From 16bd523f85ede9fa9115f80e826f2d803d7e61d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 15 Nov 2018 16:38:05 +0100
Subject: [PATCH] pam_unix: Add support for (gost-)yescrypt hashing methods.
libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.
* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
---
modules/pam_unix/pam_unix.8.xml | 35 +++++++++-
modules/pam_unix/pam_unix_acct.c | 4 +-
modules/pam_unix/pam_unix_auth.c | 4 +-
modules/pam_unix/pam_unix_passwd.c | 12 ++--
modules/pam_unix/pam_unix_sess.c | 4 +-
modules/pam_unix/passverify.c | 8 ++-
modules/pam_unix/passverify.h | 2 +-
modules/pam_unix/support.c | 33 ++++++----
modules/pam_unix/support.h | 101 +++++++++++++++--------------
9 files changed, 128 insertions(+), 75 deletions(-)
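--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -331,14 +331,45 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>
+ <option>gost_yescrypt</option>
+ </term>
+ <listitem>
+ <para>
+ When a user changes their password next,
+ encrypt it with the gost-yescrypt algorithm. If the
+ gost-yescrypt algorithm is not known to the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> function,
+ fall back to MD5.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>yescrypt</option>
+ </term>
+ <listitem>
+ <para>
+ When a user changes their password next,
+ encrypt it with the yescrypt algorithm. If the
+ yescrypt algorithm is not known to the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> function,
+ fall back to MD5.
+ </para>
+ </listitem>
+ </varlistentry>
 <varlistentry>
 <term>
 <option>rounds=<replaceable>n</replaceable></option>
 </term>
 <listitem>
 <para>
- Set the optional number of rounds of the SHA256, SHA512
- and blowfish password hashing algorithms to
+ Set the optional number of rounds of the SHA256, SHA512,
+ blowfish, gost-yescrypt, and yescrypt password hashing
+ algorithms to
 <replaceable>n</replaceable>.
 </para>
 </listitem>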
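--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -62,7 +62,7 @@
 #include "support.h"
 #include "passverify.h"
 
-int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
+int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
 const char *user, int *daysleft)
 {
 int retval=0, child, fds[2];
@@ -185,7 +185,7 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
 int
 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
- unsigned int ctrl;
+ unsigned long long ctrl;
 const void *void_uname;
 const char *uname;
 int retval, daysleft;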
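--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -96,7 +96,7 @@ setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
 int
 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
- unsigned int ctrl;
+ unsigned long long ctrl;
 int retval, *ret_data = NULL;
 const char *name;
 const char *p;
@@ -194,7 +194,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags,
 {
 int retval;
 const void *pretval = NULL;
- unsigned int ctrl;
+ unsigned long long ctrl;
 
 D(("called."));
 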
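--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -138,7 +138,7 @@ __taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf)
 }
 #endif
 
-static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
+static char *getNISserver(pam_handle_t *pamh, unsigned long long ctrl)
 {
 char *master;
 char *domainname;
@@ -233,7 +233,7 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
 
 #ifdef WITH_SELINUX
 
-static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
+static int _unix_run_update_binary(pam_handle_t *pamh, unsigned long long ctrl, const char *user,
 const char *fromwhat, const char *towhat, int remember)
 {
 int retval, child, fds[2];
@@ -388,7 +388,7 @@ static int check_old_password(const char *forwho, const char *newpass)
 
 static int _do_setpass(pam_handle_t* pamh, const char *forwho,
 const char *fromwhat,
- char *towhat, unsigned int ctrl, int remember)
+ char *towhat, unsigned long long ctrl, int remember)
 {
 struct passwd *pwd = NULL;
 int retval = 0;
@@ -512,7 +512,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
 return retval;
 }
 
-static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl)
+static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned long long ctrl)
 {
 struct passwd *pwent = NULL; /* Password and shadow password */
 struct spwd *spent = NULL; /* file entries for the user */
@@ -542,7 +542,7 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in
 }
 
 static int _pam_unix_approve_pass(pam_handle_t * pamh
- ,unsigned int ctrl
+ ,unsigned long long ctrl
 ,const char *pass_old
 ,const char *pass_new,
 int pass_min_len)
@@ -600,7 +600,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
 int
 pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
- unsigned int ctrl, lctrl;
+ unsigned long long ctrl, lctrl;
 int retval;
 int remember = -1;
 int rounds = 0;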
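--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -67,7 +67,7 @@ int
 pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
 char *user_name, *service;
- unsigned int ctrl;
+ unsigned long long ctrl;
 int retval;
 const char *login_name;
 
@@ -103,7 +103,7 @@ int
 pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
 char *user_name, *service;
- unsigned int ctrl;
+ unsigned long long ctrl;
 int retval;
 
 D(("called."));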
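--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -387,7 +387,7 @@ crypt_md5_wrapper(const char *pass_new)
 }
 
 PAMH_ARG_DECL(char * create_password_hash,
- const char *password, unsigned int ctrl, int rounds)
+ const char *password, unsigned long long ctrl, int rounds)
 {
 const char *algoid;
 #if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
@@ -404,6 +404,10 @@ PAMH_ARG_DECL(char * create_password_hash,
 if (on(UNIX_MD5_PASS, ctrl)) {
 /* algoid = "$1" */
 return crypt_md5_wrapper(password);
+ } else if (on(UNIX_YESCRYPT_PASS, ctrl)) {
+ algoid = "$y$";
+ } else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) {
+ algoid = "$gy$";
 } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
 algoid = "$2b$";
 } else if (on(UNIX_SHA256_PASS, ctrl)) {
@@ -466,6 +470,8 @@ PAMH_ARG_DECL(char * create_password_hash,
 pam_syslog(pamh, LOG_ERR,
 "Algo %s not supported by the crypto backend, "
 "falling back to MD5\n",
+ on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" :
+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
 on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
 on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
 on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);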
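--- a/modules/pam_unix/passverify.h
+++ b/modules/pam_unix/passverify.h
@@ -66,7 +66,7 @@ read_passwords(int fd, int npass, char **passwords);
 #endif
 
 PAMH_ARG_DECL(char * create_password_hash,
- const char *password, unsigned int ctrl, int rounds);
+ const char *password, unsigned long long ctrl, int rounds);
 
 PAMH_ARG_DECL(int get_account_info,
 const char *name, struct passwd **pwd, struct spwd **spwdent);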
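--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -107,7 +107,7 @@ search_key (const char *key, const char *filename)
 
 /* this is a front-end for module-application conversations */
 
-int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
+int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
 int type, const char *text)
 {
 int retval = PAM_SUCCESS;
@@ -122,10 +122,11 @@ int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
 * set the control flags for the UNIX module.
 */
 
-int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
- int *pass_min_len, int argc, const char **argv)
+unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
+ int *rounds, int *pass_min_len, int argc,
+ const char **argv)
 {
- unsigned int ctrl;
+ unsigned long long ctrl;
 char *val;
 int j;
 
@@ -243,15 +244,23 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 set(UNIX__NONULL, ctrl);
 }
 
- /* Set default rounds for blowfish */
- if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
- *rounds = 5;
- set(UNIX_ALGO_ROUNDS, ctrl);
+ /* Set default rounds for blowfish, gost-yescrypt and yescrypt */
+ if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
+ if (on(UNIX_BLOWFISH_PASS, ctrl) ||
+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
+ on(UNIX_YESCRYPT_PASS, ctrl)) {
+ *rounds = 5;
+ set(UNIX_ALGO_ROUNDS, ctrl);
+ }
 }
 
 /* Enforce sane "rounds" values */
 if (on(UNIX_ALGO_ROUNDS, ctrl)) {
- if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+ if (on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
+ on(UNIX_YESCRYPT_PASS, ctrl)) {
+ if (*rounds < 3 || *rounds > 11)
+ *rounds = 5;
+ } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
 if (*rounds < 4 || *rounds > 31)
 *rounds = 5;
 } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
@@ -532,7 +541,7 @@ int _unix_comesfromsource(pam_handle_t *pamh,
 #include <sys/wait.h>
 
 static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- unsigned int ctrl, const char *user)
+ unsigned long long ctrl, const char *user)
 {
 int retval, child, fds[2];
 struct sigaction newsa, oldsa;
@@ -658,7 +667,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
 */
 
 int
-_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
+_unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name)
 {
 struct passwd *pwd = NULL;
 char *salt = NULL;
@@ -706,7 +715,7 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
 }
 
 int _unix_verify_password(pam_handle_t * pamh, const char *name
- ,const char *p, unsigned int ctrl)
+ ,const char *p, unsigned long long ctrl)
 {
 struct passwd *pwd = NULL;
 char *salt = NULL;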
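--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -22,8 +22,8 @@
 
 typedef struct {
 const char *token;
- unsigned int mask; /* shall assume 32 bits of flags */
- unsigned int flag;
+ unsigned long long mask; /* shall assume 64 bits of flags */
+ unsigned long long flag;
 unsigned int is_hash_algo;
 } UNIX_Ctrls;
 
@@ -48,7 +48,7 @@ typedef struct {
 
 /* the generic mask */
 
-#define _ALL_ON_ (~0U)
+#define _ALL_ON_ (~0ULL)
 
 /* end of macro definitions definitions for the control flags */
 
@@ -98,47 +98,51 @@ typedef struct {
 #define UNIX_QUIET 28 /* Don't print informational messages */
 #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
 #define UNIX_DES 30 /* DES, default */
+#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
+#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
 /* -------------- */
-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 33 /* number of ctrl arguments defined */
 
-#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
 
 static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
 {
-/* symbol token name ctrl mask ctrl *
- * ----------------------- ------------------- --------------------- -------- */
-
-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
-/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
+/* symbol token name ctrl mask ctrl *
+ * --------------------------- -------------------- ------------------------- ---------------- */
+
+/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
+/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
+/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
+/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
+/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
+/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
+/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
+/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
+/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
+/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
 };
 
 #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
@@ -151,20 +155,23 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
 _pam_drop(xx); \
 }
 
-extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
- ,int type, const char *text);
-extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds,
- int *pass_min_len, int argc, const char **argv);
+extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
+ int type, const char *text);
+extern unsigned long long _set_ctrl(pam_handle_t * pamh, int flags,
+ int *remember, int *rounds,
+ int *pass_min_len,
+ int argc, const char **argv);
 extern int _unix_getpwnam (pam_handle_t *pamh,
 const char *name, int files, int nis,
 struct passwd **ret);
 extern int _unix_comesfromsource (pam_handle_t *pamh,
 const char *name, int files, int nis);
-extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl,
+extern int _unix_blankpasswd(pam_handle_t *pamh, unsigned long long ctrl,
 const char *name);
-extern int _unix_verify_password(pam_handle_t * pamh, const char *name
- ,const char *p, unsigned int ctrl);
+extern int _unix_verify_password(pam_handle_t * pamh, const char *name,
+ const char *p, unsigned long long ctrl);
 
 extern int _unix_run_verify_binary(pam_handle_t *pamh,
- unsigned int ctrl, const char *user, int *daysleft);
+ unsigned long long ctrl,
+ const char *user, int *daysleft);
 #endif /* _PAM_UNIX_SUPPORT_H */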
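Review bot: The new hash-algorithm mask `_ALL_ON_^(015660420000ULL)` in the unix_args table clears two bits that are not algorithm flags: the seven `is_hash_algo` rows carry 020000, 0400000, 020000000, 040000000, 0200000000, 04000000000 and 010000000000, which sum to 014260420000, and the extra bits in the literal are 0400000000 (`minlen=`) and 01000000000 (`quiet`). If the option parser applies a row's mask with `ctrl &= mask` as the `ctrl mask` column heading suggests (the parser lives in support.c, outside this hunk), a `minlen=` or `quiet` argument placed before `sha512`, `yescrypt` or any other algorithm token on the module line is silently discarded, and for `minlen=` that weakens the configured password policy without any diagnostic. The previous 32-bit value 0260420000 covered exactly the five earlier algorithm flags, so this is introduced here; the eight rows should read `_ALL_ON_^(014260420000ULL)`. The value is better expressed once from the flag literals, e.g. `#define UNIX_HASH_ALGO_MASK (020000ULL|0400000ULL|020000000ULL|040000000ULL|0200000000ULL|04000000000ULL|010000000000ULL)`, so that the next algorithm added cannot get the octal arithmetic wrong.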