From b3bb13e18a74e9ece825b7de1b81db97ebb107a0 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Thu, 25 Mar 2021 09:43:30 +0100 Subject: pam_timestamp: replace hmac implementation sha1 is no longer recommended as a cryptographic algorithm for authentication. Thus, the idea of this change is to replace the implementation provided by hmacsha1 included in pam_timestamp module by the one in the openssl library. This way, there's no need to maintain the cryptographic algorithm implementation and it can be easily changed with a single configuration change. modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper functions around openssl's hmac implementation. Moreover, manage the key generation and its read and write in a file. Include an option to configure the cryptographic algorithm in login.defs file. modules/pam_timestamp/hmac_openssl_wrapper.h: likewise. modules/pam_timestamp/pam_timestamp.c: replace calls to functions provided by hmacsha1 by functions provided by openssl's wrapper. configure.ac: include openssl dependecy if it is enabled. modules/pam_timestamp/Makefile.am: include new files and openssl library to compilation. ci/install-dependencies.sh: include openssl library to dependencies. NEWS: add new item to next release. Make.xml.rules.in: add stringparam profiling for hmac doc/custom-man.xsl: change import docbook to one with profiling modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to indicate the value in /etc/login.defs that holds the value for the encryption algorithm Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294 --- NEWS | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 2d49ec39..f4d11303 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,10 @@ Linux-PAM NEWS -- history of user-visible changes. +Release next +* pam_timestamp: change hmac algorithm to call openssl instead of the bundled + sha1 implementation if selected. Add option to select the hash + algorithm to use with HMAC. + Release 1.5.1 * pam_unix: fixed CVE-2020-27780 - authentication bypass when a user doesn't exist and root password is blank -- cgit v1.2.3