author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-12-11 14:36:49 +0100 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2023-12-11 13:36:49 +0000 |
commit | bf9ebc84c091f9f2d018aac2f9c2c4c4933e319e (patch) | |
tree | 18d1d346b56112db642d946145af43f399e717f3 /modules/pam_unix/support.c | |
parent | d611afcbd52bc13c2455375d5c4fb20839f09f4a (diff) | |
pam_unix: use correct number of rounds
It is possible to have a mismatch between ENCRYPT_METHOD in login.defs
and an argument given specifically to pam_unix.so.
If pam_unix.so receives the argument "yescrypt" but ENCRYPT_METHOD is
set to SHA512, then SHA_CRYPT_MAX_ROUNDS is parsed from login.defs and
used as rounds for yescrypt -- except if rounds are specifically
given as an argument to pam_unix.so as well.
Read the correct rounds from login.defs after all arguments are parsed
and no rounds were specified to figure out which one will eventually be
used.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'modules/pam_unix/support.c')
-rw-r--r-- | modules/pam_unix/support.c | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 287ec5d9..ec9a5725 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -97,22 +97,6 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
 ctrl |= unix_args[j].flag; /* for turning things on */
 }
 free (val);
-
- /* read number of rounds for crypt algo */
- if (rounds) {
- val = NULL;
- if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
- val = pam_modutil_search_key(pamh, LOGIN_DEFS, "SHA_CRYPT_MAX_ROUNDS");
- } else if (on(UNIX_YESCRYPT_PASS, ctrl)) {
- val = pam_modutil_search_key(pamh, LOGIN_DEFS, "YESCRYPT_COST_FACTOR");
- }
-
- if (val) {
- *rounds = strtol(val, NULL, 10);
- set(UNIX_ALGO_ROUNDS, ctrl);
- free (val);
- }
- }
 }
 /* now parse the arguments to this module */
@@ -180,6 +164,21 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
 set(UNIX__NONULL, ctrl);
 }
+ /* Read number of rounds for sha256, sha512 and yescrypt */
+ if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
+ val = NULL;
+ if (on(UNIX_YESCRYPT_PASS, ctrl)) {
+ val = pam_modutil_search_key(pamh, LOGIN_DEFS, "YESCRYPT_COST_FACTOR");
+ } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+ val = pam_modutil_search_key(pamh, LOGIN_DEFS, "SHA_CRYPT_MAX_ROUNDS");
+ }
+ if (val) {
+ *rounds = strtol(val, NULL, 10);
+ set(UNIX_ALGO_ROUNDS, ctrl);
+ free (val);
+ }
+ }
+
 /* Set default rounds for blowfish, gost-yescrypt and yescrypt */
 if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
 if (on(UNIX_BLOWFISH_PASS, ctrl) || |
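Review bot: In the second hunk the login.defs value is converted with `*rounds = strtol(val, NULL, 10);` and `set(UNIX_ALGO_ROUNDS, ctrl);` runs unconditionally, so a malformed or out-of-range YESCRYPT_COST_FACTOR or SHA_CRYPT_MAX_ROUNDS becomes 0 (or a saturated LONG value, truncated if `rounds` is an `int *`) and at the same time suppresses the "Set default rounds" block that immediately follows. login.defs is admin-owned, so this is robustness rather than attack surface, but the effect is a silently weakened hash cost instead of the documented default. I would parse with an end pointer and errno and only honour a fully numeric, non-negative value that fits the target type, leaving UNIX_ALGO_ROUNDS clear otherwise so the default path applies; this needs errno.h and limits.h if support.c does not already include them, and whether later hashing code clamps rounds into a safe range is outside this hunk, so I cannot tell whether that mitigates the case. The same unchecked pattern presumably exists in the module-argument parsing earlier in this function, which begins and ends outside both hunks.
```c
	if (val) {
		char *end = NULL;
		long parsed;

		errno = 0;
		parsed = strtol(val, &end, 10);
		/* Honour only a fully numeric, in-range value; otherwise leave
		 * UNIX_ALGO_ROUNDS clear so the default rounds below apply. */
		if (end != val && *end == '\0' && errno == 0 &&
		    parsed >= 0 && parsed <= INT_MAX) {
			*rounds = (int)parsed;
			set(UNIX_ALGO_ROUNDS, ctrl);
		}
		free (val);
	}
	/* … unchanged: default rounds for blowfish, gost-yescrypt and yescrypt … */
```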