diff options
Diffstat (limited to 'modules/pam_timestamp')
-rw-r--r-- | modules/pam_timestamp/Makefile.am | 60 | ||||
-rw-r--r-- | modules/pam_timestamp/Makefile.in | 1349 | ||||
-rw-r--r-- | modules/pam_timestamp/README | 56 | ||||
-rw-r--r-- | modules/pam_timestamp/README.xml | 46 | ||||
-rw-r--r-- | modules/pam_timestamp/hmac_openssl_wrapper.c | 381 | ||||
-rw-r--r-- | modules/pam_timestamp/hmac_openssl_wrapper.h | 57 | ||||
-rw-r--r-- | modules/pam_timestamp/hmacfile.c | 163 | ||||
-rw-r--r-- | modules/pam_timestamp/hmacsha1.c | 295 | ||||
-rw-r--r-- | modules/pam_timestamp/hmacsha1.h | 15 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp.8 | 135 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp.8.xml | 208 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp.c | 873 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.8 | 133 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.8.xml | 207 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.c | 42 | ||||
-rw-r--r-- | modules/pam_timestamp/sha1.c | 253 | ||||
-rw-r--r-- | modules/pam_timestamp/sha1.h | 65 | ||||
-rwxr-xr-x | modules/pam_timestamp/tst-pam_timestamp | 2 |
18 files changed, 4340 insertions, 0 deletions
diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am new file mode 100644 index 0000000..d290b85 --- /dev/null +++ b/modules/pam_timestamp/Makefile.am @@ -0,0 +1,60 @@ +# +# Copyright (c) 2005, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2005, 2008 Red Hat, Inc. +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = $(XMLS) + +if HAVE_DOC +dist_man_MANS = pam_timestamp.8 pam_timestamp_check.8 +endif +XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml +dist_check_SCRIPTS = tst-pam_timestamp +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + +pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) $(CRYPTO_LIBS) +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la +if HAVE_VERSIONING + pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_timestamp.la +sbin_PROGRAMS = pam_timestamp_check + +pam_timestamp_la_SOURCES = pam_timestamp.c +if COND_USE_OPENSSL +pam_timestamp_la_SOURCES += hmac_openssl_wrapper.c +else +pam_timestamp_la_SOURCES += hmacsha1.c sha1.c +endif +pam_timestamp_la_CFLAGS = $(AM_CFLAGS) + +pam_timestamp_check_SOURCES = pam_timestamp_check.c +pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ + +if COND_USE_OPENSSL +hmacfile_SOURCES = hmac_openssl_wrapper.c +else +hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c +endif +hmacfile_LDADD = $(top_builddir)/libpam/libpam.la + +check_PROGRAMS = hmacfile + +if ENABLE_REGENERATE_MAN +dist_noinst_DATA = README +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_timestamp/Makefile.in b/modules/pam_timestamp/Makefile.in new file mode 100644 index 0000000..440020b --- /dev/null +++ b/modules/pam_timestamp/Makefile.in @@ -0,0 +1,1349 @@ +# Makefile.in generated by automake 1.16.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2005, 2008 Red Hat, Inc. +# + + + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +sbin_PROGRAMS = pam_timestamp_check$(EXEEXT) +@COND_USE_OPENSSL_TRUE@am__append_2 = hmac_openssl_wrapper.c +@COND_USE_OPENSSL_FALSE@am__append_3 = hmacsha1.c sha1.c +check_PROGRAMS = hmacfile$(EXEEXT) +subdir = modules/pam_timestamp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(noinst_HEADERS) \ + $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(man8dir)" +PROGRAMS = $(sbin_PROGRAMS) +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_timestamp_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__pam_timestamp_la_SOURCES_DIST = pam_timestamp.c \ + hmac_openssl_wrapper.c hmacsha1.c sha1.c +@COND_USE_OPENSSL_TRUE@am__objects_1 = pam_timestamp_la-hmac_openssl_wrapper.lo +@COND_USE_OPENSSL_FALSE@am__objects_2 = pam_timestamp_la-hmacsha1.lo \ +@COND_USE_OPENSSL_FALSE@ pam_timestamp_la-sha1.lo +am_pam_timestamp_la_OBJECTS = pam_timestamp_la-pam_timestamp.lo \ + $(am__objects_1) $(am__objects_2) +pam_timestamp_la_OBJECTS = $(am_pam_timestamp_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +pam_timestamp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(pam_timestamp_la_CFLAGS) $(CFLAGS) \ + $(pam_timestamp_la_LDFLAGS) $(LDFLAGS) -o $@ +am__hmacfile_SOURCES_DIST = hmacfile.c hmacsha1.c sha1.c \ + hmac_openssl_wrapper.c +@COND_USE_OPENSSL_FALSE@am_hmacfile_OBJECTS = hmacfile.$(OBJEXT) \ +@COND_USE_OPENSSL_FALSE@ hmacsha1.$(OBJEXT) sha1.$(OBJEXT) +@COND_USE_OPENSSL_TRUE@am_hmacfile_OBJECTS = \ +@COND_USE_OPENSSL_TRUE@ hmac_openssl_wrapper.$(OBJEXT) +hmacfile_OBJECTS = $(am_hmacfile_OBJECTS) +hmacfile_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am_pam_timestamp_check_OBJECTS = \ + pam_timestamp_check-pam_timestamp_check.$(OBJEXT) +pam_timestamp_check_OBJECTS = $(am_pam_timestamp_check_OBJECTS) +pam_timestamp_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(pam_timestamp_check_CFLAGS) $(CFLAGS) \ + $(pam_timestamp_check_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/hmac_openssl_wrapper.Po \ + ./$(DEPDIR)/hmacfile.Po ./$(DEPDIR)/hmacsha1.Po \ + ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po \ + ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo \ + ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo \ + ./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo \ + ./$(DEPDIR)/pam_timestamp_la-sha1.Plo ./$(DEPDIR)/sha1.Po +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(pam_timestamp_la_SOURCES) $(hmacfile_SOURCES) \ + $(pam_timestamp_check_SOURCES) +DIST_SOURCES = $(am__pam_timestamp_la_SOURCES_DIST) \ + $(am__hmacfile_SOURCES_DIST) $(pam_timestamp_check_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) +HEADERS = $(noinst_HEADERS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red='[0;31m'; \ + grn='[0;32m'; \ + lgn='[1;32m'; \ + blu='[1;34m'; \ + mgn='[0;35m'; \ + brg='[1m'; \ + std='[m'; \ + fi; \ +} +am__recheck_rx = ^[ ]*:recheck:[ ]* +am__global_test_result_rx = ^[ ]*:global-test-result:[ ]* +am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]* +# A command that, given a newline-separated list of test names on the +# standard input, print the name of the tests that are to be re-run +# upon "make recheck". +am__list_recheck_tests = $(AWK) '{ \ + recheck = 1; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + { \ + if ((getline line2 < ($$0 ".log")) < 0) \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \ + { \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \ + { \ + break; \ + } \ + }; \ + if (recheck) \ + print $$0; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# A command that, given a newline-separated list of test names on the +# standard input, create the global log from their .trs and .log files. +am__create_global_log = $(AWK) ' \ +function fatal(msg) \ +{ \ + print "fatal: making $@: " msg | "cat >&2"; \ + exit 1; \ +} \ +function rst_section(header) \ +{ \ + print header; \ + len = length(header); \ + for (i = 1; i <= len; i = i + 1) \ + printf "="; \ + printf "\n\n"; \ +} \ +{ \ + copy_in_global_log = 1; \ + global_test_result = "RUN"; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".trs"); \ + if (line ~ /$(am__global_test_result_rx)/) \ + { \ + sub("$(am__global_test_result_rx)", "", line); \ + sub("[ ]*$$", "", line); \ + global_test_result = line; \ + } \ + else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \ + copy_in_global_log = 0; \ + }; \ + if (copy_in_global_log) \ + { \ + rst_section(global_test_result ": " $$0); \ + while ((rc = (getline line < ($$0 ".log"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".log"); \ + print line; \ + }; \ + printf "\n"; \ + }; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# Restructured Text title. +am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; } +# Solaris 10 'make', and several other traditional 'make' implementations, +# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it +# by disabling -e (using the XSI extension "set +e") if it's set. +am__sh_e_setup = case $$- in *e*) set +e;; esac +# Default flags passed to test drivers. +am__common_driver_flags = \ + --color-tests "$$am__color_tests" \ + --enable-hard-errors "$$am__enable_hard_errors" \ + --expect-failure "$$am__expect_failure" +# To be inserted before the command running the test. Creates the +# directory for the log if needed. Stores in $dir the directory +# containing $f, in $tst the test, in $log the log. Executes the +# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and +# passes TESTS_ENVIRONMENT. Set up options for the wrapper that +# will run the test scripts (or their associated LOG_COMPILER, if +# thy have one). +am__check_pre = \ +$(am__sh_e_setup); \ +$(am__vpath_adj_setup) $(am__vpath_adj) \ +$(am__tty_colors); \ +srcdir=$(srcdir); export srcdir; \ +case "$@" in \ + */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \ + *) am__odir=.;; \ +esac; \ +test "x$$am__odir" = x"." || test -d "$$am__odir" \ + || $(MKDIR_P) "$$am__odir" || exit $$?; \ +if test -f "./$$f"; then dir=./; \ +elif test -f "$$f"; then dir=; \ +else dir="$(srcdir)/"; fi; \ +tst=$$dir$$f; log='$@'; \ +if test -n '$(DISABLE_HARD_ERRORS)'; then \ + am__enable_hard_errors=no; \ +else \ + am__enable_hard_errors=yes; \ +fi; \ +case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \ + am__expect_failure=yes;; \ + *) \ + am__expect_failure=no;; \ +esac; \ +$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT) +# A shell command to get the names of the tests scripts with any registered +# extension removed (i.e., equivalently, the names of the test logs, with +# the '.log' extension removed). The result is saved in the shell variable +# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly, +# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)", +# since that might cause problem with VPATH rewrites for suffix-less tests. +# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'. +am__set_TESTS_bases = \ + bases='$(TEST_LOGS)'; \ + bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ + bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' +RECHECK_LOGS = $(TEST_LOGS) +AM_RECURSIVE_TARGETS = check recheck +TEST_SUITE_LOG = test-suite.log +TEST_EXTENSIONS = @EXEEXT@ .test +LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS) +am__set_b = \ + case '$@' in \ + */*) \ + case '$*' in \ + */*) b='$*';; \ + *) b=`echo '$@' | sed 's/\.log$$//'`; \ + esac;; \ + *) \ + b='$*';; \ + esac +am__test_logs1 = $(TESTS:=.log) +am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log) +TEST_LOGS = $(am__test_logs2:.test.log=.log) +TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ + $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +BUILD_CFLAGS = @BUILD_CFLAGS@ +BUILD_CPPFLAGS = @BUILD_CPPFLAGS@ +BUILD_LDFLAGS = @BUILD_LDFLAGS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ +FGREP = @FGREP@ +FO2PDF = @FO2PDF@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NIS_CFLAGS = @NIS_CFLAGS@ +NIS_LIBS = @NIS_LIBS@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSL_CFLAGS = @NSL_CFLAGS@ +NSL_LIBS = @NSL_LIBS@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ +STRIP = @STRIP@ +TIRPC_CFLAGS = @TIRPC_CFLAGS@ +TIRPC_LIBS = @TIRPC_LIBS@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_timestamp.8 pam_timestamp_check.8 +XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml +dist_check_SCRIPTS = tst-pam_timestamp +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + +pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module \ + $(AM_LDFLAGS) $(CRYPTO_LIBS) $(am__append_1) +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la +securelib_LTLIBRARIES = pam_timestamp.la +pam_timestamp_la_SOURCES = pam_timestamp.c $(am__append_2) \ + $(am__append_3) +pam_timestamp_la_CFLAGS = $(AM_CFLAGS) +pam_timestamp_check_SOURCES = pam_timestamp_check.c +pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ +@COND_USE_OPENSSL_FALSE@hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c +@COND_USE_OPENSSL_TRUE@hmacfile_SOURCES = hmac_openssl_wrapper.c +hmacfile_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +pam_timestamp.la: $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_DEPENDENCIES) $(EXTRA_pam_timestamp_la_DEPENDENCIES) + $(AM_V_CCLD)$(pam_timestamp_la_LINK) -rpath $(securelibdir) $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_LIBADD) $(LIBS) + +hmacfile$(EXEEXT): $(hmacfile_OBJECTS) $(hmacfile_DEPENDENCIES) $(EXTRA_hmacfile_DEPENDENCIES) + @rm -f hmacfile$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(hmacfile_OBJECTS) $(hmacfile_LDADD) $(LIBS) + +pam_timestamp_check$(EXEEXT): $(pam_timestamp_check_OBJECTS) $(pam_timestamp_check_DEPENDENCIES) $(EXTRA_pam_timestamp_check_DEPENDENCIES) + @rm -f pam_timestamp_check$(EXEEXT) + $(AM_V_CCLD)$(pam_timestamp_check_LINK) $(pam_timestamp_check_OBJECTS) $(pam_timestamp_check_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_openssl_wrapper.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacfile.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacsha1.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-sha1.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +pam_timestamp_la-pam_timestamp.lo: pam_timestamp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-pam_timestamp.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-pam_timestamp.Tpo -c -o pam_timestamp_la-pam_timestamp.lo `test -f 'pam_timestamp.c' || echo '$(srcdir)/'`pam_timestamp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_la-pam_timestamp.Tpo $(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pam_timestamp.c' object='pam_timestamp_la-pam_timestamp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-pam_timestamp.lo `test -f 'pam_timestamp.c' || echo '$(srcdir)/'`pam_timestamp.c + +pam_timestamp_la-hmac_openssl_wrapper.lo: hmac_openssl_wrapper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-hmac_openssl_wrapper.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Tpo -c -o pam_timestamp_la-hmac_openssl_wrapper.lo `test -f 'hmac_openssl_wrapper.c' || echo '$(srcdir)/'`hmac_openssl_wrapper.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Tpo $(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hmac_openssl_wrapper.c' object='pam_timestamp_la-hmac_openssl_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-hmac_openssl_wrapper.lo `test -f 'hmac_openssl_wrapper.c' || echo '$(srcdir)/'`hmac_openssl_wrapper.c + +pam_timestamp_la-hmacsha1.lo: hmacsha1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-hmacsha1.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo -c -o pam_timestamp_la-hmacsha1.lo `test -f 'hmacsha1.c' || echo '$(srcdir)/'`hmacsha1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo $(DEPDIR)/pam_timestamp_la-hmacsha1.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hmacsha1.c' object='pam_timestamp_la-hmacsha1.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-hmacsha1.lo `test -f 'hmacsha1.c' || echo '$(srcdir)/'`hmacsha1.c + +pam_timestamp_la-sha1.lo: sha1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-sha1.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-sha1.Tpo -c -o pam_timestamp_la-sha1.lo `test -f 'sha1.c' || echo '$(srcdir)/'`sha1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_la-sha1.Tpo $(DEPDIR)/pam_timestamp_la-sha1.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sha1.c' object='pam_timestamp_la-sha1.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-sha1.lo `test -f 'sha1.c' || echo '$(srcdir)/'`sha1.c + +pam_timestamp_check-pam_timestamp_check.o: pam_timestamp_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -MT pam_timestamp_check-pam_timestamp_check.o -MD -MP -MF $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo -c -o pam_timestamp_check-pam_timestamp_check.o `test -f 'pam_timestamp_check.c' || echo '$(srcdir)/'`pam_timestamp_check.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pam_timestamp_check.c' object='pam_timestamp_check-pam_timestamp_check.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -c -o pam_timestamp_check-pam_timestamp_check.o `test -f 'pam_timestamp_check.c' || echo '$(srcdir)/'`pam_timestamp_check.c + +pam_timestamp_check-pam_timestamp_check.obj: pam_timestamp_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -MT pam_timestamp_check-pam_timestamp_check.obj -MD -MP -MF $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo -c -o pam_timestamp_check-pam_timestamp_check.obj `if test -f 'pam_timestamp_check.c'; then $(CYGPATH_W) 'pam_timestamp_check.c'; else $(CYGPATH_W) '$(srcdir)/pam_timestamp_check.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pam_timestamp_check.c' object='pam_timestamp_check-pam_timestamp_check.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -c -o pam_timestamp_check-pam_timestamp_check.obj `if test -f 'pam_timestamp_check.c'; then $(CYGPATH_W) 'pam_timestamp_check.c'; else $(CYGPATH_W) '$(srcdir)/pam_timestamp_check.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +# Recover from deleted '.trs' file; this should ensure that +# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create +# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells +# to avoid problems with "make -n". +.log.trs: + rm -f $< $@ + $(MAKE) $(AM_MAKEFLAGS) $< + +# Leading 'am--fnord' is there to ensure the list of targets does not +# expand to empty, as could happen e.g. with make check TESTS=''. +am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck) +am--force-recheck: + @: + +$(TEST_SUITE_LOG): $(TEST_LOGS) + @$(am__set_TESTS_bases); \ + am__f_ok () { test -f "$$1" && test -r "$$1"; }; \ + redo_bases=`for i in $$bases; do \ + am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \ + done`; \ + if test -n "$$redo_bases"; then \ + redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \ + redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \ + if $(am__make_dryrun); then :; else \ + rm -f $$redo_logs && rm -f $$redo_results || exit 1; \ + fi; \ + fi; \ + if test -n "$$am__remaking_logs"; then \ + echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ + "recursion detected" >&2; \ + elif test -n "$$redo_logs"; then \ + am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ + fi; \ + if $(am__make_dryrun); then :; else \ + st=0; \ + errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \ + for i in $$redo_bases; do \ + test -f $$i.trs && test -r $$i.trs \ + || { echo "$$errmsg $$i.trs" >&2; st=1; }; \ + test -f $$i.log && test -r $$i.log \ + || { echo "$$errmsg $$i.log" >&2; st=1; }; \ + done; \ + test $$st -eq 0 || exit 1; \ + fi + @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \ + ws='[ ]'; \ + results=`for b in $$bases; do echo $$b.trs; done`; \ + test -n "$$results" || results=/dev/null; \ + all=` grep "^$$ws*:test-result:" $$results | wc -l`; \ + pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \ + fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \ + skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \ + xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \ + xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \ + error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \ + if test `expr $$fail + $$xpass + $$error` -eq 0; then \ + success=true; \ + else \ + success=false; \ + fi; \ + br='==================='; br=$$br$$br$$br$$br; \ + result_count () \ + { \ + if test x"$$1" = x"--maybe-color"; then \ + maybe_colorize=yes; \ + elif test x"$$1" = x"--no-color"; then \ + maybe_colorize=no; \ + else \ + echo "$@: invalid 'result_count' usage" >&2; exit 4; \ + fi; \ + shift; \ + desc=$$1 count=$$2; \ + if test $$maybe_colorize = yes && test $$count -gt 0; then \ + color_start=$$3 color_end=$$std; \ + else \ + color_start= color_end=; \ + fi; \ + echo "$${color_start}# $$desc $$count$${color_end}"; \ + }; \ + create_testsuite_report () \ + { \ + result_count $$1 "TOTAL:" $$all "$$brg"; \ + result_count $$1 "PASS: " $$pass "$$grn"; \ + result_count $$1 "SKIP: " $$skip "$$blu"; \ + result_count $$1 "XFAIL:" $$xfail "$$lgn"; \ + result_count $$1 "FAIL: " $$fail "$$red"; \ + result_count $$1 "XPASS:" $$xpass "$$red"; \ + result_count $$1 "ERROR:" $$error "$$mgn"; \ + }; \ + { \ + echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \ + $(am__rst_title); \ + create_testsuite_report --no-color; \ + echo; \ + echo ".. contents:: :depth: 2"; \ + echo; \ + for b in $$bases; do echo $$b; done \ + | $(am__create_global_log); \ + } >$(TEST_SUITE_LOG).tmp || exit 1; \ + mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \ + if $$success; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ + fi; \ + echo "$${col}$$br$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ + echo "$${col}$$br$${std}"; \ + create_testsuite_report --maybe-color; \ + echo "$$col$$br$$std"; \ + if $$success; then :; else \ + echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \ + if test -n "$(PACKAGE_BUGREPORT)"; then \ + echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \ + fi; \ + echo "$$col$$br$$std"; \ + fi; \ + $$success || exit 1 + +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) + @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list + @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + trs_list=`for i in $$bases; do echo $$i.trs; done`; \ + log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ + exit $$?; +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + bases=`for i in $$bases; do echo $$i; done \ + | $(am__list_recheck_tests)` || exit 1; \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + log_list=`echo $$log_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \ + am__force_recheck=am--force-recheck \ + TEST_LOGS="$$log_list"; \ + exit $$? +tst-pam_timestamp.log: tst-pam_timestamp + @p='tst-pam_timestamp'; \ + b='tst-pam_timestamp'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +hmacfile.log: hmacfile$(EXEEXT) + @p='hmacfile$(EXEEXT)'; \ + b='hmacfile'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +.test.log: + @p='$<'; \ + $(am__set_b); \ + $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +@am__EXEEXT_TRUE@.test$(EXEEXT).log: +@am__EXEEXT_TRUE@ @p='$<'; \ +@am__EXEEXT_TRUE@ $(am__set_b); \ +@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ +@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ +@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ +@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS) + -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs) + -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) +clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/hmac_openssl_wrapper.Po + -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacsha1.Po + -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-sha1.Plo + -rm -f ./$(DEPDIR)/sha1.Po + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/hmac_openssl_wrapper.Po + -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacsha1.Po + -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-sha1.Plo + -rm -f ./$(DEPDIR)/sha1.Po + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + recheck tags tags-am uninstall uninstall-am uninstall-man \ + uninstall-man8 uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile + +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/modules/pam_timestamp/README b/modules/pam_timestamp/README new file mode 100644 index 0000000..e1ed508 --- /dev/null +++ b/modules/pam_timestamp/README @@ -0,0 +1,56 @@ +pam_timestamp — Authenticate using cached successful authentication attempts + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +In a nutshell, pam_timestamp caches successful authentication attempts, and +allows you to use a recent successful attempt as the basis for authentication. +This is similar mechanism which is used in sudo. + +When an application opens a session using pam_timestamp, a timestamp file is +created in the timestampdir directory for the user. When an application +attempts to authenticate the user, a pam_timestamp will treat a sufficiently +recent timestamp file as grounds for succeeding. + +The default encryption hash is taken from the HMAC_CRYPTO_ALGO variable from / +etc/login.defs. + +OPTIONS + +timestampdir=directory + + Specify an alternate directory where pam_timestamp creates timestamp files. + +timestamp_timeout=number + + How long should pam_timestamp treat timestamp as valid after their last + modification date (in seconds). Default is 300 seconds. + +verbose + + Attempt to inform the user when access is granted. + +debug + + Turns on debugging messages sent to syslog(3). + +NOTES + +Users can get confused when they are not always asked for passwords when +running a given program. Some users reflexively begin typing information before +noticing that it is not being asked for. + +EXAMPLES + +auth sufficient pam_timestamp.so verbose +auth required pam_unix.so + +session required pam_unix.so +session optional pam_timestamp.so + + +AUTHOR + +pam_timestamp was written by Nalin Dahyabhai. + diff --git a/modules/pam_timestamp/README.xml b/modules/pam_timestamp/README.xml new file mode 100644 index 0000000..5b72deb --- /dev/null +++ b/modules/pam_timestamp/README.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_timestamp.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_timestamp-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-notes"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-author"]/*)'/> + </section> + +</article> diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c new file mode 100644 index 0000000..926c2fb --- /dev/null +++ b/modules/pam_timestamp/hmac_openssl_wrapper.c @@ -0,0 +1,381 @@ +/* Wrapper for hmac openssl implementation. + * + * Copyright (c) 2021 Red Hat, Inc. + * Written by Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#ifdef WITH_OPENSSL + +#include <sys/stat.h> +#include <fcntl.h> +#include <syslog.h> +#include <unistd.h> +#include <string.h> +#include <errno.h> +#include <openssl/evp.h> +#include <openssl/params.h> +#include <openssl/core_names.h> + +#include <security/pam_ext.h> +#include <security/pam_modutil.h> + +#include "hmac_openssl_wrapper.h" + +#define LOGIN_DEFS "/etc/login.defs" +#define CRYPTO_KEY "HMAC_CRYPTO_ALGO" +#define DEFAULT_ALGORITHM "SHA512" +#define MAX_HMAC_LENGTH 512 +#define MAX_KEY_LENGTH EVP_MAX_KEY_LENGTH + +static char * +get_crypto_algorithm(pam_handle_t *pamh, int debug){ + char *config_value = NULL; + + config_value = pam_modutil_search_key(pamh, LOGIN_DEFS, CRYPTO_KEY); + + if (config_value == NULL) { + config_value = strdup(DEFAULT_ALGORITHM); + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "Key [%s] not found, falling back to default algorithm [%s]\n", + CRYPTO_KEY, DEFAULT_ALGORITHM); + } + } + + return config_value; +} + +static int +generate_key(pam_handle_t *pamh, char **key, size_t key_size) +{ + int fd = 0; + size_t bytes_read = 0; + char * tmp = NULL; + + fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m"); + return PAM_AUTH_ERR; + } + + tmp = malloc(key_size); + if (!tmp) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + close(fd); + return PAM_AUTH_ERR; + } + + bytes_read = pam_modutil_read(fd, tmp, key_size); + close(fd); + + if (bytes_read < key_size) { + pam_syslog(pamh, LOG_ERR, "Short read on random device"); + free(tmp); + return PAM_AUTH_ERR; + } + + *key = tmp; + + return PAM_SUCCESS; +} + +static int +read_file(pam_handle_t *pamh, int fd, char **text, size_t *text_length) +{ + struct stat st; + size_t bytes_read = 0; + char *tmp = NULL; + + if (fstat(fd, &st) == -1) { + pam_syslog(pamh, LOG_ERR, "Unable to stat file: %m"); + close(fd); + return PAM_AUTH_ERR; + } + + if (st.st_size == 0) { + pam_syslog(pamh, LOG_ERR, "Key file size cannot be 0"); + close(fd); + return PAM_AUTH_ERR; + } + + tmp = malloc(st.st_size); + if (!tmp) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + close(fd); + return PAM_AUTH_ERR; + } + + bytes_read = pam_modutil_read(fd, tmp, st.st_size); + close(fd); + + if (bytes_read < (size_t)st.st_size) { + pam_syslog(pamh, LOG_ERR, "Short read on key file"); + memset(tmp, 0, st.st_size); + free(tmp); + return PAM_AUTH_ERR; + } + + *text = tmp; + *text_length = st.st_size; + + return PAM_SUCCESS; +} + +static int +write_file(pam_handle_t *pamh, const char *file_name, char *text, + size_t text_length, uid_t owner, gid_t group) +{ + int fd = 0; + size_t bytes_written = 0; + + fd = open(file_name, + O_WRONLY | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR); + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, "Unable to open [%s]: %m", file_name); + memset(text, 0, text_length); + free(text); + return PAM_AUTH_ERR; + } + + if (fchown(fd, owner, group) == -1) { + pam_syslog(pamh, LOG_ERR, "Unable to change ownership [%s]: %m", file_name); + memset(text, 0, text_length); + free(text); + close(fd); + return PAM_AUTH_ERR; + } + + bytes_written = pam_modutil_write(fd, text, text_length); + close(fd); + + if (bytes_written < text_length) { + pam_syslog(pamh, LOG_ERR, "Short write on %s", file_name); + free(text); + return PAM_AUTH_ERR; + } + + return PAM_SUCCESS; +} + +static int +key_management(pam_handle_t *pamh, const char *file_name, char **text, + size_t text_length, uid_t owner, gid_t group) +{ + int fd = 0; + + fd = open(file_name, O_RDONLY | O_NOFOLLOW); + if (fd == -1) { + if (errno == ENOENT) { + if (generate_key(pamh, text, text_length)) { + pam_syslog(pamh, LOG_ERR, "Unable to generate key"); + return PAM_AUTH_ERR; + } + + if (write_file(pamh, file_name, *text, text_length, owner, group)) { + pam_syslog(pamh, LOG_ERR, "Unable to write key"); + return PAM_AUTH_ERR; + } + } else { + pam_syslog(pamh, LOG_ERR, "Unable to open %s: %m", file_name); + return PAM_AUTH_ERR; + } + } else { + if (read_file(pamh, fd, text, &text_length)) { + pam_syslog(pamh, LOG_ERR, "Error reading key file %s\n", file_name); + return PAM_AUTH_ERR; + } + } + + return PAM_SUCCESS; +} + +static int +hmac_management(pam_handle_t *pamh, int debug, void **out, size_t *out_length, + char *key, size_t key_length, + const void *text, size_t text_length) +{ + int ret = PAM_AUTH_ERR; + EVP_MAC *evp_mac = NULL; + EVP_MAC_CTX *ctx = NULL; + unsigned char *hmac_message = NULL; + size_t hmac_length; + char *algo = NULL; + OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + algo = get_crypto_algorithm(pamh, debug); + + subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + algo, + 0); + + evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + if (evp_mac == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation"); + goto done; + } + + ctx = EVP_MAC_CTX_new(evp_mac); + if (ctx == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac context"); + goto done; + } + + ret = EVP_MAC_init(ctx, (const unsigned char *)key, key_length, subalg_param); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context"); + goto done; + } + + ret = EVP_MAC_update(ctx, (const unsigned char *)text, text_length); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to update hmac context"); + goto done; + } + + hmac_message = (unsigned char*)malloc(sizeof(unsigned char) * MAX_HMAC_LENGTH); + if (!hmac_message) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + goto done; + } + + ret = EVP_MAC_final(ctx, hmac_message, &hmac_length, MAX_HMAC_LENGTH); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to calculate hmac message"); + goto done; + } + + *out_length = hmac_length; + *out = malloc(*out_length); + if (*out == NULL) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + goto done; + } + + memcpy(*out, hmac_message, *out_length); + ret = PAM_SUCCESS; + +done: + if (hmac_message != NULL) { + free(hmac_message); + } + if (key != NULL) { + memset(key, 0, key_length); + free(key); + } + if (ctx != NULL) { + EVP_MAC_CTX_free(ctx); + } + if (evp_mac != NULL) { + EVP_MAC_free(evp_mac); + } + free(algo); + + return ret; +} + +int +hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length) +{ + int ret = PAM_AUTH_ERR; + EVP_MAC *evp_mac = NULL; + EVP_MAC_CTX *ctx = NULL; + const unsigned char key[] = "ThisIsJustAKey"; + size_t key_length = MAX_KEY_LENGTH; + char *algo = NULL; + OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + algo = get_crypto_algorithm(pamh, debug); + + subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + algo, + 0); + + evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + if (evp_mac == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation"); + goto done; + } + + ctx = EVP_MAC_CTX_new(evp_mac); + if (ctx == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac context"); + goto done; + } + + ret = EVP_MAC_init(ctx, key, key_length, subalg_param); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context"); + goto done; + } + + *hmac_length = EVP_MAC_CTX_get_mac_size(ctx); + ret = PAM_SUCCESS; + +done: + if (ctx != NULL) { + EVP_MAC_CTX_free(ctx); + } + if (evp_mac != NULL) { + EVP_MAC_free(evp_mac); + } + free(algo); + + return ret; +} + +int +hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length, + const char *key_file, uid_t owner, gid_t group, + const void *text, size_t text_length) +{ + char *key = NULL; + size_t key_length = MAX_KEY_LENGTH; + + if (key_management(pamh, key_file, &key, key_length, owner, group)) { + return PAM_AUTH_ERR; + } + + if (hmac_management(pamh, debug, mac, mac_length, key, key_length, + text, text_length)) { + return PAM_AUTH_ERR; + } + + return PAM_SUCCESS; +} + +#endif /* WITH_OPENSSL */ diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.h b/modules/pam_timestamp/hmac_openssl_wrapper.h new file mode 100644 index 0000000..cc27c81 --- /dev/null +++ b/modules/pam_timestamp/hmac_openssl_wrapper.h @@ -0,0 +1,57 @@ +/* Wrapper for hmac openssl implementation. + * + * Copyright (c) 2021 Red Hat, Inc. + * Written by Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#ifndef PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H +#define PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H + +#include "config.h" + +#ifdef WITH_OPENSSL + +#include <openssl/hmac.h> +#include <security/pam_modules.h> + +int +hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length); + +int +hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length, + const char *key_file, uid_t owner, gid_t group, + const void *text, size_t text_length); + +#endif /* WITH_OPENSSL */ +#endif /* PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H */ diff --git a/modules/pam_timestamp/hmacfile.c b/modules/pam_timestamp/hmacfile.c new file mode 100644 index 0000000..371f814 --- /dev/null +++ b/modules/pam_timestamp/hmacfile.c @@ -0,0 +1,163 @@ +/* + * Copyright 2003,2004 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pam_inline.h" + +#include <sys/types.h> +#include <sys/stat.h> +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include "hmacsha1.h" + +static void +testvectors(void) +{ + void *hmac; + size_t hmac_len; + size_t i, j; + char hex[3]; + struct vector { + const char *key; + int key_len; + const char *data; + int data_len; + const char *hmac; + } vectors[] = { + { + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20, + "Hi There", 8, + "b617318655057264e28bc0b6fb378c8ef146be00", + }, + +#ifdef HMAC_ALLOW_SHORT_KEYS + { + "Jefe", 4, + "what do ya want for nothing?", 28, + "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79", + }, +#endif + + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20, + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 50, + "125d7342b9ac11cd91a39af48aa17b4f63f175d3", + }, + + { + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 25, + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", + 50, + "4c9007f4026250c6bc8414f9bf50c86c2d7235da", + }, + + { + "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20, + "Test With Truncation", 20, + "4c1a03424b55e07fe7f27be1d58bb9324a9a5a04", + }, + + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", + 80, + "Test Using Larger Than Block-Size Key - Hash Key First", 54, + "aa4ae5e15272d00e95705637ce8a3b55ed402112", + }, + + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", + 80, + "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data", 73, + "e8e99d0f45237d786d6bbaa7965c7808bbff1a91", + }, + }; + for (i = 0; i < PAM_ARRAY_SIZE(vectors); i++) { + hmac = NULL; + hmac_len = 0; + hmac_sha1_generate(&hmac, &hmac_len, + vectors[i].key, vectors[i].key_len, + vectors[i].data, vectors[i].data_len); + if (hmac != NULL) { + unsigned char *hmacc = hmac; + for (j = 0; j < hmac_len; j++) { + snprintf(hex, sizeof(hex), "%02x", + hmacc[j] & 0xff); + if (strncasecmp(hex, + vectors[i].hmac + 2 * j, + 2) != 0) { + printf("Incorrect result for vector %lu\n", + (unsigned long) i + 1); + exit(1); + + } + } + free(hmac); + } else { + printf("Error in vector %lu.\n", + (unsigned long) i + 1); + exit(1); + } + } +} + +int +main(int argc, char **argv) +{ + void *hmac; + size_t maclen; + const char *keyfile; + int i; + size_t j; + + testvectors(); + + keyfile = argv[1]; + for (i = 2; i < argc; i++) { + hmac_sha1_generate_file(NULL, &hmac, &maclen, keyfile, -1, -1, + argv[i], strlen(argv[i])); + if (hmac != NULL) { + unsigned char *hmacc = hmac; + for (j = 0; j < maclen; j++) { + printf("%02x", hmacc[j] & 0xff); + } + printf(" %s\n", argv[i]); + free(hmac); + } + } + return 0; +} diff --git a/modules/pam_timestamp/hmacsha1.c b/modules/pam_timestamp/hmacsha1.c new file mode 100644 index 0000000..45a3cac --- /dev/null +++ b/modules/pam_timestamp/hmacsha1.c @@ -0,0 +1,295 @@ +/* An implementation of HMAC using SHA-1. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +/* See RFC 2104 for descriptions. */ +#include "config.h" +#include <sys/types.h> +#include <sys/stat.h> +#include <errno.h> +#include <fcntl.h> +#include <grp.h> +#include <pwd.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <syslog.h> +#include <security/pam_ext.h> +#include "hmacsha1.h" +#include "sha1.h" + +#define MINIMUM_KEY_SIZE SHA1_OUTPUT_SIZE +#define MAXIMUM_KEY_SIZE SHA1_BLOCK_SIZE + +static void +hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, + uid_t owner, gid_t group) +{ + int randfd, keyfd, i; + size_t count; + char *key; + + /* Open the destination file. */ + keyfd = open(filename, + O_WRONLY | O_CREAT | O_EXCL | O_TRUNC, + S_IRUSR | S_IWUSR); + if (keyfd == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot create %s: %m", filename); + return; + } + + + if (fchown(keyfd, owner, group) == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot chown %s: %m", filename); + close(keyfd); + return; + } + + /* Open the random device to get key data. */ + randfd = open("/dev/urandom", O_RDONLY); + if (randfd == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m"); + close(keyfd); + return; + } + + /* Read random data for use as the key. */ + key = malloc(key_size); + count = 0; + if (!key) { + close(keyfd); + close(randfd); + return; + } + while (count < key_size) { + i = read(randfd, key + count, key_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + + close(randfd); + + /* If we didn't get enough, stop here. */ + if (count < key_size) { + pam_syslog(pamh, LOG_ERR, "Short read on random device"); + memset(key, 0, key_size); + free(key); + close(keyfd); + return; + } + + /* Now write the key. */ + count = 0; + while (count < key_size) { + i = write(keyfd, key + count, key_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + memset(key, 0, key_size); + free(key); + close(keyfd); +} + +static void +hmac_key_read(pam_handle_t *pamh, const char *filename, size_t default_key_size, + uid_t owner, gid_t group, + void **key, size_t *key_size) +{ + char *tmp; + int keyfd, i, count; + struct stat st; + + tmp = NULL; + *key = NULL; + *key_size = 0; + + /* Try to open the key file. */ + keyfd = open(filename, O_RDONLY); + if (keyfd == -1) { + /* No such thing? Create it. */ + if (errno == ENOENT) { + hmac_key_create(pamh, filename, default_key_size, + owner, group); + keyfd = open(filename, O_RDONLY); + } else { + pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", filename); + } + if (keyfd == -1) + return; + } + + /* If we failed to open the file, we're done. */ + if (fstat(keyfd, &st) == -1) { + close(keyfd); + return; + } + + /* Read the contents of the file. */ + tmp = malloc(st.st_size); + if (!tmp) { + close(keyfd); + return; + } + + count = 0; + while (count < st.st_size) { + i = read(keyfd, tmp + count, st.st_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + close(keyfd); + + /* Require that we got the expected amount of data. */ + if (count < st.st_size) { + memset(tmp, 0, st.st_size); + free(tmp); + return; + } + + /* Pass the key back. */ + *key = tmp; + *key_size = st.st_size; +} + +static void +xor_block(unsigned char *p, unsigned char byte, size_t length) +{ + size_t i; + for (i = 0; i < length; i++) { + p[i] = p[i] ^ byte; + } +} + +void +hmac_sha1_generate(void **mac, size_t *mac_length, + const void *raw_key, size_t raw_key_size, + const void *text, size_t text_length) +{ + unsigned char key[MAXIMUM_KEY_SIZE], tmp_key[MAXIMUM_KEY_SIZE]; + size_t maximum_key_size = SHA1_BLOCK_SIZE, + minimum_key_size = SHA1_OUTPUT_SIZE; + const unsigned char ipad = 0x36, opad = 0x5c; + struct sha1_context sha1; + unsigned char inner[SHA1_OUTPUT_SIZE], outer[SHA1_OUTPUT_SIZE]; + + *mac = NULL; + *mac_length = 0; + +#ifndef HMAC_ALLOW_SHORT_KEYS + /* If the key is too short, don't bother. */ + if (raw_key_size < minimum_key_size) { + return; + } +#endif + + /* If the key is too long, "compress" it, else copy it and pad it + * out with zero bytes. */ + memset(key, 0, sizeof(key)); + if (raw_key_size > maximum_key_size) { + sha1_init(&sha1); + sha1_update(&sha1, raw_key, raw_key_size); + sha1_output(&sha1, key); + } else { + memmove(key, raw_key, raw_key_size); + } + + /* Generate the inner sum. */ + memcpy(tmp_key, key, sizeof(tmp_key)); + xor_block(tmp_key, ipad, sizeof(tmp_key)); + + sha1_init(&sha1); + sha1_update(&sha1, tmp_key, sizeof(tmp_key)); + sha1_update(&sha1, text, text_length); + sha1_output(&sha1, inner); + + /* Generate the outer sum. */ + memcpy(tmp_key, key, sizeof(tmp_key)); + xor_block(tmp_key, opad, sizeof(tmp_key)); + + sha1_init(&sha1); + sha1_update(&sha1, tmp_key, sizeof(tmp_key)); + sha1_update(&sha1, inner, sizeof(inner)); + sha1_output(&sha1, outer); + + /* We don't need any of the keys any more. */ + memset(key, 0, sizeof(key)); + memset(tmp_key, 0, sizeof(tmp_key)); + + /* Allocate space to store the output. */ + *mac_length = sizeof(outer); + *mac = malloc(*mac_length); + if (*mac == NULL) { + *mac_length = 0; + return; + } + + memcpy(*mac, outer, *mac_length); +} + +void +hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length, + const char *keyfile, uid_t owner, gid_t group, + const void *text, size_t text_length) +{ + void *key; + size_t key_length; + + hmac_key_read(pamh, keyfile, + MAXIMUM_KEY_SIZE, owner, group, + &key, &key_length); + if (key == NULL) { + *mac = NULL; + *mac_length = 0; + return; + } + hmac_sha1_generate(mac, mac_length, + key, key_length, + text, text_length); + memset(key, 0, key_length); + free(key); +} + +size_t +hmac_sha1_size(void) +{ + return SHA1_OUTPUT_SIZE; +} diff --git a/modules/pam_timestamp/hmacsha1.h b/modules/pam_timestamp/hmacsha1.h new file mode 100644 index 0000000..200d1d0 --- /dev/null +++ b/modules/pam_timestamp/hmacsha1.h @@ -0,0 +1,15 @@ +#ifndef pam_timestamp_hmacfile_h +#define pam_timestamp_hmacfile_h + +#include <sys/types.h> +#include <security/pam_modules.h> + +size_t hmac_sha1_size(void); +void hmac_sha1_generate(void **mac, size_t *mac_length, + const void *key, size_t key_length, + const void *text, size_t text_length); +void hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length, + const char *keyfile, uid_t owner, gid_t group, + const void *text, size_t text_length); + +#endif diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8 new file mode 100644 index 0000000..cd8195d --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp.8 @@ -0,0 +1,135 @@ +'\" t +.\" Title: pam_timestamp +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_TIMESTAMP" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_timestamp \- Authenticate using cached successful authentication attempts +.SH "SYNOPSIS" +.HP \w'\fBpam_timestamp\&.so\fR\ 'u +\fBpam_timestamp\&.so\fR [timestampdir=\fIdirectory\fR] [timestamp_timeout=\fInumber\fR] [verbose] [debug] +.SH "DESCRIPTION" +.PP +In a nutshell, +\fIpam_timestamp\fR +caches successful authentication attempts, and allows you to use a recent successful attempt as the basis for authentication\&. This is similar mechanism which is used in +\fBsudo\fR\&. +.PP +When an application opens a session using +\fIpam_timestamp\fR, a timestamp file is created in the +\fItimestampdir\fR +directory for the user\&. When an application attempts to authenticate the user, a +\fIpam_timestamp\fR +will treat a sufficiently recent timestamp file as grounds for succeeding\&. +.PP +The default encryption hash is taken from the +\fBHMAC_CRYPTO_ALGO\fR +variable from +\fI/etc/login\&.defs\fR\&. +.SH "OPTIONS" +.PP +\fBtimestampdir=\fR\fB\fIdirectory\fR\fR +.RS 4 +Specify an alternate directory where +\fIpam_timestamp\fR +creates timestamp files\&. +.RE +.PP +\fBtimestamp_timeout=\fR\fB\fInumber\fR\fR +.RS 4 +How long should +\fIpam_timestamp\fR +treat timestamp as valid after their last modification date (in seconds)\&. Default is 300 seconds\&. +.RE +.PP +\fBverbose\fR +.RS 4 +Attempt to inform the user when access is granted\&. +.RE +.PP +\fBdebug\fR +.RS 4 +Turns on debugging messages sent to +\fBsyslog\fR(3)\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +The +\fBauth\fR +and +\fBsession\fR +module types are provided\&. +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +The module was not able to retrieve the user name or no valid timestamp file was found\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Everything was successful\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Timestamp file could not be created or updated\&. +.RE +.SH "NOTES" +.PP +Users can get confused when they are not always asked for passwords when running a given program\&. Some users reflexively begin typing information before noticing that it is not being asked for\&. +.SH "EXAMPLES" +.sp +.if n \{\ +.RS 4 +.\} +.nf +auth sufficient pam_timestamp\&.so verbose +auth required pam_unix\&.so + +session required pam_unix\&.so +session optional pam_timestamp\&.so + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/var/run/pam_timestamp/\&.\&.\&. +.RS 4 +timestamp files and directories +.RE +.SH "SEE ALSO" +.PP +\fBpam_timestamp_check\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_timestamp was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml new file mode 100644 index 0000000..83e5aea --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -0,0 +1,208 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_timestamp"> + + <refmeta> + <refentrytitle>pam_timestamp</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_timestamp-name"> + <refname>pam_timestamp</refname> + <refpurpose>Authenticate using cached successful authentication attempts</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_timestamp-cmdsynopsis"> + <command>pam_timestamp.so</command> + <arg choice="opt"> + timestampdir=<replaceable>directory</replaceable> + </arg> + <arg choice="opt"> + timestamp_timeout=<replaceable>number</replaceable> + </arg> + <arg choice="opt"> + verbose + </arg> + <arg choice="opt"> + debug + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_timestamp-description"> + + <title>DESCRIPTION</title> + + <para> + In a nutshell, <emphasis>pam_timestamp</emphasis> caches successful +authentication attempts, and allows you to use a recent successful attempt as +the basis for authentication. This is similar mechanism which is used in +<command>sudo</command>. + </para> + <para> + When an application opens a session using <emphasis>pam_timestamp</emphasis>, +a timestamp file is created in the <emphasis>timestampdir</emphasis> directory +for the user. When an application attempts to authenticate the user, a +<emphasis>pam_timestamp</emphasis> will treat a sufficiently recent timestamp +file as grounds for succeeding. + </para> + <para condition="openssl_hmac"> + The default encryption hash is taken from the + <emphasis remap='B'>HMAC_CRYPTO_ALGO</emphasis> variable from + <emphasis>/etc/login.defs</emphasis>. + </para> + </refsect1> + + <refsect1 id="pam_timestamp-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>timestampdir=<replaceable>directory</replaceable></option> + </term> + <listitem> + <para> + Specify an alternate directory where + <emphasis>pam_timestamp</emphasis> creates timestamp files. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>timestamp_timeout=<replaceable>number</replaceable></option> + </term> + <listitem> + <para> + How long should <emphasis>pam_timestamp</emphasis> + treat timestamp as valid after their + last modification date (in seconds). Default is 300 seconds. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>verbose</option> + </term> + <listitem> + <para> + Attempt to inform the user when access is granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turns on debugging messages sent to <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_timestamp-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + The <option>auth</option> and <option>session</option> + module types are provided. + </para> + </refsect1> + + <refsect1 id='pam_timestamp-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The module was not able to retrieve the user name or + no valid timestamp file was found. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successful. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Timestamp file could not be created or updated. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-notes'> + <title>NOTES</title> + <para> + Users can get confused when they are not always asked for passwords when +running a given program. Some users reflexively begin typing information before +noticing that it is not being asked for. + </para> + </refsect1> + + <refsect1 id='pam_timestamp-examples'> + <title>EXAMPLES</title> + <programlisting> +auth sufficient pam_timestamp.so verbose +auth required pam_unix.so + +session required pam_unix.so +session optional pam_timestamp.so + </programlisting> + </refsect1> + + <refsect1 id="pam_timestamp-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/run/pam_timestamp/...</filename></term> + <listitem> + <para>timestamp files and directories</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_timestamp_check</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_timestamp-author'> + <title>AUTHOR</title> + <para> + pam_timestamp was written by Nalin Dahyabhai. + </para> + </refsect1> + +</refentry> diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c new file mode 100644 index 0000000..01dd138 --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp.c @@ -0,0 +1,873 @@ +/****************************************************************************** + * A module for Linux-PAM that will cache authentication results, inspired by + * (and implemented with an eye toward being mixable with) sudo. + * + * Copyright (c) 2002 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#include <sys/stat.h> +#include <sys/types.h> +#include <errno.h> +#include <fcntl.h> +#include <limits.h> +#include <pwd.h> +#include <signal.