[Pkg-shadow-devel] Bug#495502: shadow: please allow linking Shadow to OpenSSL

Christian Perrier bubulle at debian.org
Mon Aug 18 01:59:18 UTC 2008


Package: shadow
Severity: wishlist
Tags: patch

----- Forwarded message from Robert Connolly <robert at linuxfromscratch.org> -----

From: Robert Connolly <robert at linuxfromscratch.org>
To: pkg-shadow-devel at lists.alioth.debian.org
Date: Sun, 17 Aug 2008 02:03:30 -0400
Subject: [Pkg-shadow-devel] Linking Shadow to OpenSSL

Hello. I started a feature request for this, but maybe it will get more 
feedback here. Attached is a patch to add --with-openssl. So far I got it 
working with DES and MD5. I worked by example, and I didn't find examples of 
using OpenSSL to make sha512 passwords that are compatible. Maybe someone who 
knows what they're doing could help.

There are great advantages to using OpenSSL instead of Libc. We would have a 
more robust choice in algorithms, random sources for salt, maybe hmac, and it 
could pave the way towards AES passwords. Better performance with actively 
maintained (asm) code for algorithms. Better portability.

I don't have the knowledge to finish the SHA patch, but I would like to use 
RAND_pseudo_bytes() for password salt so we can finally start using 
unpredictable (not gettimeofday+getpid) non-alphanumeric salt.

Opinions, help, comments?

robert

This patch adds --with-openssl to Shadow, and currently only supports DES and
MD5.

lib/openssl-md5crypt.c should probably use OpenSSL's EVP_DigestInit.

I made this patch by example, and I have no examples for sha512. I hope that
this patch can be taken over by someone who knows what they're doing, so more
algorithms can be added.

This patch is fairly conservative and I believe it is safe to use.

robert @ lfs


-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkg-shadow-openssl9.diff
Type: text/x-diff
Size: 9363 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20080818/d252c1bb/attachment.diff 
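
The salt concern raised in the message, as an added example (not part of the original post or the attached patch): a salt derived only from time and PID is a pure function of guessable inputs, while one drawn from a CSPRNG is not. The function names, the toy LCG and the sample values are hypothetical stand-ins, not Shadow's code; the block reads /dev/urandom so it builds without libcrypto.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* crypt(3) salt alphabet: 64 symbols, so 6 bits pick one without bias. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Constructed model of a time+pid seeded salt: the output is a pure
 * function of (sec, usec, pid), all of which an observer can bound. */
int salt_from_clock(long sec, long usec, long pid, char *out, size_t n)
{
    uint32_t s = (uint32_t)(sec ^ usec ^ pid);
    for (size_t i = 0; i < n; i++) {
        s = s * 1103515245u + 12345u;          /* toy LCG, not Shadow's */
        out[i] = SALT_CHARS[(s >> 16) & 0x3f];
    }
    out[n] = '\0';
    return 0;
}

/* Salt from the kernel CSPRNG. With libcrypto linked, RAND_bytes(buf, n)
 * would replace the read (RAND_pseudo_bytes is deprecated since 1.1.0). */
int salt_from_csprng(char *out, size_t n)
{
    unsigned char buf[64];
    FILE *f;
    size_t got;

    if (n > sizeof buf || (f = fopen("/dev/urandom", "rb")) == NULL)
        return -1;
    got = fread(buf, 1, n, f);
    fclose(f);
    if (got != n)
        return -1;          /* fail closed: never fall back to the clock */
    for (size_t i = 0; i < n; i++)
        out[i] = SALT_CHARS[buf[i] & 0x3f];
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char a[17], b[17], c[17];
    salt_from_clock(1218952210L, 123456L, 4242L, a, 16);  /* constructed */
    salt_from_clock(1218952210L, 123456L, 4242L, b, 16);
    if (salt_from_csprng(c, 16) != 0)
        return 1;
    printf("clock: $6$%s\nclock: $6$%s\nurandom: $6$%s\n", a, b, c);
    return 0;
}
```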

