feat: support configurable password encryption algorithms

Added support for configurable password encryption algorithms through
dconfig settings. The system now supports multiple encryption algorithms
including SM3, yescrypt, SHA512, and SHA256. The default algorithm is
set to SM3 but can be changed via configuration.

Key changes include:
1. Added dconfig key for password encryption algorithm selection
2. Implemented algorithm lookup and fallback mechanism in C code
3. Created new function for password encryption with algorithm parameter
4. Added configuration change monitoring to update algorithm dynamically
5. Maintained backward compatibility with existing password encoding

Log: Added configurable password encryption algorithm support

Influence:
1. Test password creation with different algorithm configurations
2. Verify algorithm fallback when configured algorithm fails
3. Test configuration change detection and algorithm switching
4. Verify backward compatibility with existing passwords
5. Test all supported algorithms: SM3, yescrypt, SHA512, SHA256
6. Check system behavior when invalid algorithm is configured

feat: 支持可配置的密码加密算法

通过 dconfig 设置添加了对可配置密码加密算法的支持。系统现在支持多种加密
算法，包括 SM3、yescrypt、SHA512 和 SHA256。默认算法设置为 SM3，但可以通
过配置进行更改。

主要变更包括：
1. 添加了用于密码加密算法选择的 dconfig 键
2. 在 C 代码中实现了算法查找和回退机制
3. 创建了带算法参数的新密码加密函数
4. 添加了配置变更监控以动态更新算法
5. 保持与现有密码编码的向后兼容性

Log: 新增可配置密码加密算法支持
PMS: BUG-346165
Influence:
1. 测试使用不同算法配置的密码创建功能
2. 验证配置算法失败时的回退机制
3. 测试配置变更检测和算法切换功能
4. 验证与现有密码的向后兼容性
5. 测试所有支持的算法：SM3、yescrypt、SHA512、SHA256
6. 检查配置无效算法时的系统行为

Author: fly602

accounts1/manager.go

@@ -60,11 +60,12 @@ type InterfaceConfig struct {
 }
 
 const (
-	dsettingsAppID             = "org.deepin.dde.daemon"
-	dsettingsAccountName       = "org.deepin.dde.daemon.account"
-	dsettingsIsTerminalLocked  = "isTerminalLocked"
-	gsSchemaDdeControlCenter   = "com.deepin.dde.control-center"
-	settingKeyAutoLoginVisable = "auto-login-visable"
+	dsettingsAppID                 = "org.deepin.dde.daemon"
+	dsettingsAccountName           = "org.deepin.dde.daemon.account"
+	dsettingsIsTerminalLocked      = "isTerminalLocked"
+	gsSchemaDdeControlCenter       = "com.deepin.dde.control-center"
+	settingKeyAutoLoginVisable     = "auto-login-visable"
+	keyPasswordEncryptionAlgorithm = "passwordEncryptionAlgorithm"
 )
 
 //go:generate dbusutil-gen -type Manager,User manager.go user.go
@@ -668,6 +669,23 @@ func (m *Manager) checkGroupCanChange(name string) bool {
 	return gid >= 1000
 }
 
+// 从 dconfig 获取 密码加密算法的配置
+func (m *Manager) getDConfigPasswdEncryptionAlgorithm() (string, error) {
+	if m.dsAccount == nil {
+		return "", errors.New("get accounts dconfig failed")
+	}
+	algoVar, err := m.dsAccount.Value(0, keyPasswordEncryptionAlgorithm)
+	if err != nil {
+		return "", fmt.Errorf("get accounts dconfig passwordEncryptionAlgorithm failed, err: %v", err)
+	}
+
+	alg, ok := algoVar.Value().(string)
+	if !ok {
+		return "", errors.New("algoVar.Value() is not string type")
+	}
+	return alg, nil
+}
+
 func (m *Manager) initAccountDSettings() {
 	m.cfgManager = configManager.NewConfigManager(m.sysSigLoop.Conn())
 
@@ -692,6 +710,16 @@ func (m *Manager) initAccountDSettings() {
 	if data, ok := v.Value().(bool); ok {
 		m.IsTerminalLocked = data
 	}
+	users.PasswdAlgoDefault, _ = m.getDConfigPasswdEncryptionAlgorithm()
+	m.dsAccount.InitSignalExt(m.sysSigLoop, true)
+	m.dsAccount.ConnectValueChanged(func(key string) {
+		switch key {
+		case keyPasswordEncryptionAlgorithm:
+			users.PasswdAlgoDefault, _ = m.getDConfigPasswdEncryptionAlgorithm()
+			logger.Warning("password encrypt algo changed:", users.PasswdAlgoDefault)
+		}
+	})
+
 }
 
 const (

accounts1/users/passwd.c

@@ -16,27 +16,78 @@
 #define ERROR_NULLPOINTER -1;
 #define ERROR_NOERROR 0;
 
