deepcrayon/buildroot
deepcrayon/buildroot
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

package/libpam-tacplus: bump to version 1.6.1

Browse source 
- Drop all patches (already in version)
- Update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Fabrice Fontaine 2020-10-31 17:20:10 +01:00 committed by Thomas Petazzoni
parent edb94d770b
commit 064251e292
7 changed files with 3 additions and 989 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
package/libpam-tacplus/0001-libtac-lib-magic.c-fix-build-on-uclibc.patch
View file

@ -1,52 +0,0 @@
From b2af0aca53d696e6dad17d8a0351d233d1dd1200 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Wed, 22 Jan 2020 20:51:59 +0100
Subject: [PATCH] libtac/lib/magic.c: fix build on uclibc
Commit 7e990f9db6d8805d369876f45964df87efad9e08 replaced _GNU_SOURCE by
AC_SYSTEM_EXTENSIONS. This is fine but then config.h must be included
before system includes otherwise build fails with uclibc on:
libtac/lib/magic.c: In function 'magic':
libtac/lib/magic.c:70:11: error: implicit declaration of function 'getrandom' [-Werror=implicit-function-declaration]
ret = getrandom(&num, sizeof(num), GRND_NONBLOCK);
^
Fixes:
- http://autobuild.buildroot.org/results/05c67484136f3bb433ce7fc47b2ce01167048cc2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Upstream status: https://github.com/kravietz/pam_tacplus/pull/137]
---
libtac/lib/magic.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtac/lib/magic.c b/libtac/lib/magic.c
index 9df5e3f..e13a483 100644
--- a/libtac/lib/magic.c
+++ b/libtac/lib/magic.c
@@ -18,6 +18,10 @@
* See `CHANGES' file for revision history.
*/
+#ifdef HAVE_CONFIG_H
+ #include "config.h"
+#endif
+
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
@@ -27,10 +31,6 @@
#include <fcntl.h>
#include <errno.h>
-#ifdef HAVE_CONFIG_H
- #include "config.h"
-#endif
-
#include "magic.h"
#ifdef _MSC_VER
--
2.24.1

