delta/linux-pam-git.git/modules/pam_timestamp, branch master github.com: linux-pam/linux-pam.git pam_timestamp: do not assume PATH_MAX is defined 2023-05-11T05:16:06+00:00 Pino Toscano toscano.pino@tiscali.it 2023-05-08T06:55:42+00:00 cbe0839c89116e9c33f35b3fe185c63493ec34b2 PATH_MAX is optional in POSIX, and not defined on GNU/Hurd; hence, in case it is not defined, define BUFLEN directly to LINE_MAX. 
PATH_MAX is optional in POSIX, and not defined on GNU/Hurd; hence,
in case it is not defined, define BUFLEN directly to LINE_MAX.
pam_timestamp: Only build hmacfile when no openssl 2023-04-20T13:10:06+00:00 Iker Pedrosa ipedrosa@redhat.com 2023-04-13T07:56:50+00:00 4bfb0ce61f7a528287d316b702e4e5d332d95fb7 * modules/pam_timestamp/Makefile.am: Only build hmacfile target when openssl isn't enabled. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> 
* modules/pam_timestamp/Makefile.am: Only build hmacfile target when
openssl isn't enabled.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
pam_timestamp: fix build failure 2023-03-30T10:53:41+00:00 Iker Pedrosa ipedrosa@redhat.com 2023-03-30T10:50:44+00:00 8db48b022bdf8cc37f85b2927639aad67cd54be5 bcba17939e1b1a568cd4a764534cde74d37078cc started using pam_overwrite_n() without providing the definition to this function, which causes a build failure. modules/pam_timestamp/hmac_openssl_wrapper.c: include pam_inline.h Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> 
bcba17939e1b1a568cd4a764534cde74d37078cc started using pam_overwrite_n()
without providing the definition to this function, which causes a build
failure.

modules/pam_timestamp/hmac_openssl_wrapper.c: include pam_inline.h

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
modules: make use of secure memory erasure 2023-02-28T14:13:15+00:00 Christian Göttsche cgzones@googlemail.com 2023-01-30T16:56:58+00:00 bcba17939e1b1a568cd4a764534cde74d37078cc Use empty initialization of structs to minimize the memset() usage, to reduce the amount of calls which are not sensitive. Non trivial changes: - pam_env: * erase environment variables where possible - pam_exec: * erase responce on error * erase auth token - pam_pwhistory: * erase buffers containing old passwords - pam_selinux: skip overwriting data structure consisting of only pointers to insensitive data, which also gets free'd afterwards (so it currently does not protect against double-free or use-after-free on the member pointers) - pam_unix: erase cipher data in more places - pam_userdb: erase password hashes 
Use empty initialization of structs to minimize the memset() usage, to
reduce the amount of calls which are not sensitive.

Non trivial changes:

- pam_env:
  * erase environment variables where possible

- pam_exec:
  * erase responce on error
  * erase auth token

- pam_pwhistory:
  * erase buffers containing old passwords

- pam_selinux: skip overwriting data structure consisting of only
  pointers to insensitive data, which also gets free'd afterwards (so
  it currently does not protect against double-free or use-after-free on
  the member pointers)

- pam_unix: erase cipher data in more places

- pam_userdb: erase password hashes
Y2038: use logind instead of utmp 2023-02-28T06:03:30+00:00 Thorsten Kukuk kukuk@suse.com 2023-02-21T16:00:25+00:00 8a3f0810397c992a1155d815b1dd40b0b8fed59d The struct utmp from glibc uses on many 64bit architectures a 32bit time_t for compatibility with a 32bit userland, which means utmp will not survive the year 2038 (32bit time_t overflow). Use the data from logind instead of utmp. * configure.ac: Add option --enable-logind * modules/pam_issue/Makefile.am: Add CFLAGS/LIBS for logind support * modules/pam_issue/pam_issue.c: Use sd_get_sessions instead of utmp * modules/pam_timestamp/Makefile.am: Add CFLAGS/LIBS for logind support * modules/pam_timestamp/pam_timestamp.c: query logind for login time 
The struct utmp from glibc uses on many 64bit architectures a 32bit
time_t for compatibility with a 32bit userland, which means utmp will
not survive the year 2038 (32bit time_t overflow). Use the data from
logind instead of utmp.

