summaryrefslogtreecommitdiff
path: root/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
blob: 8ae4abfd85cc549a3acd0902f955c0f732149cb8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
From 05aa693b7db6b818d31e41f0cab1d5fb4f49600e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 15 Nov 2018 15:58:56 +0100
Subject: [PATCH] pam_unix: Prefer a gensalt function, that supports auto
 entropy.

* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
---
 modules/pam_unix/pam_unix_passwd.c |  2 +-
 modules/pam_unix/passverify.c      | 13 +++++++++++++
 modules/pam_unix/support.c         |  7 +++++--
 3 files changed, 19 insertions(+), 3 deletions(-)

Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix_passwd.c
+++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
 	unsigned int ctrl, lctrl;
 	int retval;
 	int remember = -1;
-	int rounds = -1;
+	int rounds = 0;
 	int pass_min_len = 0;
 
 	/* <DO NOT free() THESE> */
Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c
+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c
@@ -375,7 +375,12 @@ PAMH_ARG_DECL(char * create_password_has
 	const char *password, unsigned int ctrl, int rounds)
 {
 	const char *algoid;
+#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
+	/* Strings returned by crypt_gensalt_rn will be no longer than this. */
+	char salt[CRYPT_GENSALT_OUTPUT_SIZE];
+#else
 	char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */
+#endif
 	char *sp;
 #ifdef HAVE_CRYPT_R
 	struct crypt_data *cdata = NULL;
@@ -406,6 +411,13 @@ PAMH_ARG_DECL(char * create_password_has
 		return crypted;
 	}
 
+#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
+	/*
+	 * Any version of libcrypt supporting auto entropy is
+	 * guaranteed to have crypt_gensalt_rn().
+	 */
+	sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
+#else
 #ifdef HAVE_CRYPT_GENSALT_R
 	if (on(UNIX_BLOWFISH_PASS, ctrl)) {
 		char entropy[17];
@@ -423,6 +435,7 @@ PAMH_ARG_DECL(char * create_password_has
 #ifdef HAVE_CRYPT_GENSALT_R
 	}
 #endif
+#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
 #ifdef HAVE_CRYPT_R
 	sp = NULL;
 	cdata = malloc(sizeof(*cdata));
Index: Linux-PAM-1.3.1/modules/pam_unix/support.c
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_unix/support.c
+++ Linux-PAM-1.3.1/modules/pam_unix/support.c
@@ -175,6 +175,7 @@ int _set_ctrl(pam_handle_t *pamh, int fl
 
 	    if (val) {
 	      *rounds = strtol(val, NULL, 10);
+	      set(UNIX_ALGO_ROUNDS, ctrl);
 	      free (val);
 	    }
 	  }
@@ -254,11 +255,13 @@ int _set_ctrl(pam_handle_t *pamh, int fl
 			if (*rounds < 4 || *rounds > 31)
 				*rounds = 5;
 		} else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
-			if ((*rounds < 1000) || (*rounds == INT_MAX))
+			if ((*rounds < 1000) || (*rounds == INT_MAX)) {
 				/* don't care about bogus values */
+				*rounds = 0;
 				unset(UNIX_ALGO_ROUNDS, ctrl);
-			if (*rounds >= 10000000)
+			} else if (*rounds >= 10000000) {
 				*rounds = 9999999;
+			}
 		}
 	}