653
package/libpam-tacplus/0002-Drop-u_char-and-u_short.patch
View file

@ -1,653 +0,0 @@
From b6ec2208640456a9422a74b4f39a50ddb65e4970 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Sat, 25 Jan 2020 10:42:20 +0100
Subject: [PATCH] Drop u_char and u_short
Replace u_char and u_short by unsigned char and unsigned short to fix
build on musl
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/kravietz/pam_tacplus/commit/b6ec2208640456a9422a74b4f39a50ddb65e4970]
---
libtac/include/libtac.h | 8 ++--
libtac/include/tacplus.h | 88 ++++++++++++++++++++--------------------
libtac/lib/acct_r.c | 4 +-
libtac/lib/acct_s.c | 20 ++++-----
libtac/lib/attrib.c | 6 +--
libtac/lib/authen_r.c | 2 +-
libtac/lib/authen_s.c | 14 +++----
libtac/lib/author_r.c | 22 +++++-----
libtac/lib/author_s.c | 18 ++++----
libtac/lib/cont_s.c | 4 +-
libtac/lib/crypt.c | 10 ++---
libtac/lib/header.c | 2 +-
12 files changed, 99 insertions(+), 99 deletions(-)
diff --git a/libtac/include/libtac.h b/libtac/include/libtac.h
index 4922bf7..d8c7289 100644
--- a/libtac/include/libtac.h
+++ b/libtac/include/libtac.h
@@ -96,7 +96,7 @@ typedef unsigned int u_int32_t;
struct tac_attrib {
char *attr;
- u_char attr_len;
+ unsigned char attr_len;
struct tac_attrib *next;
};
@@ -169,12 +169,12 @@ int tac_connect_single(const struct addrinfo *, const char *, struct addrinfo *,
char *tac_ntop(const struct sockaddr *);
int tac_authen_send(int, const char *, const char *, const char *, const char *,
- u_char);
+ unsigned char);
int tac_authen_read(int, struct areply *);
int tac_cont_send_seq(int, const char *, int);
#define tac_cont_send(fd, pass) tac_cont_send_seq((fd), (pass), 3)
-HDR *_tac_req_header(u_char, int);
-void _tac_crypt(u_char *, const HDR *);
+HDR *_tac_req_header(unsigned char, int);
+void _tac_crypt(unsigned char *, const HDR *);
void tac_add_attrib(struct tac_attrib **, char *, char *);
void tac_free_attrib(struct tac_attrib **);
char *tac_acct_flag2str(int);
diff --git a/libtac/include/tacplus.h b/libtac/include/tacplus.h
index 90d7c8b..2ac8848 100644
--- a/libtac/include/tacplus.h
+++ b/libtac/include/tacplus.h
@@ -24,7 +24,7 @@
/* All tacacs+ packets have the same header format */
struct tac_plus_pak_hdr {
- u_char version;
+ unsigned char version;
#define TAC_PLUS_MAJOR_VER_MASK 0xf0
#define TAC_PLUS_MAJOR_VER 0xc0
@@ -35,14 +35,14 @@ struct tac_plus_pak_hdr {
#define TAC_PLUS_MINOR_VER_1 0x01
#define TAC_PLUS_VER_1 (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_1)
- u_char type;
+ unsigned char type;
#define TAC_PLUS_AUTHEN 0x01
#define TAC_PLUS_AUTHOR 0x02
#define TAC_PLUS_ACCT 0x03
- u_char seq_no; /* packet sequence number */
- u_char encryption; /* packet is encrypted or cleartext */
+ unsigned char seq_no; /* packet sequence number */
+ unsigned char encryption; /* packet is encrypted or cleartext */
#define TAC_PLUS_ENCRYPTED_FLAG 0x00 /* packet is encrypted */
#define TAC_PLUS_UNENCRYPTED_FLAG 0x01 /* packet is unencrypted */
@@ -59,21 +59,21 @@ typedef struct tac_plus_pak_hdr HDR;
/* Authentication packet NAS sends to us */
struct authen_start {
- u_char action;
+ unsigned char action;
#define TAC_PLUS_AUTHEN_LOGIN 0x01
#define TAC_PLUS_AUTHEN_CHPASS 0x02
#define TAC_PLUS_AUTHEN_SENDPASS 0x03 /* deprecated */
#define TAC_PLUS_AUTHEN_SENDAUTH 0x04
- u_char priv_lvl;
+ unsigned char priv_lvl;
#define TAC_PLUS_PRIV_LVL_MIN 0x00
#define TAC_PLUS_PRIV_LVL_MAX 0x0f
#define TAC_PLUS_PRIV_LVL_USER 0x01
#define TAC_PLUS_PRIV_LVL_ROOT 0x0f
- u_char authen_type;
+ unsigned char authen_type;
#define TAC_PLUS_AUTHEN_TYPE_ASCII 0x01
#define TAC_PLUS_AUTHEN_TYPE_PAP 0x02
@@ -81,7 +81,7 @@ struct authen_start {
#define TAC_PLUS_AUTHEN_TYPE_ARAP 0x04
#define TAC_PLUS_AUTHEN_TYPE_MSCHAP 0x05
