main/acf-core: backport password salt support and acfpasswd tool

1 files changed, 89 insertions, 0 deletions

diff --git a/main/acf-core/0001-authenticator-use-salt-and-sha-512-encryption.patch b/main/acf-core/0001-authenticator-use-salt-and-sha-512-encryption.patch
new file mode 100644
index 0000000000..5c38cc38ab
--- /dev/null
+++ b/main/acf-core/0001-authenticator-use-salt-and-sha-512-encryption.patch
@@ -0,0 +1,89 @@
+From eb4221096cc581a41f64d7d6b99e8d5be0d470b0 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Thu, 27 Oct 2011 18:52:11 +0200
+Subject: [PATCH 1/2] authenticator: use salt and sha-512 encryption
+
+---
+ lib/authenticator.lua |   45 +++++++++++++++++++++++++++++++++++++++++++--
+ 1 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/lib/authenticator.lua b/lib/authenticator.lua
+index 724b854..f3af4e3 100644
+--- a/lib/authenticator.lua
++++ b/lib/authenticator.lua
+@@ -6,6 +6,8 @@ module (..., package.seeall)
+ require("modelfunctions")
+ require("format")
+ require("md5")
++require("posix")
++require("session")
+ 
+ -- This is the sub-authenticator
+ -- In the future, this will be set based upon configuration
+@@ -61,6 +63,45 @@ local get_id = function(self, userid)
+ 	return authstruct[userid]
+ end
+ 
++-- verify a plaintextword against a hash
++-- returns:
++--	true if password matches or
++--	false if password does not match
++local verify_password = function(plaintext, pwhash)
++	--[[ 
++	from man crypt(3):
++
++	If  salt is a character string starting with the characters "$id$" fol-
++	lowed by a string terminated by "$":
++
++              $id$salt$encrypted
++
++	then instead of using the DES machine,  id  identifies  the  encryption
++	method  used  and  this  then  determines  how the rest of the password
++	string is interpreted.  The following values of id are supported:
++
++              ID  | Method
++              ---------------------------------------------------------
++              1   | MD5
++              2a  | Blowfish (not in mainline glibc; added in some
++                  | Linux distributions)
++              5   | SHA-256 (since glibc 2.7)
++              6   | SHA-512 (since glibc 2.7)
++	]]--
++	local algo_salt, hash = string.match(pwhash, "^(%$%d%$[a-zA-Z0-9./]+%$)(.*)")
++	if algo_salt ~= nil and hash ~= nil then
++		return (pwhash == posix.crypt(plaintext, algo_salt))
++	end
++	-- fall back to old style md5 checksum
++	return (pwhash == md5.sumhexa(plaintext))	
++end
++
++-- generate a salt string
++local mksalt = function()
++	-- use sha-512 algorithm (no 6)
++	return "$6$"..session.random_hash(96).."$"
++end
++
+ --- public methods
+ 
+ -- This function returns true or false, and
+@@ -75,7 +116,7 @@ authenticate = function(self, userid, password)
+ 		
+ 		if not id then
+ 			errtxt = "Userid not found"
+-		elseif id.password ~= md5.sumhexa(password) then
++		elseif not verify_password(password, id.password) then
+ 			errtxt = "Invalid password"
+ 		end
+ 	end
+@@ -110,7 +151,7 @@ write_userinfo = function(self, userinfo)
+ 	-- Username, password, roles, skin, home are allowed to not exist, just leave the same
+ 	id.userid = userinfo.userid
+ 	if userinfo.username then id.username = userinfo.username end
+-	if userinfo.password then id.password = md5.sumhexa(userinfo.password) end
++	if userinfo.password then id.password = posix.crypt(userinfo.password, mksalt()) end
+ 	if userinfo.roles then id.roles = table.concat(userinfo.roles, ",") end
+ 	if userinfo.skin then id.skin = userinfo.skin end
+ 	if userinfo.home then id.home = userinfo.home end
+-- 
+1.7.8.2
+