slackware-current/source/a/pam/fedora-patches/pam-1.3.1-unix-yescrypt.patch
Patrick J Volkerding ffef56590d Mon May 18 19:17:21 UTC 2020
Greetings! After three months in /testing, the PAM merge into the main tree
is now complete. When updating, be sure to install the new pam, cracklib, and
libpwquality packages or you may find yourself locked out of your machine.
Otherwise, these changes should be completely transparent and you shouldn't
notice any obvious operational differences. Be careful if you make any changes
in /etc/pam.d/ - leaving an extra console logged in while testing PAM config
changes is a recommended standard procedure. Thanks again to Robby Workman,
Vincent Batts, Phantom X, and ivandi for help implementing this. It's not
done yet and there will be more fine-tuning of the config files, but now we
can move on to build some other updates. Enjoy!
a/cracklib-2.9.7-x86_64-1.txz:  Added.
a/kernel-firmware-20200517_f8d32e4-noarch-1.txz:  Upgraded.
a/libcgroup-0.41-x86_64-7.txz:  Rebuilt.
  Rebuilt to add PAM support.
a/libpwquality-1.4.2-x86_64-1.txz:  Added.
a/lilo-24.2-x86_64-9.txz:  Rebuilt.
  Enable the "compact" option by default.
  liloconfig: correctly set the root partition.
a/pam-1.3.1-x86_64-1.txz:  Added.
a/shadow-4.8.1-x86_64-7.txz:  Rebuilt.
  Rebuilt to add PAM support.
a/utempter-1.2.0-x86_64-1.txz:  Upgraded.
a/util-linux-2.35.1-x86_64-6.txz:  Rebuilt.
  Rebuilt to add PAM support.
a/xfsprogs-5.6.0-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
ap/at-3.2.1-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
ap/cups-2.3.3-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
ap/hplip-3.20.5-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
ap/mariadb-10.4.13-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
ap/screen-4.8.0-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
ap/soma-3.3.0-noarch-1.txz:  Upgraded.
  Thanks to David Woodfall.
ap/sqlite-3.31.1-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
ap/sudo-1.9.0-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
ap/vim-8.2.0788-x86_64-1.txz:  Upgraded.
d/bison-3.6.2-x86_64-1.txz:  Upgraded.
d/meson-0.54.2-x86_64-1.txz:  Upgraded.
d/python-setuptools-46.4.0-x86_64-1.txz:  Upgraded.
d/vala-0.48.6-x86_64-1.txz:  Upgraded.
kde/calligra-2.9.11-x86_64-36.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
kde/kde-workspace-4.11.22-x86_64-7.txz:  Rebuilt.
  Rebuilt to add PAM support.
l/ConsoleKit2-1.2.1-x86_64-4.txz:  Rebuilt.
  Rebuilt to add PAM support.
l/boost-1.73.0-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/gnome-keyring-3.36.0-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
l/harfbuzz-2.6.6-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/icu4c-67.1-x86_64-1.txz:  Upgraded.
  Shared library .so-version bump.
l/imagemagick-7.0.10_13-x86_64-1.txz:  Upgraded.
l/libcap-2.34-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
l/libical-3.0.8-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/libuv-1.38.0-x86_64-1.txz:  Upgraded.
l/libvisio-0.1.7-x86_64-3.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/polkit-0.116-x86_64-3.txz:  Rebuilt.
  Rebuilt to add PAM support.
l/qt-4.8.7-x86_64-16.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/qt5-5.13.2-x86_64-4.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/qt5-webkit-5.212.0_alpha4-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/raptor2-2.0.15-x86_64-9.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
l/system-config-printer-1.5.12-x86_64-4.txz:  Rebuilt.
  Rebuilt to add PAM support.
l/vte-0.60.2-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
n/cifs-utils-6.10-x86_64-4.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/cyrus-sasl-2.1.27-x86_64-4.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/dovecot-2.3.10.1-x86_64-1.txz:  Upgraded.
  Rebuilt to add PAM support.
  Compiled against icu4c-67.1.
