slackware-current/source/a/pam/fedora-patches/pam-1.3.1-unix-yescrypt.patch

480 lines
21 KiB
Diff
Raw Normal View History

Wed Feb 12 05:05:50 UTC 2020 Hey folks! PAM has finally landed in /testing. Some here wanted it to go right into the main tree immediately, and in a more normal development cycle I'd have been inclined to agree (it is -current, after all). But it's probably better for it to appear in /testing first, to make sure we didn't miss any bugs and also to serve as a warning shot that we'll be shaking up the tree pretty good over the next few weeks. I'd like to see this merged into the main tree in a day or two, so any testing is greatly appreciated. Switching to the PAM packages (or reverting from them) is as easy as installing all of them with upgradepkg --install-new, and if reverting then remove the three leftover _pam packages. After reverting, a bit of residue will remain in /etc/pam.d/ and /etc/security/ which can either be manually deleted or simply ignored. While there are many more features available in PAM compared with plain shadow, out of the box about the only noticable change is the use of cracklib and libpwquality to check the quality of a user-supplied password. Hopefully having PAM and krb5 will get us on track to having proper Active Directory integration as well as using code paths that are likely better audited these days. The attack surface *might* be bigger, but it's also a lot better scrutinized. Thanks to Robby Workman and Vincent Batts who did most of the initial heavy lifting on the core PAM packages as a side project for many years. Thanks also to Phantom X whose PAM related SlackBuilds were a valuable reference. And thanks as well to ivandi - I learned a lot from the SlackMATE build scripts and was even occasionally thankful for the amusing ways you would kick my ass on LQ. ;-) You're more than welcome to let us know where we've messed up this time. The binutils and glibc packages in /testing were removed and are off the table for now. I'm not seeing much upside to heading down that rabbit hole at the moment. Next we need to be looking at Xfce 4.14 and Plasma 5.18 LTS and some other things that have been held back since KDE4 couldn't use them. Cheers! :-) a/kernel-generic-5.4.19-x86_64-1.txz: Upgraded. a/kernel-huge-5.4.19-x86_64-1.txz: Upgraded. a/kernel-modules-5.4.19-x86_64-1.txz: Upgraded. a/lvm2-2.03.08-x86_64-1.txz: Upgraded. a/shadow-4.8.1-x86_64-2.txz: Rebuilt. Automatically backup /etc/login.defs and install the new version if incompatible PAM options are detected. d/kernel-headers-5.4.19-x86-1.txz: Upgraded. k/kernel-source-5.4.19-noarch-1.txz: Upgraded. VALIDATE_FS_PARSER y -> n xap/mozilla-thunderbird-68.5.0-x86_64-1.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/68.5.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6793 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6794 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6795 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6797 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6792 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6800 (* Security fix *) isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/PAM/ConsoleKit2-1.2.1-x86_64-1_pam.txz: Added. testing/packages/PAM/at-3.2.1-x86_64-1_pam.txz: Added. testing/packages/PAM/cifs-utils-6.10-x86_64-2_pam.txz: Added. testing/packages/PAM/cracklib-2.9.7-x86_64-1_pam.txz: Added. testing/packages/PAM/cups-2.3.1-x86_64-1_pam.txz: Added. testing/packages/PAM/cyrus-sasl-2.1.27-x86_64-2_pam.txz: Added. testing/packages/PAM/dovecot-2.3.9.2-x86_64-1_pam.txz: Added. testing/packages/PAM/gnome-keyring-3.34.0-x86_64-1_pam.txz: Added. testing/packages/PAM/hplip-3.19.12-x86_64-2_pam.txz: Added. testing/packages/PAM/kde-workspace-4.11.22-x86_64-6_pam.txz: Added. testing/packages/PAM/libcap-2.31-x86_64-1_pam.txz: Added. testing/packages/PAM/libcgroup-0.41-x86_64-5_pam.txz: Added. testing/packages/PAM/libpwquality-1.4.2-x86_64-1_pam.txz: Added. testing/packages/PAM/mariadb-10.4.12-x86_64-1_pam.txz: Added. testing/packages/PAM/netatalk-3.1.12-x86_64-2_pam.txz: Added. testing/packages/PAM/netkit-rsh-0.17-x86_64-2_pam.txz: Added. testing/packages/PAM/openssh-8.1p1-x86_64-1_pam.txz: Added. testing/packages/PAM/openvpn-2.4.8-x86_64-1_pam.txz: Added. testing/packages/PAM/pam-1.3.1-x86_64-1_pam.txz: Added. testing/packages/PAM/polkit-0.116-x86_64-1_pam.txz: Added. testing/packages/PAM/popa3d-1.0.3-x86_64-3_pam.txz: Added. testing/packages/PAM/ppp-2.4.7-x86_64-3_pam.txz: Added. testing/packages/PAM/proftpd-1.3.6b-x86_64-1_pam.txz: Added. testing/packages/PAM/samba-4.11.6-x86_64-1_pam.txz: Added. testing/packages/PAM/screen-4.8.0-x86_64-1_pam.txz: Added. testing/packages/PAM/shadow-4.8.1-x86_64-2_pam.txz: Added. testing/packages/PAM/sudo-1.8.31-x86_64-1_pam.txz: Added. testing/packages/PAM/system-config-printer-1.5.12-x86_64-2_pam.txz: Added. testing/packages/PAM/util-linux-2.35.1-x86_64-1_pam.txz: Added. testing/packages/PAM/vsftpd-3.0.3-x86_64-5_pam.txz: Added. testing/packages/PAM/xdm-1.1.11-x86_64-9_pam.txz: Added. testing/packages/PAM/xlockmore-5.62-x86_64-1_pam.txz: Added. testing/packages/PAM/xscreensaver-5.43-x86_64-1_pam.txz: Added. testing/packages/binutils-2.34-x86_64-1.txz: Removed. testing/packages/glibc-2.31-x86_64-1.txz: Removed. testing/packages/glibc-i18n-2.31-x86_64-1.txz: Removed. testing/packages/glibc-profile-2.31-x86_64-1.txz: Removed. testing/packages/glibc-solibs-2.31-x86_64-1.txz: Removed. usb-and-pxe-installers/usbboot.img: Rebuilt.
2020-02-12 06:05:50 +01:00
From 16bd523f85ede9fa9115f80e826f2d803d7e61d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 15 Nov 2018 16:38:05 +0100
Subject: [PATCH] pam_unix: Add support for (gost-)yescrypt hashing methods.
libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.
* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
---
modules/pam_unix/pam_unix.8.xml | 35 +++++++++-
modules/pam_unix/pam_unix_acct.c | 4 +-
modules/pam_unix/pam_unix_auth.c | 4 +-
modules/pam_unix/pam_unix_passwd.c | 12 ++--
modules/pam_unix/pam_unix_sess.c | 4 +-
modules/pam_unix/passverify.c | 8 ++-
modules/pam_unix/passverify.h | 2 +-
modules/pam_unix/support.c | 33 ++++++----
modules/pam_unix/support.h | 101 +++++++++++++++--------------
9 files changed, 128 insertions(+), 75 deletions(-)
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 1b318f11..cae2aeaa 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -331,14 +331,45 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>gost_yescrypt</option>
+ </term>
+ <listitem>
+ <para>
+ When a user changes their password next,
+ encrypt it with the gost-yescrypt algorithm. If the
+ gost-yescrypt algorithm is not known to the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> function,
+ fall back to MD5.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>yescrypt</option>
+ </term>
+ <listitem>
+ <para>
+ When a user changes their password next,
+ encrypt it with the yescrypt algorithm. If the
+ yescrypt algorithm is not known to the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> function,
+ fall back to MD5.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>rounds=<replaceable>n</replaceable></option>
</term>
<listitem>
<para>
- Set the optional number of rounds of the SHA256, SHA512
- and blowfish password hashing algorithms to
+ Set the optional number of rounds of the SHA256, SHA512,
+ blowfish, gost-yescrypt, and yescrypt password hashing
+ algorithms to
<replaceable>n</replaceable>.
