From bf9ebc84c091f9f2d018aac2f9c2c4c4933e319e Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Mon, 11 Dec 2023 14:36:49 +0100 Subject: pam_unix: use correct number of rounds It is possible to have a mismatch between ENCRYPT_METHOD in login.defs and an argument given specifically to pam_unix.so. If pam_unix.so receives the argument "yescrypt" but ENCRYPT_METHOD is set to SHA512, then SHA_CRYPT_MAX_ROUNDS is parsed from login.defs and used as rounds for yescrypt -- except if rounds are specificially given as an argument to pam_unix.so as well. Read the correct rounds from login.defs after all arguments are parsed and no rounds were specified to figure out which one will eventually be used. Signed-off-by: Tobias Stoeckmann --- modules/pam_unix/support.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) (limited to 'modules/pam_unix/support.c') diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 287ec5d9..ec9a5725 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -97,22 +97,6 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember, ctrl |= unix_args[j].flag; /* for turning things on */ } free (val); - - /* read number of rounds for crypt algo */ - if (rounds) { - val = NULL; - if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) { - val = pam_modutil_search_key(pamh, LOGIN_DEFS, "SHA_CRYPT_MAX_ROUNDS"); - } else if (on(UNIX_YESCRYPT_PASS, ctrl)) { - val = pam_modutil_search_key(pamh, LOGIN_DEFS, "YESCRYPT_COST_FACTOR"); - } - - if (val) { - *rounds = strtol(val, NULL, 10); - set(UNIX_ALGO_ROUNDS, ctrl); - free (val); - } - } } /* now parse the arguments to this module */ @@ -180,6 +164,21 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember, set(UNIX__NONULL, ctrl); } + /* Read number of rounds for sha256, sha512 and yescrypt */ + if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { + val = NULL; + if (on(UNIX_YESCRYPT_PASS, ctrl)) { + val = pam_modutil_search_key(pamh, LOGIN_DEFS, "YESCRYPT_COST_FACTOR"); + } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) { + val = pam_modutil_search_key(pamh, LOGIN_DEFS, "SHA_CRYPT_MAX_ROUNDS"); + } + if (val) { + *rounds = strtol(val, NULL, 10); + set(UNIX_ALGO_ROUNDS, ctrl); + free (val); + } + } + /* Set default rounds for blowfish, gost-yescrypt and yescrypt */ if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { if (on(UNIX_BLOWFISH_PASS, ctrl) || -- cgit v1.2.3