHA512 are
The encryption algorithms supported depend on your system's crypt() guaranteed to be.
implementation.
The maximum length of an MD5 salt is limited to your systems crypt()
implementation, typically 8.
Supported Platforms (Known and tested): This program should work anywhere Charybdis does; if you find otherwise, file
Linux glibc (DES and MD5) a bug.
FreeBSD 3.x (DES (MD5 maybe))
FreeBSD 4.x (DES, MD5, Blowfish, Extended DES)
Solaris 2.5-2.6 (DES only)
Cygwin 1.1.4 (DES only)
Prior Cygwin with the MD5 libcrypt (MD5 only)
OpenBSD 2.7 (don't link with -lcrypt) (DES, MD5, Blowfish)
Mac OS-X (Darwin) (don't link with -lcrypt) (DES only)
An MMK build script is included, as well as an MD5 crypt() implementation
Other systems probably work, but they haven't been amply tested.
* Blowfish's rounds parameter is a logarithm, not an integer value * Blowfish's rounds parameter is a logarithm, not an integer value


@ -1,14 +1,13 @@
/* simple password generator by Nelson Minar (minar@reed.edu) /* simple password generator by Nelson Minar (minar@reed.edu)
** copyright 1991, all rights reserved. * copyright 1991, all rights reserved.
** You can use this code as long as my name stays with it. * You can use this code as long as my name stays with it.
** *
** md5 patch by W. Campbell <wcampbel@botbay.net> * md5 patch by W. Campbell <wcampbel@botbay.net>
** Modernization, getopt, etc for the Hybrid IRCD team * Modernization, getopt, etc for the Hybrid IRCD team
** by W. Campbell * by W. Campbell
** *
** /dev/random for salt generation added by * /dev/random for salt generation added by
** Aaron Sethman <androsyn@ratbox.org> * Aaron Sethman <androsyn@ratbox.org>
**
*/ */
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
@ -22,20 +21,15 @@
#endif #endif
#define FLAG_MD5 0x00000001 #define FLAG_MD5 0x00000001
#define FLAG_DES 0x00000002 #define FLAG_SALT 0x00000002
#define FLAG_SALT 0x00000004 #define FLAG_PASS 0x00000004
#define FLAG_PASS 0x00000008 #define FLAG_LENGTH 0x00000008
#define FLAG_LENGTH 0x00000010 #define FLAG_BLOWFISH 0x00000010
#define FLAG_BLOWFISH 0x00000020 #define FLAG_ROUNDS 0x00000020
#define FLAG_ROUNDS 0x00000040 #define FLAG_SHA256 0x00000040
#define FLAG_EXT 0x00000080 #define FLAG_SHA512 0x00000080
#define FLAG_SHA256 0x00000100
#define FLAG_SHA512 0x00000200
static char *make_des_salt(void);
static char *make_ext_salt(int);
static char *make_ext_salt_para(int, char *);
static char *make_md5_salt(int); static char *make_md5_salt(int);
static char *make_md5_salt_para(char *); static char *make_md5_salt_para(char *);
static char *make_sha256_salt(int); static char *make_sha256_salt(int);
@ -100,30 +94,22 @@ main(int argc, char *argv[])
char *hashed; char *hashed;
int flag = 0; int flag = 0;
int length = 0; /* Not Set */ int length = 0; /* Not Set */
int rounds = 0; /* Not set, since extended DES needs 25 and blowfish needs int rounds = 0; /* Not set, since blowfish needs 4 by default, a side effect
** 4 by default, a side effect of this being the encryption * of this being the encryption type parameter must be
** type parameter must be specified before the rounds * specified before the rounds parameter.
** parameter.
*/ */
while((c = getopt(argc, argv, "xymdber:h?l:s:p:")) != -1) while((c = getopt(argc, argv, "xymbr:h?l:s:p:")) != -1)
{ {
switch (c) switch (c)
{ {
case 'm': case 'm':
flag |= FLAG_MD5; flag |= FLAG_MD5;
break; break;
case 'd':
flag |= FLAG_DES;
break;
case 'b': case 'b':
flag |= FLAG_BLOWFISH; flag |= FLAG_BLOWFISH;
rounds = 4; rounds = 4;
break; break;
case 'e':
flag |= FLAG_EXT;
rounds = 25;
break;
case 'l': case 'l':
flag |= FLAG_LENGTH; flag |= FLAG_LENGTH;
length = atoi(optarg); length = atoi(optarg);
@ -187,45 +173,6 @@ main(int argc, char *argv[])
else else
salt = make_sha256_salt(length); salt = make_sha256_salt(length);
} }
else if(flag & FLAG_EXT)
{
/* XXX - rounds needs to be done */
if(flag & FLAG_SALT)
{
if((strlen(saltpara) == 4))
{
salt = make_ext_salt_para(rounds, saltpara);
}
else
{
printf("Invalid salt, please enter 4 alphanumeric characters\n");
exit(1);
}
}
else
{
salt = make_ext_salt(rounds);
}
}
else if (flag & FLAG_DES)
{
if(flag & FLAG_SALT)
{
if((strlen(saltpara) == 2))
{
salt = saltpara;
}
else
{
printf("Invalid salt, please enter 2 alphanumeric characters\n");
exit(1);
}
}
else
{
salt = make_des_salt();
}
}
else else
{ {
if(length == 0) if(length == 0)
@ -262,15 +209,6 @@ main(int argc, char *argv[])
return 0; return 0;
} }
static char *
make_des_salt()
{
static char salt[3];
generate_random_salt(salt, 2);
salt[2] = '\0';
return salt;
}
char * char *
int_to_base64(int value) int_to_base64(int value)
{ {
@ -289,26 +227,6 @@ int_to_base64(int value)
return buf; return buf;
} }
char *
make_ext_salt(int rounds)
{
static char salt[10];
sprintf(salt, "_%s", int_to_base64(rounds));
generate_random_salt(&salt[5], 4);
salt[9] = '\0';
return salt;
}
char *
make_ext_salt_para(int rounds, char *saltpara)
{
static char salt[10];
sprintf(salt, "_%s%s", int_to_base64(rounds), saltpara);
return salt;
}
char * char *
make_md5_salt_para(char *saltpara) make_md5_salt_para(char *saltpara)
{ {
@ -499,19 +417,16 @@ generate_random_salt(char *salt, int length)
void void
full_usage() full_usage()
{ {
printf("mkpasswd [-m|-d|-b|-e] [-l saltlength] [-r rounds] [-s salt] [-p plaintext]\n"); printf("mkpasswd [-m|-b|-x|-y] [-l saltlength] [-r rounds] [-s salt] [-p plaintext]\n");
printf("-x Generate a SHA256 password\n"); printf("-x Generate a SHA256 password\n");
printf("-y Generate a SHA512 password\n"); printf("-y Generate a SHA512 password\n");
printf("-m Generate an MD5 password\n"); printf("-m Generate an MD5 password\n");
printf("-d Generate a DES password\n");
printf("-b Generate a Blowfish password\n"); printf("-b Generate a Blowfish password\n");
printf("-e Generate an Extended DES password\n");
printf("-l Specify a length for a random MD5 or Blowfish salt\n"); printf("-l Specify a length for a random MD5 or Blowfish salt\n");
printf("-r Specify a number of rounds for a Blowfish or Extended DES password\n"); printf("-r Specify a number of rounds for a Blowfish password\n");
printf(" Blowfish: default 4, no more than 6 recommended\n"); printf(" Default 4, no more than 6 recommended\n");
printf(" Extended DES: default 25\n"); printf("-s Specify a salt, up to 16 for MD5, SHA256, and SHA512\n");
printf("-s Specify a salt, 2 alphanumeric characters for DES, up to 16 for MD5,\n"); printf(" up to 22 for Blowfish\n");
printf(" up to 22 for Blowfish, and 4 for Extended DES\n");
printf("-p Specify a plaintext password to use\n"); printf("-p Specify a plaintext password to use\n");
printf("Example: mkpasswd -m -s 3dr -p test\n"); printf("Example: mkpasswd -m -s 3dr -p test\n");
exit(0); exit(0);
@ -521,8 +436,8 @@ void
brief_usage() brief_usage()
{ {
printf("mkpasswd - password hash generator\n"); printf("mkpasswd - password hash generator\n");
printf("Standard DES: mkpasswd [-d] [-s salt] [-p plaintext]\n"); printf(" SHA512: mkpasswd [-y] [-l saltlength] [-s salt] [-p plaintext]\n");
printf("Extended DES: mkpasswd -e [-r rounds] [-s salt] [-p plaintext]\n"); printf(" SHA256: mkpasswd -x [-l saltlength] [-s salt] [-p plaintext]\n");
printf(" MD5: mkpasswd -m [-l saltlength] [-s salt] [-p plaintext]\n"); printf(" MD5: mkpasswd -m [-l saltlength] [-s salt] [-p plaintext]\n");
printf("Blowfish: mkpasswd -b [-r rounds] [-l saltlength] [-s salt]\n"); printf("Blowfish: mkpasswd -b [-r rounds] [-l saltlength] [-s salt]\n");
printf(" [-p plaintext]\n"); printf(" [-p plaintext]\n");
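Review bot: The Blowfish default cost is still 4, the lowest value bcrypt accepts and only 2^4 iterations since the rounds value is a logarithm: `case 'b':` in main keeps `rounds = 4;` and full_usage now prints `Default 4, no more than 6 recommended`. With DES gone this is the weakest setting the tool hands out by default, so a higher default and help text without the upper-bound advice would fit the commit's intent, e.g. `rounds = 10;` and `Default 10, higher values are slower to crack`. The assignment is also unconditional, so `-r 12 -b` silently ends up at 4 (the ordering side effect the comment on `rounds` describes); since `rounds` starts at 0, `if(rounds == 0) rounds = 4;` would remove that trap. `-m` still emits md5crypt hashes, which the help text could at least mark as legacy. main's body continues outside the visible hunks.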