* configure.ac: Add option --enable-logind
* modules/pam_issue/Makefile.am: Add CFLAGS/LIBS for logind support
* modules/pam_issue/pam_issue.c: Use sd_get_sessions instead of utmp
* modules/pam_timestamp/Makefile.am: Add CFLAGS/LIBS for logind support
* modules/pam_timestamp/pam_timestamp.c: query logind for login time
build: use <vendordir>/security directory for installation if it has been set 2023-02-07T08:00:00+00:00 Stefan Schubert schubi@suse.de 2023-01-26T15:20:07+00:00 96b70abec27356eba17ecc16d1c52e8cfa5c46cd Otherwise the corresponding files are still installed in /etc/security. * configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR. (AM_CONDITIONAL): Add HAVE_VENDORDIR. * modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR. 
Otherwise the corresponding files are still installed in /etc/security.

* configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR.
(AM_CONDITIONAL): Add HAVE_VENDORDIR.
* modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR
if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
doc: Update PAM documentation from DockBook 4 to DocBook 5 2022-12-16T09:31:37+00:00 Stefan Schubert schubi@suse.de 2022-10-25T14:29:41+00:00 cf2fc5ff7b4a8555fda2a5ebe5f6ab0e45c22996 Changed files -------------- Make.xml.rules.in: - Using RNG file instead of DTD file for checking XML files. - Taking the correct stylesheet for README files. doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am: - Using RNG file instead of DTD file for checking XML files. configure.ac: - Adding a new option for selecting RNG check file (-enable-docbook-rng) - Switching stylesheets to docbook 5 - Checking DocBook 5 environment instead of DocBook 4 environment *.xml: Update from DockBook 4 to DocBook 5 
Changed files
--------------

Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.

doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.

configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment

*.xml:
Update from DockBook 4 to DocBook 5
pam_timestamp: replace hmac implementation 2021-06-14T07:02:16+00:00 Iker Pedrosa ipedrosa@redhat.com 2021-03-25T08:43:30+00:00 b3bb13e18a74e9ece825b7de1b81db97ebb107a0 sha1 is no longer recommended as a cryptographic algorithm for authentication. Thus, the idea of this change is to replace the implementation provided by hmacsha1 included in pam_timestamp module by the one in the openssl library. This way, there's no need to maintain the cryptographic algorithm implementation and it can be easily changed with a single configuration change. modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper functions around openssl's hmac implementation. Moreover, manage the key generation and its read and write in a file. Include an option to configure the cryptographic algorithm in login.defs file. modules/pam_timestamp/hmac_openssl_wrapper.h: likewise. modules/pam_timestamp/pam_timestamp.c: replace calls to functions provided by hmacsha1 by functions provided by openssl's wrapper. configure.ac: include openssl dependecy if it is enabled. modules/pam_timestamp/Makefile.am: include new files and openssl library to compilation. ci/install-dependencies.sh: include openssl library to dependencies. NEWS: add new item to next release. Make.xml.rules.in: add stringparam profiling for hmac doc/custom-man.xsl: change import docbook to one with profiling modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to indicate the value in /etc/login.defs that holds the value for the encryption algorithm Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294 
sha1 is no longer recommended as a cryptographic algorithm for
authentication. Thus, the idea of this change is to replace the
implementation provided by hmacsha1 included in pam_timestamp module by
the one in the openssl library. This way, there's no need to maintain
the cryptographic algorithm implementation and it can be easily changed
with a single configuration change.

modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
functions around openssl's hmac implementation. Moreover, manage the key
generation and its read and write in a file. Include an option to
configure the cryptographic algorithm in login.defs file.
modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
modules/pam_timestamp/pam_timestamp.c: replace calls to functions
provided by hmacsha1 by functions provided by openssl's wrapper.
configure.ac: include openssl dependecy if it is enabled.
modules/pam_timestamp/Makefile.am: include new files and openssl library
to compilation.
ci/install-dependencies.sh: include openssl library to dependencies.
NEWS: add new item to next release.
Make.xml.rules.in: add stringparam profiling for hmac
doc/custom-man.xsl: change import docbook to one with profiling
modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
indicate the value in /etc/login.defs that holds the value for the
encryption algorithm