-char *mkpasswd(const char *words) {
-    unsigned long seed[2];
-    char salt[] = "$6$........";
-    const char *const seedchars = "./0123456789ABCDEFGHIJKLMNOPQRST"
-                                  "UVWXYZabcdefghijklmnopqrstuvwxyz";
+#ifndef CRYPT_GENSALT_OUTPUT_SIZE
+#define CRYPT_GENSALT_OUTPUT_SIZE 192
+#endif
+
+typedef struct {
+    const char *name;
+    const char *prefix;
+} PasswordAlgorithm;
+
+static const PasswordAlgorithm SUPPORTED_ALGORITHMS[] = {
+    {"sm3",      "$sm3$"},
+    {"yescrypt", "$y$"},
+    {"sha512",   "$6$"},
+    {"sha256",   "$5$"},
+    {NULL,       NULL}
+};
+
+#define DEFAULT_ALGORITHM 0
+
+static char *try_encrypt_password(const char *words, const char *prefix) {
+    char output[CRYPT_GENSALT_OUTPUT_SIZE];
+    char *setting;
+    char *password;
+
+    setting = crypt_gensalt_rn(prefix, 0, NULL, 0, output, sizeof(output));
+    if (setting == NULL || setting[0] == '*') {
+        return NULL;
+    }
+
+    password = crypt(words, setting);
+    if (password == NULL || password[0] == '*') {
+        return NULL;
+    }
+
+    return password;
+}
+
+char *mkpasswd_with_algo(const char *words, const char *algo) {
     char *password;
     int i;
+    const PasswordAlgorithm *selected_algo = NULL;
+
+    if (algo != NULL && algo[0] != '\0') {
+        for (i = 0; SUPPORTED_ALGORITHMS[i].name != NULL; i++) {
+            if (strcmp(algo, SUPPORTED_ALGORITHMS[i].name) == 0) {
+                selected_algo = &SUPPORTED_ALGORITHMS[i];
+                break;
+            }
+        }
+    }
 
-    // Generate a (not very) random seed. You should do it better than this...
-    seed[0] = time(NULL);
-    seed[1] = getpid() ^ (seed[0] >> 14 & 0x30000);
+    if (selected_algo == NULL) {
+        selected_algo = &SUPPORTED_ALGORITHMS[DEFAULT_ALGORITHM];
+    }
 
-    // Turn it into printable characters from `seedchars'.
-    for (i = 0; i < 8; i++) {
-        salt[3 + i] = seedchars[(seed[i / 5] >> (i % 5) * 6) & 0x3f];
+    password = try_encrypt_password(words, selected_algo->prefix);
+    if (password != NULL) {
+        return password;
     }
 
-    // DES Encrypt
-    password = crypt(words, salt);
+    for (i = 0; SUPPORTED_ALGORITHMS[i].name != NULL; i++) {
+        if (&SUPPORTED_ALGORITHMS[i] == selected_algo) {
+            continue;
+        }
 
-    return password;
+        password = try_encrypt_password(words, SUPPORTED_ALGORITHMS[i].prefix);
+        if (password != NULL) {
+            return password;
+        }
+    }
+
+    return NULL;
 }
 
 int lock_shadow_file() {

accounts1/users/passwd.go

@@ -32,11 +32,25 @@ var (
 	wLocker sync.Mutex
 )
 
+var PasswdAlgoDefault = "sm3"
+
 func EncodePasswd(words string) string {
+	return CryptUserPassword(words, PasswdAlgoDefault)
+}
+
+func CryptUserPassword(words string, algo string) string {
 	cwords := C.CString(words)
 	defer C.free(unsafe.Pointer(cwords))
 
-	return C.GoString(C.mkpasswd(cwords))
+	calgo := C.CString(algo)
+	defer C.free(unsafe.Pointer(calgo))
+
+	result := C.mkpasswd_with_algo(cwords, calgo)
+	if result == nil {
+		return ""
+	}
+
+	return C.GoString(result)
 }
 
 func ExistPwUid(uid uint32) int {

accounts1/users/passwd.h

@@ -5,7 +5,12 @@
 #ifndef __PASSWORD_H__
 #define __PASSWORD_H__
 
-char *mkpasswd(const char *words);
+#define PASSWD_ALGO_SHA512   "sha512"
+#define PASSWD_ALGO_SHA256   "sha256"
+#define PASSWD_ALGO_YESCRYPT "yescrypt"
+#define PASSWD_ALGO_SM3      "sm3"
+
+char *mkpasswd_with_algo(const char *words, const char *algo);
 
 int lock_shadow_file();
 int unlock_shadow_file();

misc/dsg-configs/org.deepin.dde.daemon.account.json

@@ -21,6 +21,16 @@
       "description": "Whether to allow local unlocking of the terminal",
       "permissions": "readwrite",
       "visibility": "private"
+    },
+    "passwordEncryptionAlgorithm": {
+      "value": "sm3",
+      "serial": 0,
+      "flags": ["global"],
+      "name": "passwordEncryptionAlgorithm",
+      "name[zh_CN]": "密码加密算法",
+      "description": "Password encryption algorithm (sha512, sha256, yescrypt, sm3(default))",
+      "permissions": "readonly",
+      "visibility": "private"
     }
   }
 }