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <time.h> +#include <sys/time.h> +#include <unistd.h> +#include <utmp.h> +#include <syslog.h> +#include <paths.h> +#ifdef WITH_OPENSSL +#include "hmac_openssl_wrapper.h" +#else +#include "hmacsha1.h" +#endif /* WITH_OPENSSL */ + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_ext.h> +#include <security/pam_modutil.h> +#include "pam_inline.h" + +/* The default timeout we use is 5 minutes, which matches the sudo default + * for the timestamp_timeout parameter. */ +#define DEFAULT_TIMESTAMP_TIMEOUT (5 * 60) +#define MODULE "pam_timestamp" +#define TIMESTAMPDIR _PATH_VARRUN MODULE +#define TIMESTAMPKEY TIMESTAMPDIR "/_pam_timestamp_key" + +/* Various buffers we use need to be at least as large as either PATH_MAX or + * LINE_MAX, so choose the larger of the two. */ +#if (LINE_MAX > PATH_MAX) +#define BUFLEN LINE_MAX +#else +#define BUFLEN PATH_MAX +#endif + +#define ROOT_USER 0 +#define ROOT_GROUP 0 + +/* Return PAM_SUCCESS if the given directory looks "safe". */ +static int +check_dir_perms(pam_handle_t *pamh, const char *tdir) +{ + char scratch[BUFLEN]; + struct stat st; + int i; + /* Check that the directory is "safe". */ + if ((tdir == NULL) || (strlen(tdir) == 0)) { + return PAM_AUTH_ERR; + } + /* Iterate over the path, checking intermediate directories. */ + memset(scratch, 0, sizeof(scratch)); + for (i = 0; (tdir[i] != '\0') && (i < (int)sizeof(scratch)); i++) { + scratch[i] = tdir[i]; + if ((scratch[i] == '/') || (tdir[i + 1] == '\0')) { + /* We now have the name of a directory in the path, so + * we need to check it. */ + if ((lstat(scratch, &st) == -1) && (errno != ENOENT)) { + pam_syslog(pamh, LOG_ERR, + "unable to read `%s': %m", + scratch); + return PAM_AUTH_ERR; + } + if (!S_ISDIR(st.st_mode)) { + pam_syslog(pamh, LOG_ERR, + "`%s' is not a directory", + scratch); + return PAM_AUTH_ERR; + } + if (S_ISLNK(st.st_mode)) { + pam_syslog(pamh, LOG_ERR, + "`%s' is a symbolic link", + scratch); + return PAM_AUTH_ERR; + } + if (st.st_uid != 0) { + pam_syslog(pamh, LOG_ERR, + "`%s' owner UID != 0", + scratch); + return PAM_AUTH_ERR; + } + if (st.st_gid != 0) { + pam_syslog(pamh, LOG_ERR, + "`%s' owner GID != 0", + scratch); + return PAM_AUTH_ERR; + } + if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { + pam_syslog(pamh, LOG_ERR, + "`%s' permissions are lax", + scratch); + return PAM_AUTH_ERR; + } + } + } + return PAM_SUCCESS; +} + +/* Validate a tty pathname as actually belonging to a tty, and return its base + * name if it's valid. */ +static const char * +check_tty(const char *tty) +{ + /* Check that we're not being set up to take a fall. */ + if ((tty == NULL) || (strlen(tty) == 0)) { + return NULL; + } + /* Pull out the meaningful part of the tty's name. */ + if (strchr(tty, '/') != NULL) { + if (pam_str_skip_prefix(tty, "/dev/") == NULL) { + /* Make sure the device node is actually in /dev/, + * noted by Michal Zalewski. */ + return NULL; + } + tty = strrchr(tty, '/') + 1; + } + /* Make sure the tty wasn't actually a directory (no basename). */ + if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { + return NULL; + } + return tty; +} + +/* Determine the right path name for a given user's timestamp. */ +static int +format_timestamp_name(char *path, size_t len, + const char *timestamp_dir, + const char *tty, + const char *ruser, + const char *user) +{ + if (strcmp(ruser, user) == 0) { + return snprintf(path, len, "%s/%s/%s", timestamp_dir, + ruser, tty); + } else { + return snprintf(path, len, "%s/%s/%s:%s", timestamp_dir, + ruser, tty, user); + } +} + +/* Check if a given timestamp date, when compared to a current time, fits + * within the given interval. */ +static int +timestamp_good(time_t then, time_t now, time_t interval) +{ + if (((now >= then) && ((now - then) < interval)) || + ((now < then) && ((then - now) < (2 * interval)))) { + return PAM_SUCCESS; + } + return PAM_AUTH_ERR; +} + +static int +check_login_time(const char *ruser, time_t timestamp) +{ + struct utmp utbuf, *ut; + time_t oldest_login = 0; + + setutent(); + while( +#ifdef HAVE_GETUTENT_R + !getutent_r(&utbuf, &ut) +#else + (ut = getutent()) != NULL +#endif + ) { + if (ut->ut_type != USER_PROCESS) { + continue; + } + if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user)) != 0) { + continue; + } + if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) { + oldest_login = ut->ut_tv.tv_sec; + } + } + endutent(); + if(oldest_login == 0 || timestamp < oldest_login) { + return PAM_AUTH_ERR; + } + return PAM_SUCCESS; +} + +#ifndef PAM_TIMESTAMP_MAIN +static int +get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) +{ + const void *ruser; + struct passwd *pwd; + + if (ruserbuf == NULL || ruserbuflen < 1) + return -2; + /* Get the name of the source user. */ + if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS) { + ruser = NULL; + } + if ((ruser == NULL) || (strlen(ruser) == 0)) { + /* Barring that, use the current RUID. */ + pwd = pam_modutil_getpwuid(pamh, getuid()); + if (pwd != NULL) { + ruser = pwd->pw_name; + } + } else { + /* + * This ruser is used by format_timestamp_name as a component + * of constructed timestamp pathname, so ".", "..", and '/' + * are disallowed to avoid potential path traversal issues. + */ + if (!strcmp(ruser, ".") || + !strcmp(ruser, "..") || + strchr(ruser, '/')) { + ruser = NULL; + } + } + if (ruser == NULL || strlen(ruser) >= ruserbuflen) { + *ruserbuf = '\0'; + return -1; + } + strcpy(ruserbuf, ruser); + return 0; +} + +/* Get the path to the timestamp to use. */ +static int +get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv, + char *path, size_t len) +{ + const char *user, *tty; + const void *void_tty; + const char *tdir = TIMESTAMPDIR; + char ruser[BUFLEN]; + int i, debug = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + } + for (i = 0; i < argc; i++) { + const char *str; + + if ((str = pam_str_skip_prefix(argv[i], "timestampdir=")) != NULL) { + tdir = str; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "storing timestamps in `%s'", + tdir); + } + } + } + i = check_dir_perms(pamh, tdir); + if (i != PAM_SUCCESS) { + return i; + } + /* Get the name of the target user. */ + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user[0] == '\0') { + return PAM_AUTH_ERR; + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "becoming user `%s'", user); + } + /* Get the name of the source user. */ + if (get_ruser(pamh, ruser, sizeof(ruser)) || strlen(ruser) == 0) { + return PAM_AUTH_ERR; + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "currently user `%s'", ruser); + } + /* Get the name of the terminal. */ + if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS) { + tty = NULL; + } else { + tty = void_tty; + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDIN_FILENO); + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDOUT_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDERR_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + /* Match sudo's behavior for this case. */ + tty = "unknown"; + } + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "tty is `%s'", tty); + } + /* Snip off all but the last part of the tty name. */ + tty = check_tty(tty); + if (tty == NULL) { + return PAM_AUTH_ERR; + } + /* Generate the name of the file used to cache auth results. These + * paths should jive with sudo's per-tty naming scheme. */ + if (format_timestamp_name(path, len, tdir, tty, ruser, user) >= (int)len) { + return PAM_AUTH_ERR; + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "using timestamp file `%s'", path); + } + return PAM_SUCCESS; +} + +/* Tell the user that access has been granted. */ +static void +verbose_success(pam_handle_t *pamh, long diff) +{ + pam_info(pamh, _("Access has been granted" + " (last access was %ld seconds ago)."), diff); +} + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct stat st; + time_t interval = DEFAULT_TIMESTAMP_TIMEOUT; + int i, fd, debug = 0, verbose = 0; + char path[BUFLEN], *p, *message, *message_end; + long tmp; + const void *void_service; + const char *service; + time_t now, then; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + } + for (i = 0; i < argc; i++) { + const char *str; + + if ((str = pam_str_skip_prefix(argv[i], "timestamp_timeout=")) != NULL) { + tmp = strtol(str, &p, 0); + if ((p != NULL) && (*p == '\0')) { + interval = tmp; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "setting timeout to %ld" + " seconds", (long)interval); + } + } + } else + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "becoming more verbose"); + } + } + } + + if (flags & PAM_SILENT) { + verbose = 0; + } + + /* Get the name of the timestamp file. */ + if (get_timestamp_name(pamh, argc, argv, + path, sizeof(path)) != PAM_SUCCESS) { + return PAM_AUTH_ERR; + } + + /* Get the name of the service. */ + if (pam_get_item(pamh, PAM_SERVICE, &void_service) != PAM_SUCCESS) { + service = NULL; + } else { + service = void_service; + } + if ((service == NULL) || (strlen(service) == 0)) { + service = "(unknown)"; + } + + /* Open the timestamp file. */ + fd = open(path, O_RDONLY | O_NOFOLLOW); + if (fd == -1) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "cannot open timestamp `%s': %m", + path); + } + return PAM_AUTH_ERR; + } + + if (fstat(fd, &st) == 0) { + int count; + void *mac; + size_t maclen; + char ruser[BUFLEN]; + + /* Check that the file is owned by the superuser. */ + if ((st.st_uid != 0) || (st.st_gid != 0)) { + pam_syslog(pamh, LOG_ERR, "timestamp file `%s' is " + "not owned by root", path); + close(fd); + return PAM_AUTH_ERR; + } + + /* Check that the file is a normal file. */ + if (!(S_ISREG(st.st_mode))) { + pam_syslog(pamh, LOG_ERR, "timestamp file `%s' is " + "not a regular file", path); + close(fd); + return PAM_AUTH_ERR; + } + +#ifdef WITH_OPENSSL + if (hmac_size(pamh, debug, &maclen)) { + return PAM_AUTH_ERR; + } +#else + maclen = hmac_sha1_size(); +#endif /* WITH_OPENSSL */ + /* Check that the file is the expected size. */ + if (st.st_size == 0) { + /* Invalid, but may have been created by sudo. */ + close(fd); + return PAM_AUTH_ERR; + } + if (st.st_size != + (off_t)(strlen(path) + 1 + sizeof(then) + maclen)) { + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' " + "appears to be corrupted", path); + close(fd); + return PAM_AUTH_ERR; + } + + /* Read the file contents. */ + message = malloc(st.st_size); + count = 0; + if (!message) { + close(fd); + return PAM_BUF_ERR; + } + while (count < st.st_size) { + i = read(fd, message + count, st.st_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + if (count < st.st_size) { + pam_syslog(pamh, LOG_NOTICE, "error reading timestamp " + "file `%s': %m", path); + close(fd); + free(message); + return PAM_AUTH_ERR; + } + message_end = message + strlen(path) + 1 + sizeof(then); + + /* Regenerate the MAC. */ +#ifdef WITH_OPENSSL + if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, message, message_end - message)) { + close(fd); + free(message); + return PAM_AUTH_ERR; + } +#else + hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, message, message_end - message); +#endif /* WITH_OPENSSL */ + if ((mac == NULL) || + (memcmp(path, message, strlen(path)) != 0) || + (memcmp(mac, message_end, maclen) != 