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
Remove deprecated pam_tally and pam_tally2 modules 2020-10-29T08:00:00+00:00 Dmitry V. Levin ldv@altlinux.org 2020-10-29T08:00:00+00:00 709e37b7e131d35b0ec30d31f858bc6917dd2b2e * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-tally --enable-tally2. * configure.ac: Remove --enable-tally and --enable-tally2 options. (AM_CONDITIONAL): Remove COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2. (AC_CONFIG_FILES): Remove modules/pam_tally/Makefile and modules/pam_tally2/Makefile. * doc/sag/pam_tally.xml: Remove. * doc/sag/pam_tally2.xml: Likewise. * doc/sag/Linux-PAM_SAG.xml: Do not include pam_tally.xml and pam_tally2.xml. * modules/Makefile.am (MAYBE_PAM_TALLY, MAYBE_PAM_TALLY2): Remove. (SUBDIRS): Remove MAYBE_PAM_TALLY and MAYBE_PAM_TALLY2. * modules/pam_tally/.gitignore: Remove. * modules/pam_tally/Makefile.am: Likewise. * modules/pam_tally/README.xml: Likewise. * modules/pam_tally/faillog.h: Likewise. * modules/pam_tally/pam_tally.8.xml: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally/pam_tally_app.c: Likewise. * modules/pam_tally/tst-pam_tally: Likewise. * modules/pam_tally2/.gitignore: Likewise. * modules/pam_tally2/Makefile.am: Likewise. * modules/pam_tally2/README.xml: Likewise. * modules/pam_tally2/pam_tally2.8.xml: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_tally2/pam_tally2_app.c: Likewise. * modules/pam_tally2/tallylog.h: Likewise. * modules/pam_tally2/tst-pam_tally2: Likewise. * modules/pam_timestamp/pam_timestamp_check.8.xml: Fix typo by replacing pam_tally with pam_timestamp. * po/POTFILES.in: Remove ./modules/pam_tally/pam_tally_app.c, ./modules/pam_tally/pam_tally.c, ./modules/pam_tally2/pam_tally2_app.c, and ./modules/pam_tally2/pam_tally2.c. * NEWS: Document this change. 
* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
--enable-tally --enable-tally2.
* configure.ac: Remove --enable-tally and --enable-tally2 options.
(AM_CONDITIONAL): Remove COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
(AC_CONFIG_FILES): Remove modules/pam_tally/Makefile and
modules/pam_tally2/Makefile.
* doc/sag/pam_tally.xml: Remove.
* doc/sag/pam_tally2.xml: Likewise.
* doc/sag/Linux-PAM_SAG.xml: Do not include pam_tally.xml and
pam_tally2.xml.
* modules/Makefile.am (MAYBE_PAM_TALLY, MAYBE_PAM_TALLY2): Remove.
(SUBDIRS): Remove MAYBE_PAM_TALLY and MAYBE_PAM_TALLY2.
* modules/pam_tally/.gitignore: Remove.
* modules/pam_tally/Makefile.am: Likewise.
* modules/pam_tally/README.xml: Likewise.
* modules/pam_tally/faillog.h: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally/pam_tally_app.c: Likewise.
* modules/pam_tally/tst-pam_tally: Likewise.
* modules/pam_tally2/.gitignore: Likewise.
* modules/pam_tally2/Makefile.am: Likewise.
* modules/pam_tally2/README.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_tally2/pam_tally2_app.c: Likewise.
* modules/pam_tally2/tallylog.h: Likewise.
* modules/pam_tally2/tst-pam_tally2: Likewise.
* modules/pam_timestamp/pam_timestamp_check.8.xml: Fix typo by replacing
pam_tally with pam_timestamp.
* po/POTFILES.in: Remove ./modules/pam_tally/pam_tally_app.c,
./modules/pam_tally/pam_tally.c, ./modules/pam_tally2/pam_tally2_app.c,
and ./modules/pam_tally2/pam_tally2.c.
* NEWS: Document this change.
build: rename PIE_* AC_SUBST variables to EXE_* 2020-08-07T18:00:00+00:00 Dmitry V. Levin ldv@altlinux.org 2020-08-07T18:00:00+00:00 c0b3c9fa05424f9606b0c348e0052bfb3bda3fa9 There are going to be other options added to CFLAGS and LDFLAGS of executables made along with modules. * configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of PIE_CFLAGS and PIE_LDFLAGS. All users updated. 
There are going to be other options added to CFLAGS and LDFLAGS
of executables made along with modules.

* configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from
PIE_CFLAGS and PIE_LDFLAGS, respectively.  AC_SUBST them instead of
PIE_CFLAGS and PIE_LDFLAGS.  All users updated.