unbreak password_hash('blowfish')

originally reported by jiri b.
2017-06-02 17:24:39 +00:00 · 2017-06-02 17:24:39 +00:00 · 217742e070
commit 217742e070
parent 60661e59f0
2 changed files with 31 additions and 2 deletions
--- a/sysutils/ansible/Makefile
+++ b/sysutils/ansible/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.74 2017/04/27 08:42:53 jasper Exp $
+# $OpenBSD: Makefile,v 1.75 2017/06/02 17:24:39 jasper Exp $

 COMMENT =		ssh based config management framework

 MODPY_EGG_VERSION =	2.3.0.0
-REVISION =		0
+REVISION =		1
 DISTNAME =		ansible-${MODPY_EGG_VERSION}

 CATEGORIES =		sysutils
--- a/sysutils/ansible/patches/patch-lib_ansible_plugins_filter_core_py
+++ b/sysutils/ansible/patches/patch-lib_ansible_plugins_filter_core_py
@ -0,0 +1,29 @@
+$OpenBSD: patch-lib_ansible_plugins_filter_core_py,v 1.1 2017/06/02 17:24:39 jasper Exp $
+
+- set bcrypt algorith to '2b'
+- unbreak password_hash('blowfish') which used salt buffer of incorrect
+  length (16 instead of 22).
+
+Index: lib/ansible/plugins/filter/core.py
+--- lib/ansible/plugins/filter/core.py.orig
+++ lib/ansible/plugins/filter/core.py
+@@ -244,13 +244,17 @@ def get_encrypted_password(password, hashtype='sha512'
+     # TODO: find a way to construct dynamically from system
+     cryptmethod= {
+         'md5':      '1',
+-        'blowfish': '2a',
+        'blowfish': '2b',
+         'sha256':   '5',
+         'sha512':   '6',
+     }
+ 
+     if hashtype in cryptmethod:
+-        if salt is None:
+        # For Blowfish, skip generating salt manually because what is generated
+        # below contains incorrectly set padding bits. Also the length used to
+        # be incorrect (16 instead of 22). Besides, Passlib recommends NOT
+        # generating a salt string manually.
+        if salt is None and hashtype is not 'blowfish':
+             r = SystemRandom()
+             if hashtype in ['md5']:
+                 saltsize = 8