</para>
</listitem>
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index fbc84e2f..d8d084ac 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -62,7 +62,7 @@
#include "support.h"
#include "passverify.h"
-int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
+int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
const char *user, int *daysleft)
{
int retval=0, child, fds[2];
@@ -185,7 +185,7 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- unsigned int ctrl;
+ unsigned long long ctrl;
const void *void_uname;
const char *uname;
int retval, daysleft;
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index 9d9f709d..905fc66c 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -96,7 +96,7 @@ setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- unsigned int ctrl;
+ unsigned long long ctrl;
int retval, *ret_data = NULL;
const char *name;
const char *p;
@@ -194,7 +194,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags,
{
int retval;
const void *pretval = NULL;
- unsigned int ctrl;
+ unsigned long long ctrl;
D(("called."));
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index f2c42513..df4c1233 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -138,7 +138,7 @@ __taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf)
}
#endif
-static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
+static char *getNISserver(pam_handle_t *pamh, unsigned long long ctrl)
{
char *master;
char *domainname;
@@ -233,7 +233,7 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
#ifdef WITH_SELINUX
-static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
+static int _unix_run_update_binary(pam_handle_t *pamh, unsigned long long ctrl, const char *user,
const char *fromwhat, const char *towhat, int remember)
{
int retval, child, fds[2];
@@ -388,7 +388,7 @@ static int check_old_password(const char *forwho, const char *newpass)
static int _do_setpass(pam_handle_t* pamh, const char *forwho,
const char *fromwhat,
- char *towhat, unsigned int ctrl, int remember)
+ char *towhat, unsigned long long ctrl, int remember)
{
struct passwd *pwd = NULL;
int retval = 0;
@@ -512,7 +512,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
return retval;
}
-static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl)
+static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned long long ctrl)
{
struct passwd *pwent = NULL; /* Password and shadow password */
struct spwd *spent = NULL; /* file entries for the user */
@@ -542,7 +542,7 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in
}
static int _pam_unix_approve_pass(pam_handle_t * pamh
- ,unsigned int ctrl
+ ,unsigned long long ctrl
,const char *pass_old
,const char *pass_new,
int pass_min_len)
@@ -600,7 +600,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- unsigned int ctrl, lctrl;
+ unsigned long long ctrl, lctrl;
int retval;
int remember = -1;
int rounds = 0;
diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c
index 03e7dcd9..4b8af530 100644
--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -67,7 +67,7 @@ int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
char *user_name, *service;
- unsigned int ctrl;
+ unsigned long long ctrl;
int retval;
const char *login_name;
@@ -103,7 +103,7 @@ int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
char *user_name, *service;
- unsigned int ctrl;
+ unsigned long long ctrl;
int retval;
D(("called."));
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 95dfe528..39e2bfac 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -387,7 +387,7 @@ crypt_md5_wrapper(const char *pass_new)
}
PAMH_ARG_DECL(char * create_password_hash,
- const char *password, unsigned int ctrl, int rounds)
+ const char *password, unsigned long long ctrl, int rounds)
{
const char *algoid;
#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
@@ -404,6 +404,10 @@ PAMH_ARG_DECL(char * create_password_hash,
if (on(UNIX_MD5_PASS, ctrl)) {
/* algoid = "$1" */
return crypt_md5_wrapper(password);
+ } else if (on(UNIX_YESCRYPT_PASS, ctrl)) {
+ algoid = "$y$";
+ } else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) {
+ algoid = "$gy$";
} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
algoid = "$2b$";
} else if (on(UNIX_SHA256_PASS, ctrl)) {
@@ -466,6 +470,8 @@ PAMH_ARG_DECL(char * create_password_hash,
pam_syslog(pamh, LOG_ERR,
"Algo %s not supported by the crypto backend, "
"falling back to MD5\n",
+ on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" :
+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
index caf7ae8a..086c28ac 100644
--- a/modules/pam_unix/passverify.h
+++ b/modules/pam_unix/passverify.h
@@ -66,7 +66,7 @@ read_passwords(int fd, int npass, char **passwords);
#endif
PAMH_ARG_DECL(char * create_password_hash,
- const char *password, unsigned int ctrl, int rounds);
+ const char *password, unsigned long long ctrl, int rounds);
PAMH_ARG_DECL(int get_account_info,
const char *name, struct passwd **pwd, struct spwd **spwdent);
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 8cbc4217..6894288d 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -107,7 +107,7 @@ search_key (const char *key, const char *filename)
/* this is a front-end for module-application conversations */
-int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
+int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
int type, const char *text)
{
int retval = PAM_SUCCESS;
@@ -122,10 +122,11 @@ int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
* set the control flags for the UNIX module.
