SecBSD's official ports repository

net/ocserv/patches/patch-src_ocpasswd_ocpasswd_c

@@ -0,0 +1,68 @@
+Generate blowfish crypts, using the simple crypt_newhash API. OpenBSD doesn't
+support SHA2 ($5$ hashes) and has removed support for MD5 ($1$).
+
+Index: src/ocpasswd/ocpasswd.c
+--- src/ocpasswd/ocpasswd.c.orig
++++ src/ocpasswd/ocpasswd.c
+@@ -26,6 +26,10 @@
+ #ifndef _XOPEN_SOURCE
+ # define _XOPEN_SOURCE
+ #endif
++#ifndef __BSD_VISIBLE
++# define __BSD_VISIBLE
++#endif
++#include <pwd.h>
+ #include <unistd.h>
+ #include <gnutls/gnutls.h>
+ #include <gnutls/crypto.h>	/* for random */
+@@ -52,9 +56,8 @@ static void
+ crypt_int(const char *fpasswd, const char *username, const char *groupname,
+ 	  const char *passwd)
+ {
+-	uint8_t _salt[SALT_SIZE];
+-	char salt[SALT_SIZE+16];
+-	char *p, *cr_passwd;
++	char cr_passwd[_PASSWORD_LEN];
++	char *p;
+ 	char *tmp_passwd;
+ 	unsigned i;
+ 	unsigned fpasswd_len = strlen(fpasswd);
+@@ -67,36 +70,8 @@ crypt_int(const char *fpasswd, const char *username, c
+ 	ssize_t len, l;
+ 	int ret;
+ 
+-	ret = gnutls_rnd(GNUTLS_RND_NONCE, _salt, sizeof(_salt));
+-	if (ret < 0) {
+-		fprintf(stderr, "Error generating nonce: %s\n",
+-			gnutls_strerror(ret));
+-		exit(1);
+-	}
+-
+-#ifdef TRY_SHA2_CRYPT
+-	strcpy(salt, "$5$");
+-#else
+-	strcpy(salt, "$1$");
+-#endif
+-	p = salt + 3;
+-
+-	for (i = 0; i < sizeof(_salt); i++) {
+-		*p = alphabet[_salt[i] % (sizeof(alphabet) - 1)];
+-		p++;
+-	}
+-	*p = '$';
+-	p++;
+-	*p = 0;
+-	p++;
+-
+-	cr_passwd = crypt(passwd, salt);
+-	if (cr_passwd == NULL) { /* try MD5 */
+-		salt[1] = '1';
+-		cr_passwd = crypt(passwd, salt);
+-	}
+-	if (cr_passwd == NULL) {
+-		fprintf(stderr, "Error in crypt().\n");
++	if (crypt_newhash(passwd, "blowfish,a", cr_passwd, sizeof(cr_passwd)) != 0) {
++		fprintf(stderr, "Error in crypt_newhash().\n");
+ 		exit(1);
+ 	}
+