0)) { + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " + "corrupted", path); + close(fd); + free(mac); + free(message); + return PAM_AUTH_ERR; + } + free(mac); + memmove(&then, message + strlen(path) + 1, sizeof(then)); + free(message); + + /* Check oldest login against timestamp */ + if (get_ruser(pamh, ruser, sizeof(ruser))) + { + close(fd); + return PAM_AUTH_ERR; + } + if (check_login_time(ruser, then) != PAM_SUCCESS) + { + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " + "older than oldest login, disallowing " + "access to %s for user %s", + path, service, ruser); + close(fd); + return PAM_AUTH_ERR; + } + + /* Compare the dates. */ + now = time(NULL); + if (timestamp_good(then, now, interval) == PAM_SUCCESS) { + close(fd); + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " + "only %ld seconds old, allowing access to %s " + "for user %s", path, (long) (now - st.st_mtime), + service, ruser); + if (verbose) { + verbose_success(pamh, now - st.st_mtime); + } + return PAM_SUCCESS; + } else { + close(fd); + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' has " + "unacceptable age (%ld seconds), disallowing " + "access to %s for user %s", + path, (long) (now - st.st_mtime), + service, ruser); + return PAM_AUTH_ERR; + } + } + close(fd); + + /* Fail by default. */ + return PAM_AUTH_ERR; +} + +int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) +{ + char path[BUFLEN], subdir[BUFLEN], *text, *p; + void *mac; + size_t maclen; + time_t now; + int fd, i, debug = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + } + + /* Get the name of the timestamp file. */ + if (get_timestamp_name(pamh, argc, argv, + path, sizeof(path)) != PAM_SUCCESS) { + return PAM_SESSION_ERR; + } + + /* Create the directory for the timestamp file if it doesn't already + * exist. */ + for (i = 1; i < (int) sizeof(path) && path[i] != '\0'; i++) { + if (path[i] == '/') { + /* Attempt to create the directory. */ + memcpy(subdir, path, i); + subdir[i] = '\0'; + if (mkdir(subdir, 0700) == 0) { + /* Attempt to set the owner to the superuser. */ + if (lchown(subdir, 0, 0) != 0) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "error setting permissions on `%s': %m", + subdir); + } + return PAM_SESSION_ERR; + } + } else { + if (errno != EEXIST) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "error creating directory `%s': %m", + subdir); + } + return PAM_SESSION_ERR; + } + } + } + } + +#ifdef WITH_OPENSSL + if (hmac_size(pamh, debug, &maclen)) { + return PAM_SESSION_ERR; + } +#else + maclen = hmac_sha1_size(); +#endif /* WITH_OPENSSL */ + + /* Generate the message. */ + text = malloc(strlen(path) + 1 + sizeof(now) + maclen); + if (text == NULL) { + pam_syslog(pamh, LOG_CRIT, "unable to allocate memory: %m"); + return PAM_SESSION_ERR; + } + p = text; + + strcpy(text, path); + p += strlen(path) + 1; + + now = time(NULL); + memmove(p, &now, sizeof(now)); + p += sizeof(now); + + /* Generate the MAC and append it to the plaintext. */ +#ifdef WITH_OPENSSL + if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, text, p - text)) { + free(text); + return PAM_SESSION_ERR; + } +#else + hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, text, p - text); + if (mac == NULL) { + pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m"); + free(text); + return PAM_SESSION_ERR; + } +#endif /* WITH_OPENSSL */ + memmove(p, mac, maclen); + p += maclen; + free(mac); + + /* Open the file. */ + fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, "unable to open `%s': %m", path); + free(text); + return PAM_SESSION_ERR; + } + + /* Attempt to set the owner to the superuser. */ + if (fchown(fd, 0, 0) != 0) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "error setting ownership of `%s': %m", + path); + } + close(fd); + free(text); + return PAM_SESSION_ERR; + } + + + /* Write the timestamp to the file. */ + if (write(fd, text, p - text) != p - text) { + pam_syslog(pamh, LOG_ERR, "unable to write to `%s': %m", path); + close(fd); + free(text); + return PAM_SESSION_ERR; + } + + /* Close the file and return successfully. */ + close(fd); + free(text); + pam_syslog(pamh, LOG_DEBUG, "updated timestamp file `%s'", path); + return PAM_SUCCESS; +} + +int +pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +#else /* PAM_TIMESTAMP_MAIN */ + +#define USAGE "Usage: %s [[-k] | [-d]] [target user]\n" +#define CHECK_INTERVAL 7 + +int +main(int argc, char **argv) +{ + int i, retval = 0, dflag = 0, kflag = 0; + const char *target_user = NULL, *user = NULL, *tty = NULL; + struct passwd *pwd; + struct timeval tv; + fd_set write_fds; + char path[BUFLEN]; + struct stat st; + + /* Check that there's nothing funny going on with stdio. */ + if ((fstat(STDIN_FILENO, &st) == -1) || + (fstat(STDOUT_FILENO, &st) == -1) || + (fstat(STDERR_FILENO, &st) == -1)) { + /* Appropriate the "no controlling tty" error code. */ + return 3; + } + + /* Parse arguments. */ + while ((i = getopt(argc, argv, "dk")) != -1) { + switch (i) { + case 'd': + dflag++; + break; + case 'k': + kflag++; + break; + default: + fprintf(stderr, USAGE, argv[0]); + return 1; + break; + } + } + + /* Bail if both -k and -d are given together. */ + if ((kflag + dflag) > 1) { + fprintf(stderr, USAGE, argv[0]); + return 1; + } + + /* Check that we're setuid. */ + if (geteuid() != 0) { + fprintf(stderr, "%s must be setuid root\n", + argv[0]); + retval = 2; + } + + /* Check that we have a controlling tty. */ + tty = ttyname(STDIN_FILENO); + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDOUT_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDERR_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = "unknown"; + } + + /* Get the name of the invoking (requesting) user. */ + pwd = getpwuid(getuid()); + if (pwd == NULL) { + retval = 4; + } + + /* Get the name of the target user. */ + user = strdup(pwd->pw_name); + if (user == NULL) { + retval = 4; + } else { + target_user = (optind < argc) ? argv[optind] : user; + if ((strchr(target_user, '.') != NULL) || + (strchr(target_user, '/') != NULL) || + (strchr(target_user, '%') != NULL)) { + fprintf(stderr, "unknown user: %s\n", + target_user); + retval = 4; + } + } + + /* Sanity check the tty to make sure we should be checking + * for timestamps which pertain to it. */ + if (retval == 0) { + tty = check_tty(tty); + if (tty == NULL) { + fprintf(stderr, "invalid tty\n"); + retval = 6; + } + } + + do { + /* Sanity check the timestamp directory itself. */ + if (retval == 0) { + if (check_dir_perms(NULL, TIMESTAMPDIR) != PAM_SUCCESS) { + retval = 5; + } + } + + if (retval == 0) { + /* Generate the name of the timestamp file. */ + format_timestamp_name(path, sizeof(path), TIMESTAMPDIR, + tty, user, target_user); + } + + if (retval == 0) { + if (kflag) { + /* Remove the timestamp. */ + if (lstat(path, &st) != -1) { + retval = unlink(path); + } + } else { + /* Check the timestamp. */ + if (lstat(path, &st) != -1) { + /* Check oldest login against timestamp */ + if (check_login_time(user, st.st_mtime) != PAM_SUCCESS) { + retval = 7; + } else if (timestamp_good(st.st_mtime, time(NULL), + DEFAULT_TIMESTAMP_TIMEOUT) != PAM_SUCCESS) { + retval = 7; + } + } else { + retval = 7; + } + } + } + + if (dflag > 0) { + struct timeval now; + /* Send the would-be-returned value to our parent. */ + signal(SIGPIPE, SIG_DFL); + fprintf(stdout, "%d\n", retval); + fflush(stdout); + /* Wait. */ + gettimeofday(&now, NULL); + tv.tv_sec = CHECK_INTERVAL; + /* round the sleep time to get woken up on a whole second */ + tv.tv_usec = 1000000 - now.tv_usec; + if (now.tv_usec < 500000) + tv.tv_sec--; + FD_ZERO(&write_fds); + FD_SET(STDOUT_FILENO, &write_fds); + select(STDOUT_FILENO + 1, + NULL, NULL, &write_fds, + &tv); + retval = 0; + } + } while (dflag > 0); + + return retval; +} + +#endif diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8 new file mode 100644 index 0000000..a037375 --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp_check.8 @@ -0,0 +1,133 @@ +'\" t +.\" Title: pam_timestamp_check +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_TIMESTAMP_CHECK" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_timestamp_check \- Check to see if the default timestamp is valid +.SH "SYNOPSIS" +.HP \w'\fBpam_timestamp_check\fR\ 'u +\fBpam_timestamp_check\fR [\-k] [\-d] [\fItarget_user\fR] +.SH "DESCRIPTION" +.PP +With no arguments +\fBpam_timestamp_check\fR +will check to see if the default timestamp is valid, or optionally remove it\&. +.SH "OPTIONS" +.PP +\fB\-k\fR +.RS 4 +Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\*(Aqs +\fI\-k\fR +option\&. +.RE +.PP +\fB\-d\fR +.RS 4 +Instead of returning validity using an exit status, loop indefinitely, polling regularly and printing the status on standard output\&. +.RE +.PP +\fB\fItarget_user\fR\fR +.RS 4 +By default +\fBpam_timestamp_check\fR +checks or removes timestamps generated by +\fIpam_timestamp\fR +when the user authenticates as herself\&. When the user authenticates as a different user, the name of the timestamp file changes to accommodate this\&. +\fItarget_user\fR +allows one to specify this user name\&. +.RE +.SH "RETURN VALUES" +.PP +0 +.RS 4 +The timestamp is valid\&. +.RE +.PP +2 +.RS 4 +The binary is not setuid root\&. +.RE +.PP +3 +.RS 4 +Invalid invocation\&. +.RE +.PP +4 +.RS 4 +User is unknown\&. +.RE +.PP +5 +.RS 4 +Permissions error\&. +.RE +.PP +6 +.RS 4 +Invalid controlling tty\&. +.RE +.PP +7 +.RS 4 +Timestamp is not valid\&. +.RE +.SH "NOTES" +.PP +Users can get confused when they are not always asked for passwords when running a given program\&. Some users reflexively begin typing information before noticing that it is not being asked for\&. +.SH "EXAMPLES" +.sp +.if n \{\ +.RS 4 +.\} +.nf +auth sufficient pam_timestamp\&.so verbose +auth required pam_unix\&.so + +session required pam_unix\&.so +session optional pam_timestamp\&.so + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/var/run/sudo/\&.\&.