  This update fixes several denial-of-service vulnerabilities.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967
  (* Security fix *)
n/mutt-1.14.1-x86_64-1.txz:  Upgraded.
n/netatalk-3.1.12-x86_64-3.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/netkit-rsh-0.17-x86_64-3.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/nss-pam-ldapd-0.9.11-x86_64-1.txz:  Added.
n/openssh-8.2p1-x86_64-3.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/openvpn-2.4.9-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/pam-krb5-4.9-x86_64-1.txz:  Added.
n/php-7.4.6-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
n/popa3d-1.0.3-x86_64-4.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/postfix-3.5.2-x86_64-1.txz:  Upgraded.
  Compiled against icu4c-67.1.
n/ppp-2.4.8-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/proftpd-1.3.6c-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
n/samba-4.12.2-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
  Recompiled against icu4c-67.1.
n/tin-2.4.4-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
n/vsftpd-3.0.3-x86_64-6.txz:  Rebuilt.
  Rebuilt to add PAM support.
t/texlive-2019.190626-x86_64-4.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
x/vulkan-sdk-1.2.135.0-x86_64-1.txz:  Upgraded.
x/xdm-1.1.11-x86_64-10.txz:  Rebuilt.
  Rebuilt to add PAM support.
x/xisxwayland-1-x86_64-1.txz:  Added.
xap/sane-1.0.30-x86_64-1.txz:  Upgraded.
  This update fixes several security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864
  (* Security fix *)
xap/vim-gvim-8.2.0788-x86_64-1.txz:  Upgraded.
xap/xlockmore-5.63-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
xap/xscreensaver-5.44-x86_64-2.txz:  Rebuilt.
  Rebuilt to add PAM support.
extra/brltty/brltty-6.1-x86_64-2.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
extra/pure-alsa-system/qt5-5.13.2-x86_64-4_alsa.txz:  Rebuilt.
  Recompiled against icu4c-67.1.
isolinux/initrd.img:  Rebuilt.
  Added PAM libraries, security modules, and config files.
usb-and-pxe-installers/usbboot.img:  Rebuilt.
  Added PAM libraries, security modules, and config files.
2020-05-18 23:25:14 +02:00

479 lines
21 KiB
Diff

From 16bd523f85ede9fa9115f80e826f2d803d7e61d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 15 Nov 2018 16:38:05 +0100
Subject: [PATCH] pam_unix: Add support for (gost-)yescrypt hashing methods.
libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.
* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
---
modules/pam_unix/pam_unix.8.xml | 35 +++++++++-
modules/pam_unix/pam_unix_acct.c | 4 +-
modules/pam_unix/pam_unix_auth.c | 4 +-
modules/pam_unix/pam_unix_passwd.c | 12 ++--
modules/pam_unix/pam_unix_sess.c | 4 +-
modules/pam_unix/passverify.c | 8 ++-
modules/pam_unix/passverify.h | 2 +-
modules/pam_unix/support.c | 33 ++++++----
modules/pam_unix/support.h | 101 +++++++++++++++--------------
9 files changed, 128 insertions(+), 75 deletions(-)
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 1b318f11..cae2aeaa 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -331,14 +331,45 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>gost_yescrypt</option>
+ </term>
+ <listitem>
+ <para>
+ When a user changes their password next,
+ encrypt it with the gost-yescrypt algorithm. If the
+ gost-yescrypt algorithm is not known to the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> function,
+ fall back to MD5.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>yescrypt</option>
+ </term>
+ <listitem>
+ <para>
+ When a user changes their password next,
+ encrypt it with the yescrypt algorithm. If the
+ yescrypt algorithm is not known to the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> function,
+ fall back to MD5.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>rounds=<replaceable>n</replaceable></option>
</term>
<listitem>
<para>
- Set the optional number of rounds of the SHA256, SHA512
- and blowfish password hashing algorithms to
+ Set the optional number of rounds of the SHA256, SHA512,
+ blowfish, gost-yescrypt, and yescrypt password hashing
+ algorithms to
<replaceable>n</replaceable>.
