diff options
| author | Iker Pedrosa <ipedrosa@redhat.com> | 2021-03-25 09:43:30 +0100 |
|---|---|---|
| committer | Tomáš Mráz <tm@t8m.info> | 2021-06-14 09:02:16 +0200 |
| commit | b3bb13e18a74e9ece825b7de1b81db97ebb107a0 (patch) | |
| tree | b7f5f2da9310169c210ab204ff2c72d815d6fe6f /modules/pam_timestamp/pam_timestamp.c | |
| parent | f668b437910af0e1472e9bbfa78897df52f57a78 (diff) | |
| download | pam-b3bb13e18a74e9ece825b7de1b81db97ebb107a0.tar.gz pam-b3bb13e18a74e9ece825b7de1b81db97ebb107a0.tar.bz2 pam-b3bb13e18a74e9ece825b7de1b81db97ebb107a0.zip | |
pam_timestamp: replace hmac implementation
sha1 is no longer recommended as a cryptographic algorithm for
authentication. Thus, the idea of this change is to replace the
implementation provided by hmacsha1 included in pam_timestamp module by
the one in the openssl library. This way, there's no need to maintain
the cryptographic algorithm implementation and it can be easily changed
with a single configuration change.
modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
functions around openssl's hmac implementation. Moreover, manage the key
generation and its read and write in a file. Include an option to
configure the cryptographic algorithm in login.defs file.
modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
modules/pam_timestamp/pam_timestamp.c: replace calls to functions
provided by hmacsha1 by functions provided by openssl's wrapper.
configure.ac: include openssl dependecy if it is enabled.
modules/pam_timestamp/Makefile.am: include new files and openssl library
to compilation.
ci/install-dependencies.sh: include openssl library to dependencies.
NEWS: add new item to next release.
Make.xml.rules.in: add stringparam profiling for hmac
doc/custom-man.xsl: change import docbook to one with profiling
modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
indicate the value in /etc/login.defs that holds the value for the
encryption algorithm
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
Diffstat (limited to 'modules/pam_timestamp/pam_timestamp.c')
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp.c | 53 |
1 files changed, 45 insertions, 8 deletions
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index 30be883c..01dd1385 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -56,7 +56,11 @@ #include <utmp.h> #include <syslog.h> #include <paths.h> +#ifdef WITH_OPENSSL +#include "hmac_openssl_wrapper.h" +#else #include "hmacsha1.h" +#endif /* WITH_OPENSSL */ #include <security/pam_modules.h> #include <security/_pam_macros.h> @@ -79,6 +83,9 @@ #define BUFLEN PATH_MAX #endif +#define ROOT_USER 0 +#define ROOT_GROUP 0 + /* Return PAM_SUCCESS if the given directory looks "safe". */ static int check_dir_perms(pam_handle_t *pamh, const char *tdir) @@ -449,6 +456,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_AUTH_ERR; } +#ifdef WITH_OPENSSL + if (hmac_size(pamh, debug, &maclen)) { + return PAM_AUTH_ERR; + } +#else + maclen = hmac_sha1_size(); +#endif /* WITH_OPENSSL */ /* Check that the file is the expected size. */ if (st.st_size == 0) { /* Invalid, but may have been created by sudo. */ @@ -456,7 +470,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_AUTH_ERR; } if (st.st_size != - (off_t)(strlen(path) + 1 + sizeof(then) + hmac_sha1_size())) { + (off_t)(strlen(path) + 1 + sizeof(then) + maclen)) { pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' " "appears to be corrupted", path); close(fd); @@ -487,8 +501,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) message_end = message + strlen(path) + 1 + sizeof(then); /* Regenerate the MAC. */ - hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, 0, 0, - message, message_end - message); +#ifdef WITH_OPENSSL + if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, message, message_end - message)) { + close(fd); + free(message); + return PAM_AUTH_ERR; + } +#else + hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, message, message_end - message); +#endif /* WITH_OPENSSL */ if ((mac == NULL) || (memcmp(path, message, strlen(path)) != 0) || (memcmp(mac, message_end, maclen) != 0)) { @@ -605,8 +628,16 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char * } } +#ifdef WITH_OPENSSL + if (hmac_size(pamh, debug, &maclen)) { + return PAM_SESSION_ERR; + } +#else + maclen = hmac_sha1_size(); +#endif /* WITH_OPENSSL */ + /* Generate the message. */ - text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size()); + text = malloc(strlen(path) + 1 + sizeof(now) + maclen); if (text == NULL) { pam_syslog(pamh, LOG_CRIT, "unable to allocate memory: %m"); return PAM_SESSION_ERR; @@ -621,15 +652,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char * p += sizeof(now); /* Generate the MAC and append it to the plaintext. */ - hmac_sha1_generate_file(pamh, &mac, &maclen, - TIMESTAMPKEY, - 0, 0, - text, p - text); +#ifdef WITH_OPENSSL + if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, text, p - text)) { + free(text); + return PAM_SESSION_ERR; + } +#else + hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, text, p - text); if (mac == NULL) { pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m"); free(text); return PAM_SESSION_ERR; } +#endif /* WITH_OPENSSL */ memmove(p, mac, maclen); p += maclen; free(mac); |