\&. +.RS 4 +timestamp files and directories +.RE +.SH "SEE ALSO" +.PP +\fBpam_timestamp_check\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_timestamp was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml new file mode 100644 index 0000000..3a65d7e --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp_check.8.xml @@ -0,0 +1,207 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_timestamp_check"> + + <refmeta> + <refentrytitle>pam_timestamp_check</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_timestamp_check-name"> + <refname>pam_timestamp_check</refname> + <refpurpose>Check to see if the default timestamp is valid</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_timestamp_check-cmdsynopsis"> + <command>pam_timestamp_check</command> + <arg choice="opt"> + -k + </arg> + <arg choice="opt"> + -d + </arg> + <arg choice="opt"> + <replaceable>target_user</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_timestamp_check-description"> + + <title>DESCRIPTION</title> + + <para> + With no arguments <command>pam_timestamp_check</command> will check to +see if the default timestamp is valid, or optionally remove it. + </para> + </refsect1> + + <refsect1 id="pam_timestamp_check-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>-k</option> + </term> + <listitem> + <para> + Instead of checking the validity of a timestamp, remove it. + This is analogous to sudo's <emphasis>-k</emphasis> option. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-d</option> + </term> + <listitem> + <para> + Instead of returning validity using an exit status, + loop indefinitely, polling regularly and printing the status on + standard output. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option><replaceable>target_user</replaceable></option> + </term> + <listitem> + <para> + By default <command>pam_timestamp_check</command> checks or removes + timestamps generated by <emphasis>pam_timestamp</emphasis> when + the user authenticates as herself. When the user authenticates as a + different user, the name of the timestamp file changes to + accommodate this. <replaceable>target_user</replaceable> allows + one to specify this user name. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp_check-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>0</term> + <listitem> + <para> + The timestamp is valid. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>2</term> + <listitem> + <para> + The binary is not setuid root. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>3</term> + <listitem> + <para> + Invalid invocation. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>4</term> + <listitem> + <para> + User is unknown. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>5</term> + <listitem> + <para> + Permissions error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>6</term> + <listitem> + <para> + Invalid controlling tty. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>7</term> + <listitem> + <para> + Timestamp is not valid. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-notes'> + <title>NOTES</title> + <para> + Users can get confused when they are not always asked for passwords when +running a given program. Some users reflexively begin typing information before +noticing that it is not being asked for. + </para> + </refsect1> + + <refsect1 id='pam_timestamp-examples'> + <title>EXAMPLES</title> + <programlisting> +auth sufficient pam_timestamp.so verbose +auth required pam_unix.so + +session required pam_unix.so +session optional pam_timestamp.so + </programlisting> + </refsect1> + + <refsect1 id="pam_timestamp-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/run/sudo/...</filename></term> + <listitem> + <para>timestamp files and directories</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_timestamp_check</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_timestamp-author'> + <title>AUTHOR</title> + <para> + pam_timestamp was written by Nalin Dahyabhai. + </para> + </refsect1> + +</refentry> diff --git a/modules/pam_timestamp/pam_timestamp_check.c b/modules/pam_timestamp/pam_timestamp_check.c new file mode 100644 index 0000000..52b5a95 --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp_check.c @@ -0,0 +1,42 @@ +/****************************************************************************** + * A module for Linux-PAM that will cache authentication results, inspired by + * (and implemented with an eye toward being mixable with) sudo. + * + * Copyright (c) 2002 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#define PAM_TIMESTAMP_MAIN 1 +#include "pam_timestamp.c" diff --git a/modules/pam_timestamp/sha1.c b/modules/pam_timestamp/sha1.c new file mode 100644 index 0000000..d713aed --- /dev/null +++ b/modules/pam_timestamp/sha1.c @@ -0,0 +1,253 @@ +/* Yet another SHA-1 implementation. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +/* See http://www.itl.nist.gov/fipspubs/fip180-1.htm for descriptions. */ + +#include <sys/types.h> +#include <sys/stat.h> +#include <netinet/in.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <endian.h> +#include <unistd.h> +#include "sha1.h" + +static unsigned char +padding[SHA1_BLOCK_SIZE] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +}; + +static uint32_t +F(uint32_t b, uint32_t c, uint32_t d) +{ + return (b & c) | ((~b) & d); +} + +static uint32_t +G(uint32_t b, uint32_t c, uint32_t d) +{ + return b ^ c ^ d; +} + +static uint32_t +H(uint32_t b, uint32_t c, uint32_t d) +{ + return (b & c) | (b & d) | (c & d); +} + +static uint32_t +RL(uint32_t n, uint32_t s) +{ + return (n << s) | (n >> (32 - s)); +} + +static uint32_t +sha1_round(uint32_t (*FUNC)(uint32_t, uint32_t, uint32_t), + uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e, + uint32_t i, uint32_t n) +{ + return RL(a, 5) + FUNC(b, c, d) + e + i + n; +} + +void +sha1_init(struct sha1_context *ctx) +{ + memset(ctx, 0, sizeof(*ctx)); + ctx->a = 0x67452301; + ctx->b = 0xefcdab89; + ctx->c = 0x98badcfe; + ctx->d = 0x10325476; + ctx->e = 0xc3d2e1f0; +} + +static void +sha1_process(struct sha1_context *ctx, uint32_t buffer[SHA1_BLOCK_SIZE / 4]) +{ + uint32_t a, b, c, d, e, temp; + uint32_t data[80]; + int i; + + for (i = 0; i < 16; i++) { + data[i] = htonl(buffer[i]); + } + for (i = 16; i < 80; i++) { + data[i] = RL(data[i - 3] ^ data[i - 8] ^ data[i - 14] ^ data[i - 16], 1); + } + + a = ctx->a; + b = ctx->b; + c = ctx->c; + d = ctx->d; + e = ctx->e; + + for (i = 0; i < 20; i++) { + temp = sha1_round(F, a, b, c, d, e, data[i], 0x5a827999); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + for (i = 20; i < 40; i++) { + temp = sha1_round(G, a, b, c, d, e, data[i], 0x6ed9eba1); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + for (i = 40; i < 60; i++) { + temp = sha1_round(H, a, b, c, d, e, data[i], 0x8f1bbcdc); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + for (i = 60; i < 80; i++) { + temp = sha1_round(G, a, b, c, d, e, data[i], 0xca62c1d6); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + + ctx->a += a; + ctx->b += b; + ctx->c += c; + ctx->d += d; + ctx->e += e; + + memset(buffer, 0, sizeof(buffer[0]) * SHA1_BLOCK_SIZE / 4); + memset(data, 0, sizeof(data)); +} + +void +sha1_update(struct sha1_context *ctx, const unsigned char *data, size_t length) +{ + size_t i = 0, l = length, c, t; + uint32_t count = 0; + + /* Process any pending + data blocks. */ + while (l + ctx->pending_count >= SHA1_BLOCK_SIZE) { + c = ctx->pending_count; + t = SHA1_BLOCK_SIZE - c; + memcpy(ctx->pending.c + c, &data[i], t); + sha1_process(ctx, ctx->pending.i); + i += t; + l -= t; + ctx->pending_count = 0; + } + + /* Save what's left of the data block as a pending data block. */ + c = ctx->pending_count; + memcpy(ctx->pending.c + c, &data[i], l); + ctx->pending_count += l; + + /* Update the message length. */ + ctx->count += length; + + /* Update our internal counts. */ + if (length != 0) { + count = ctx->counts[0]; + ctx->counts[0] += length; + if (count >= ctx->counts[0]) { + ctx->counts[1]++; + } + } +} + +size_t +sha1_output(struct sha1_context *ctx, unsigned char *out) +{ + struct sha1_context ctx2; + + /* Output the sum. */ + if (out != NULL) { + uint32_t c; + memcpy(&ctx2, ctx, sizeof(ctx2)); + + /* Pad this block. */ + c = ctx2.pending_count; + memcpy(ctx2.pending.c + c, + padding, SHA1_BLOCK_SIZE - c); + + /* Do we need to process two blocks now? */ + if (c >= (SHA1_BLOCK_SIZE - (sizeof(uint32_t) * 2))) { + /* Process this block. */ + sha1_process(&ctx2, ctx2.pending.i); + /* Set up another block. */ + ctx2.pending_count = 0; + memset(ctx2.pending.c, 0, SHA1_BLOCK_SIZE); + ctx2.pending.c[0] = + (c == SHA1_BLOCK_SIZE) ? 0x80 : 0; + } + + /* Process the final block. */ + ctx2.counts[1] <<= 3; + if (ctx2.counts[0] >> 29) { + ctx2.counts[1] |= + (ctx2.counts[0] >> 29); + } + ctx2.counts[0] <<= 3; + ctx2.counts[0] = htonl(ctx2.counts[0]); + ctx2.counts[1] = htonl(ctx2.counts[1]); + memcpy(ctx2.pending.c + 56, + &ctx2.counts[1], sizeof(uint32_t)); + memcpy(ctx2.pending.c + 60, + &ctx2.counts[0], sizeof(uint32_t)); + sha1_process(&ctx2, ctx2.pending.i); + + /* Output the data. */ + out[ 3] = (ctx2.a >> 0) & 0xff; + out[ 2] = (ctx2.a >> 8) & 0xff; + out[ 1] = (ctx2.a >> 16) & 0xff; + out[ 0] = (ctx2.a >> 24) & 0xff; + + out[ 7] = (ctx2.b >> 0) & 0xff; + out[ 6] = (ctx2.b >> 8) & 0xff; + out[ 5] = (ctx2.b >> 16) & 0xff; + out[ 4] = (ctx2.b >> 24) & 0xff; + + out[11] = (ctx2.c >> 0) & 0xff; + out[10] = (ctx2.c >> 8) & 0xff; + out[ 9] = (ctx2.c >> 16) & 0xff; + out[ 8] = (ctx2.c >> 24) & 0xff; + + out[15] = (ctx2.d >> 0) & 0xff; + out[14] = (ctx2.d >> 8) & 0xff; + out[13] = (ctx2.d >> 16) & 0xff; + out[12] = (ctx2.d >> 24) & 0xff; + + out[19] = (ctx2.e >> 0) & 0xff; + out[18] = (ctx2.e >> 8) & 0xff; + out[17] = (ctx2.e >> 16) & 0xff; + out[16] = (ctx2.e >> 24) & 0xff; + } + + return SHA1_OUTPUT_SIZE; +} diff --git a/modules/pam_timestamp/sha1.h b/modules/pam_timestamp/sha1.h new file mode 100644 index 0000000..69f432e --- /dev/null +++ b/modules/pam_timestamp/sha1.h @@ -0,0 +1,65 @@ +/* Yet another SHA-1 implementation. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#ifndef pam_timestamp_sha1_h +#define pam_timestamp_sha1_h + +#include <stdint.h> +#include <sys/types.h> +#include "pam_cc_compat.h" + +#define SHA1_BLOCK_SIZE 64 + +struct sha1_context { + size_t count; + union { + unsigned char c[SHA1_BLOCK_SIZE]; + uint32_t i[SHA1_BLOCK_SIZE / sizeof(uint32_t)]; + } pending; + uint32_t counts[2]; + size_t pending_count; + uint32_t a, b, c, d, e; +}; + +#define SHA1_OUTPUT_SIZE 20 + +void sha1_init(struct sha1_context *ctx); +void sha1_update(struct sha1_context *ctx, + const unsigned char *data, size_t length); +size_t sha1_output(struct sha1_context *ctx, unsigned char *out); + +#endif diff --git a/modules/pam_timestamp/tst-pam_timestamp b/modules/pam_timestamp/tst-pam_timestamp new file mode 100755 index 0000000..1d425b8 --- /dev/null +++ b/modules/pam_timestamp/tst-pam_timestamp @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_timestamp.so |