</para>
</listitem>
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index fbc84e2f..d8d084ac 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -62,7 +62,7 @@
#include "support.h"
#include "passverify.h"
-int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
+int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
const char *user, int *daysleft)
{
int retval=0, child, fds[2];
@@ -185,7 +185,7 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- unsigned int ctrl;
+ unsigned long long ctrl;
const void *void_uname;
const char *uname;
int retval, daysleft;
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index 9d9f709d..905fc66c 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -96,7 +96,7 @@ setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- unsigned int ctrl;
+ unsigned long long ctrl;
int retval, *ret_data = NULL;
const char *name;
const char *p;
@@ -194,7 +194,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags,
{
int retval;
const void *pretval = NULL;
- unsigned int ctrl;
+ unsigned long long ctrl;
D(("called."));
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index f2c42513..df4c1233 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -138,7 +138,7 @@ __taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf)
}
#endif
-static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
+static char *getNISserver(pam_handle_t *pamh, unsigned long long ctrl)
{
char *master;
char *domainname;
@@ -233,7 +233,7 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
#ifdef WITH_SELINUX
-static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
+static int _unix_run_update_binary(pam_handle_t *pamh, unsigned long long ctrl, const char *user,
const char *fromwhat, const char *towhat, int remember)
{
int retval, child, fds[2];
@@ -388,7 +388,7 @@ static int check_old_password(const char *forwho, const char *newpass)
static int _do_setpass(pam_handle_t* pamh, const char *forwho,
const char *fromwhat,
- char *towhat, unsigned int ctrl, int remember)
+ char *towhat, unsigned long long ctrl, int remember)
{
struct passwd *pwd = NULL;
int retval = 0;
@@ -512,7 +512,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
return retval;
}
-static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl)
+static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned long long ctrl)
{
struct passwd *pwent = NULL; /* Password and shadow password */
struct spwd *spent = NULL; /* file entries for the user */
@@ -542,7 +542,7 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in
}
static int _pam_unix_approve_pass(pam_handle_t * pamh
- ,unsigned int ctrl
+ ,unsigned long long ctrl
,const char *pass_old
,const char *pass_new,
int pass_min_len)
@@ -600,7 +600,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- unsigned int ctrl, lctrl;
+ unsigned long long ctrl, lctrl;
int retval;
int remember = -1;
int rounds = 0;
diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c
index 03e7dcd9..4b8af530 100644
--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -67,7 +67,7 @@ int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
char *user_name, *service;
- unsigned int ctrl;
+ unsigned long long ctrl;
int retval;
const char *login_name;
@@ -103,7 +103,7 @@ int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
char *user_name, *service;
- unsigned int ctrl;
+ unsigned long long ctrl;
int retval;
D(("called."));
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 95dfe528..39e2bfac 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -387,7 +387,7 @@ crypt_md5_wrapper(const char *pass_new)
}
PAMH_ARG_DECL(char * create_password_hash,
- const char *password, unsigned int ctrl, int rounds)
+ const char *password, unsigned long long ctrl, int rounds)
{
const char *algoid;
#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
@@ -404,6 +404,10 @@ PAMH_ARG_DECL(char * create_password_hash,
if (on(UNIX_MD5_PASS, ctrl)) {
/* algoid = "$1" */
return crypt_md5_wrapper(password);
+ } else if (on(UNIX_YESCRYPT_PASS, ctrl)) {
+ algoid = "$y$";
+ } else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) {
+ algoid = "$gy$";
} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
algoid = "$2b$";
} else if (on(UNIX_SHA256_PASS, ctrl)) {
@@ -466,6 +470,8 @@ PAMH_ARG_DECL(char * create_password_hash,
pam_syslog(pamh, LOG_ERR,
"Algo %s not supported by the crypto backend, "
"falling back to MD5\n",
+ on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" :
+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
index caf7ae8a..086c28ac 100644
--- a/modules/pam_unix/passverify.h
+++ b/modules/pam_unix/passverify.h
@@ -66,7 +66,7 @@ read_passwords(int fd, int npass, char **passwords);
#endif
PAMH_ARG_DECL(char * create_password_hash,
- const char *password, unsigned int ctrl, int rounds);
+ const char *password, unsigned long long ctrl, int rounds);
PAMH_ARG_DECL(int get_account_info,
const char *name, struct passwd **pwd, struct spwd **spwdent);
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 8cbc4217..6894288d 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -107,7 +107,7 @@ search_key (const char *key, const char *filename)
/* this is a front-end for module-application conversations */
-int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
+int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
int type, const char *text)
{
int retval = PAM_SUCCESS;
@@ -122,10 +122,11 @@ int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
* set the control flags for the UNIX module.
