user-util: add generic make_salt() API

2019-04-23 18:17:04 +02:00 · 2019-04-23 18:17:04 +02:00 · f2c5edbe5a
parent 987719d37d
commit f2c5edbe5a
2 changed files with 40 additions and 0 deletions
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@ -22,6 +22,7 @@
 #include "missing.h"
 #include "parse-util.h"
 #include "path-util.h"
+#include "random-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "user-util.h"
@ -870,3 +871,40 @@ int fgetsgent_sane(FILE *stream, struct sgrp **sg) {
        return !!s;
 }
 #endif
+
+int make_salt(char **ret) {
+        static const char table[] =
+                "abcdefghijklmnopqrstuvwxyz"
+                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                "0123456789"
+                "./";
+
+        uint8_t raw[16];
+        char *salt, *j;
+        size_t i;
+        int r;
+
+        /* This is a bit like crypt_gensalt_ra(), but doesn't require libcrypt, and doesn't do anything but
+         * SHA512, i.e. is legacy-free and minimizes our deps. */
+
+        assert_cc(sizeof(table) == 64U + 1U);
+
+        /* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */
+        r = genuine_random_bytes(raw, sizeof(raw), RANDOM_BLOCK);
+        if (r < 0)
+                return r;
+
+        salt = new(char, 3+sizeof(raw)+1+1);
+        if (!salt)
+                return -ENOMEM;
+
+        /* We only bother with SHA512 hashed passwords, the rest is legacy, and we don't do legacy. */
+        j = stpcpy(salt, "$6$");
+        for (i = 0; i < sizeof(raw); i++)
+                j[i] = table[raw[i] & 63];
+        j[i++] = '$';
+        j[i] = 0;
+
+        *ret = salt;
+        return 0;
+}
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@ -113,3 +113,5 @@ int putgrent_sane(const struct group *gr, FILE *stream);
 int fgetsgent_sane(FILE *stream, struct sgrp **sg);
 int putsgent_sane(const struct sgrp *sg, FILE *stream);
 #endif
+
+int make_salt(char **ret);