rpms/pam
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport upstream commit preferring gensalt with autoentropy

Browse Source
This commit is contained in:
Björn Esser 2018-11-23 10:14:03 +01:00
parent 6eff6819b8
commit a0fce7ff9b
No known key found for this signature in database
GPG Key ID: F52E98007594C21D
2 changed files with 99 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
pam-1.3.1-unix-gensalt-autoentropy.patch Normal file
View File

@ -0,0 +1,95 @@
From 05aa693b7db6b818d31e41f0cab1d5fb4f49600e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 15 Nov 2018 15:58:56 +0100
Subject: [PATCH] pam_unix: Prefer a gensalt function, that supports auto
entropy.
* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
---
modules/pam_unix/pam_unix_passwd.c | 2 +-
modules/pam_unix/passverify.c | 13 +++++++++++++
modules/pam_unix/support.c | 7 +++++--
3 files changed, 19 insertions(+), 3 deletions(-)
Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix_passwd.c
+++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
unsigned int ctrl, lctrl;
int retval;
int remember = -1;
- int rounds = -1;
+ int rounds = 0;
int pass_min_len = 0;
/* <DO NOT free() THESE> */
Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c
+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c
@@ -375,7 +375,12 @@ PAMH_ARG_DECL(char * create_password_has
const char *password, unsigned int ctrl, int rounds)
{
const char *algoid;
+#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
+ /* Strings returned by crypt_gensalt_rn will be no longer than this. */
+ char salt[CRYPT_GENSALT_OUTPUT_SIZE];
+#else
char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */
+#endif
char *sp;
#ifdef HAVE_CRYPT_R
struct crypt_data *cdata = NULL;
@@ -406,6 +411,13 @@ PAMH_ARG_DECL(char * create_password_has
return crypted;
}
+#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
+ /*
+ * Any version of libcrypt supporting auto entropy is
+ * guaranteed to have crypt_gensalt_rn().
+ */
+ sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
+#else
#ifdef HAVE_CRYPT_GENSALT_R
if (on(UNIX_BLOWFISH_PASS, ctrl)) {
char entropy[17];
@@ -423,6 +435,7 @@ PAMH_ARG_DECL(char * create_password_has
#ifdef HAVE_CRYPT_GENSALT_R
}
#endif
+#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
#ifdef HAVE_CRYPT_R
sp = NULL;
cdata = malloc(sizeof(*cdata));
Index: Linux-PAM-1.3.1/modules/pam_unix/support.c
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_unix/support.c
+++ Linux-PAM-1.3.1/modules/pam_unix/support.c
@@ -175,6 +175,7 @@ int _set_ctrl(pam_handle_t *pamh, int fl
if (val) {
*rounds = strtol(val, NULL, 10);
+ set(UNIX_ALGO_ROUNDS, ctrl);
free (val);
}
}
@@ -254,11 +255,13 @@ int _set_ctrl(pam_handle_t *pamh, int fl
if (*rounds < 4 || *rounds > 31)
*rounds = 5;
} else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
- if ((*rounds < 1000) || (*rounds == INT_MAX))
+ if ((*rounds < 1000) || (*rounds == INT_MAX)) {
/* don't care about bogus values */
+ *rounds = 0;
unset(UNIX_ALGO_ROUNDS, ctrl);
- if (*rounds >= 10000000)
+ } else if (*rounds >= 10000000) {
*rounds = 9999999;
+ }
}
}

4
pam.spec
View File

@ -48,6 +48,8 @@ Patch35: pam-1.3.1-console-build.patch
Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
# https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016.patch # https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016.patch
Patch37: pam-1.3.1-unix-bcrypt_b.patch Patch37: pam-1.3.1-unix-bcrypt_b.patch
# https://github.com/linux-pam/linux-pam/commit/dce80b3f11b3c3aa137d18f22699809094dd64b6
Patch38: pam-1.3.1-unix-gensalt-autoentropy.patch
%global _pamlibdir %{_libdir} %global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security %global _moduledir %{_libdir}/security
@ -133,6 +135,7 @@ cp %{SOURCE18} .
%patch35 -p1 -b .console-build %patch35 -p1 -b .console-build
%patch36 -p1 -b .remove-prototype %patch36 -p1 -b .remove-prototype
%patch37 -p1 -b .bcrypt_b %patch37 -p1 -b .bcrypt_b
%patch38 -p1 -b .gensalt-autoentropy
autoreconf -i autoreconf -i
@ -378,6 +381,7 @@ done
* Fri Nov 23 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-9 * Fri Nov 23 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-9
- Backport upstream commit removing an obsolete prototype - Backport upstream commit removing an obsolete prototype
- Backport upstream commit preferring bcrypt_b ($2b$) for blowfish - Backport upstream commit preferring bcrypt_b ($2b$) for blowfish
- Backport upstream commit preferring gensalt with autoentropy
* Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8 * Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8
- Use %%ldconfig_scriptlets - Use %%ldconfig_scriptlets