*/
-int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
- int *pass_min_len, int argc, const char **argv)
+unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
+ int *rounds, int *pass_min_len, int argc,
+ const char **argv)
{
- unsigned int ctrl;
+ unsigned long long ctrl;
char *val;
int j;
@@ -243,15 +244,23 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
set(UNIX__NONULL, ctrl);
}
- /* Set default rounds for blowfish */
- if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
- *rounds = 5;
- set(UNIX_ALGO_ROUNDS, ctrl);
+ /* Set default rounds for blowfish, gost-yescrypt and yescrypt */
+ if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
+ if (on(UNIX_BLOWFISH_PASS, ctrl) ||
+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
+ on(UNIX_YESCRYPT_PASS, ctrl)) {
+ *rounds = 5;
+ set(UNIX_ALGO_ROUNDS, ctrl);
+ }
}
/* Enforce sane "rounds" values */
if (on(UNIX_ALGO_ROUNDS, ctrl)) {
- if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+ if (on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
+ on(UNIX_YESCRYPT_PASS, ctrl)) {
+ if (*rounds < 3 || *rounds > 11)
+ *rounds = 5;
+ } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
if (*rounds < 4 || *rounds > 31)
*rounds = 5;
} else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
@@ -532,7 +541,7 @@ int _unix_comesfromsource(pam_handle_t *pamh,
#include <sys/wait.h>
static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- unsigned int ctrl, const char *user)
+ unsigned long long ctrl, const char *user)
{
int retval, child, fds[2];
struct sigaction newsa, oldsa;
@@ -658,7 +667,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
*/
int
-_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
+_unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name)
{
struct passwd *pwd = NULL;
char *salt = NULL;
@@ -706,7 +715,7 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
}
int _unix_verify_password(pam_handle_t * pamh, const char *name
- ,const char *p, unsigned int ctrl)
+ ,const char *p, unsigned long long ctrl)
{
struct passwd *pwd = NULL;
char *salt = NULL;
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 543e9b9f..e02c05e0 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -22,8 +22,8 @@
typedef struct {
const char *token;
- unsigned int mask; /* shall assume 32 bits of flags */
- unsigned int flag;
+ unsigned long long mask; /* shall assume 64 bits of flags */
+ unsigned long long flag;
unsigned int is_hash_algo;
} UNIX_Ctrls;
@@ -48,7 +48,7 @@ typedef struct {
/* the generic mask */
-#define _ALL_ON_ (~0U)
+#define _ALL_ON_ (~0ULL)
/* end of macro definitions definitions for the control flags */
@@ -98,47 +98,51 @@ typedef struct {
#define UNIX_QUIET 28 /* Don't print informational messages */
#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
#define UNIX_DES 30 /* DES, default */
+#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
+#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
/* -------------- */
-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 33 /* number of ctrl arguments defined */
-#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
{
-/* symbol token name ctrl mask ctrl *
- * ----------------------- ------------------- --------------------- -------- */
-
-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
-/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
+/* symbol token name ctrl mask ctrl *
+ * --------------------------- -------------------- ------------------------- ---------------- */
+
+/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
+/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
+/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
+/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
+/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
+/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
+/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
+/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
+/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
+/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
@@ -151,20 +155,23 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
_pam_drop(xx); \
}
-extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
- ,int type, const char *text);
-extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds,
- int *pass_min_len, int argc, const char **argv);
+extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
+ int type, const char *text);
+extern unsigned long long _set_ctrl(pam_handle_t * pamh, int flags,
+ int *remember, int *rounds,
+ int *pass_min_len,
+ int argc, const char **argv);
extern int _unix_getpwnam (pam_handle_t *pamh,
const char *name, int files, int nis,
struct passwd **ret);
extern int _unix_comesfromsource (pam_handle_t *pamh,
const char *name, int files, int nis);
-extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl,
+extern int _unix_blankpasswd(pam_handle_t *pamh, unsigned long long ctrl,
const char *name);
-extern int _unix_verify_password(pam_handle_t * pamh, const char *name
- ,const char *p, unsigned int ctrl);
+extern int _unix_verify_password(pam_handle_t * pamh, const char *name,
+ const char *p, unsigned long long ctrl);
extern int _unix_run_verify_binary(pam_handle_t *pamh,
- unsigned int ctrl, const char *user, int *daysleft);
+ unsigned long long ctrl,
+ const char *user, int *daysleft);
#endif /* _PAM_UNIX_SUPPORT_H */