*/
-int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
- int *pass_min_len, int argc, const char **argv)
+unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
+ int *rounds, int *pass_min_len, int argc,
+ const char **argv)
{
- unsigned int ctrl;
+ unsigned long long ctrl;
char *val;
int j;
@@ -243,15 +244,23 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
set(UNIX__NONULL, ctrl);
}
- /* Set default rounds for blowfish */
- if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
- *rounds = 5;
- set(UNIX_ALGO_ROUNDS, ctrl);
+ /* Set default rounds for blowfish, gost-yescrypt and yescrypt */
+ if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
+ if (on(UNIX_BLOWFISH_PASS, ctrl) ||
+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
+ on(UNIX_YESCRYPT_PASS, ctrl)) {
+ *rounds = 5;
+ set(UNIX_ALGO_ROUNDS, ctrl);
+ }
}
/* Enforce sane "rounds" values */
if (on(UNIX_ALGO_ROUNDS, ctrl)) {
- if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+ if (on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
+ on(UNIX_YESCRYPT_PASS, ctrl)) {
+ if (*rounds < 3 || *rounds > 11)
+ *rounds = 5;
+ } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
if (*rounds < 4 || *rounds > 31)
*rounds = 5;
} else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
@@ -532,7 +541,7 @@ int _unix_comesfromsource(pam_handle_t *pamh,
#include <sys/wait.h>
static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- unsigned int ctrl, const char *user)
+ unsigned long long ctrl, const char *user)
{
int retval, child, fds[2];
struct sigaction newsa, oldsa;
@@ -658,7 +667,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
*/
int
-_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
+_unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name)
{
struct passwd *pwd = NULL;
char *salt = NULL;
@@ -706,7 +715,7 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
}
int _unix_verify_password(pam_handle_t * pamh, const char *name
- ,const char *p, unsigned int ctrl)
+ ,const char *p, unsigned long long ctrl)
{
struct passwd *pwd = NULL;
char *salt = NULL;
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 543e9b9f..e02c05e0 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -22,8 +22,8 @@
typedef struct {
const char *token;
- unsigned int mask; /* shall assume 32 bits of flags */
- unsigned int flag;
+ unsigned long long mask; /* shall assume 64 bits of flags */
+ unsigned long long flag;
unsigned int is_hash_algo;
} UNIX_Ctrls;
@@ -48,7 +48,7 @@ typedef struct {
/* the generic mask */
-#define _ALL_ON_ (~0U)
+#define _ALL_ON_ (~0ULL)
/* end of macro definitions definitions for the control flags */
@@ -98,47 +98,51 @@ typedef struct {
#define UNIX_QUIET 28 /* Don't print informational messages */
#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
#define UNIX_DES 30 /* DES, default */
+#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
+#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
/* -------------- */
-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 33 /* number of ctrl arguments defined */
-#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
{
-/* symbol token name ctrl mask ctrl *
- * ----------------------- ------------------- --------------------- -------- */
-
-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
-/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
+/* symbol token name ctrl mask ctrl *
+ * --------------------------- -------------------- ------------------------- ---------------- */
+
+/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
+/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
+/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
+/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
+/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
+/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
+/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
+/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
+/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
+/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
@@ -151,20 +155,23 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
_pam_drop(xx); \
}
-extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
- ,int type, const char *text);
-extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds,
- int *pass_min_len, int argc, const char **argv);
+extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
+ int type, const char *text);
+extern unsigned long long _set_ctrl(pam_handle_t * pamh, int flags,
+ int *remember, int *rounds,
+ int *pass_min_len,
+ int argc, const char **argv);
extern int _unix_getpwnam (pam_handle_t *pamh,
const char *name, int files, int nis,
struct passwd **ret);
extern int _unix_comesfromsource (pam_handle_t *pamh,
const char *name, int files, int nis);
-extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl,
+extern int _unix_blankpasswd(pam_handle_t *pamh, unsigned long long ctrl,
const char *name);
-extern int _unix_verify_password(pam_handle_t * pamh, const char *name
- ,const char *p, unsigned int ctrl);
+extern int _unix_verify_password(pam_handle_t * pamh, const char *name,
+ const char *p, unsigned long long ctrl);
extern int _unix_run_verify_binary(pam_handle_t *pamh,
- unsigned int ctrl, const char *user, int *daysleft);
+ unsigned long long ctrl,
+ const char *user, int *daysleft);
#endif /* _PAM_UNIX_SUPPORT_H */