[Pkg-shadow-devel] Linking Shadow to OpenSSL

Alexander Gattin xrgtn at yandex.ru
Mon Aug 25 19:28:30 UTC 2008


On Sat, Aug 23, 2008 at 07:45:10PM -0400, Robert Connolly wrote:
> Sha256/512 was added to Glibc-2.7, and Shadow added
> support for it soon after.  As far as I know, almost
> no one else uses sha256/512 passwords; the only one I
> found was OpenSolaris, and they did it for Glibc
> compatibility. NetBSD has hmac-sha1. Pam-Linux has
> sha1, and bcrypt, but I don't know about 256/512.

thanks for the information, looks like
I'm lagging too far behind the progress :)

> The advantage is that OpenSSL's libcrypto has
> everything Shadow could possibly want from a crypto
> library, and almost everyone already has it
> installed.

But being installed under /usr it's not suitable for
login/su/passwd... Static linking with libcrypto will
add about 2 megabytes (IIRC) to all these binaries.

> > > random sources for salt,

I dismiss all my objections to having random salt. I've
just had a look at crypt(3) and my /etc/shadow to
notice that salt is stored as part of the "encrypted
password" field.

But, as far as I remember, libcrypto doesn't have any
useful and simple API for getting random data (I mean
there's no function like get_random_bytes() which
automatically initializes PRNG by trying /dev/urandom
first on systems that have it, then resorting to
/dev/srandom, /dev/random, seeding off the stack
garbage (like in the mentioned Debian bug), then to
gettimeofday/clock + pid + hash_of_hostname + whatever
else). RAND_poll() was the closest such thing IIRC?

In openssl you need to explicitly seed PRNG from
/dev/urandom, from stack or from time + pid, then you
can call RAND_bytes. Looks like there's not any
advantage versus reading from /dev/urandom directly by
Shadow binaries... Mayby quality of PRNG itself on
systems that do not have any of the /dev/*random?

> The other option is moving libcrypto.so to /lib.

Looks unlikely to happen in Debian.

> Shared and static linking to OpenSSL could be
> ./configure options.

Agreed. I suggest just to try to do this and see how
much will static linking add to shadow binaries.

With best regards,
xrgtn (+380501102966/+380636177128/ICQ:381730053/xrgtn at jabber.kiev.ua)

More information about the Pkg-shadow-devel mailing list