- u_char service;
+ unsigned char service;
#define TAC_PLUS_AUTHEN_SVC_NONE 0x00
#define TAC_PLUS_AUTHEN_SVC_LOGIN 0x01
@@ -94,19 +94,19 @@ struct authen_start {
#define TAC_PLUS_AUTHEN_SVC_NASI 0x08
#define TAC_PLUS_AUTHEN_SVC_FWPROXY 0x09
- u_char user_len;
- u_char port_len;
- u_char r_addr_len;
- u_char data_len;
+ unsigned char user_len;
+ unsigned char port_len;
+ unsigned char r_addr_len;
+ unsigned char data_len;
};
#define TAC_AUTHEN_START_FIXED_FIELDS_SIZE 8
/* Authentication continue packet NAS sends to us */
struct authen_cont {
- u_short user_msg_len;
- u_short user_data_len;
- u_char flags;
+ unsigned short user_msg_len;
+ unsigned short user_data_len;
+ unsigned char flags;
#define TAC_PLUS_CONTINUE_FLAG_ABORT 0x01
@@ -116,7 +116,7 @@ struct authen_cont {
/* Authentication reply packet we send to NAS */
struct authen_reply {
- u_char status;
+ unsigned char status;
#define TAC_PLUS_AUTHEN_STATUS_PASS 0x01
#define TAC_PLUS_AUTHEN_STATUS_FAIL 0x02
@@ -127,12 +127,12 @@ struct authen_reply {
#define TAC_PLUS_AUTHEN_STATUS_ERROR 0x07
#define TAC_PLUS_AUTHEN_STATUS_FOLLOW 0x21
- u_char flags;
+ unsigned char flags;
#define TAC_PLUS_AUTHEN_FLAG_NOECHO 0x01
- u_short msg_len;
- u_short data_len;
+ unsigned short msg_len;
+ unsigned short data_len;
};
#define TAC_AUTHEN_REPLY_FIXED_FIELDS_SIZE 6
@@ -158,29 +158,29 @@ struct authen_reply {
#define AUTHEN_METH_RCMD TAC_PLUS_AUTHEN_METH_RCMD
struct acct {
- u_char flags;
+ unsigned char flags;
#define TAC_PLUS_ACCT_FLAG_MORE 0x01
#define TAC_PLUS_ACCT_FLAG_START 0x02
#define TAC_PLUS_ACCT_FLAG_STOP 0x04
#define TAC_PLUS_ACCT_FLAG_WATCHDOG 0x08
- u_char authen_method;
- u_char priv_lvl;
- u_char authen_type;
- u_char authen_service;
- u_char user_len;
- u_char port_len;
- u_char r_addr_len;
- u_char arg_cnt; /* the number of cmd args */
+ unsigned char authen_method;
+ unsigned char priv_lvl;
+ unsigned char authen_type;
+ unsigned char authen_service;
+ unsigned char user_len;
+ unsigned char port_len;
+ unsigned char r_addr_len;
+ unsigned char arg_cnt; /* the number of cmd args */
};
#define TAC_ACCT_REQ_FIXED_FIELDS_SIZE 9
struct acct_reply {
- u_short msg_len;
- u_short data_len;
- u_char status;
+ unsigned short msg_len;
+ unsigned short data_len;
+ unsigned char status;
#define TAC_PLUS_ACCT_STATUS_SUCCESS 0x1
#define TAC_PLUS_ACCT_STATUS_ERROR 0x2
@@ -192,25 +192,25 @@ struct acct_reply {
/* An authorization request packet */
struct author {
- u_char authen_method;
- u_char priv_lvl;
- u_char authen_type;
- u_char service;
-
- u_char user_len;
- u_char port_len;
- u_char r_addr_len;
- u_char arg_cnt; /* the number of args */
+ unsigned char authen_method;
+ unsigned char priv_lvl;
+ unsigned char authen_type;
+ unsigned char service;
+
+ unsigned char user_len;
+ unsigned char port_len;
+ unsigned char r_addr_len;
+ unsigned char arg_cnt; /* the number of args */
};
#define TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE 8
/* An authorization reply packet */
struct author_reply {
- u_char status;
- u_char arg_cnt;
- u_short msg_len;
- u_short data_len;
+ unsigned char status;
+ unsigned char arg_cnt;
+ unsigned short msg_len;
+ unsigned short data_len;
#define TAC_PLUS_AUTHOR_STATUS_PASS_ADD 0x01
#define TAC_PLUS_AUTHOR_STATUS_PASS_REPL 0x02
diff --git a/libtac/lib/acct_r.c b/libtac/lib/acct_r.c
index 44992e6..29ed901 100644
--- a/libtac/lib/acct_r.c
+++ b/libtac/lib/acct_r.c
@@ -110,7 +110,7 @@ int tac_acct_read(int fd, struct areply *re) {
}
/* decrypt the body */
- _tac_crypt((u_char *) tb, &th);
+ _tac_crypt((unsigned char *) tb, &th);
/* Convert network byte order to host byte order */
tb->msg_len = ntohs(tb->msg_len);
@@ -133,7 +133,7 @@ int tac_acct_read(int fd, struct areply *re) {
/* save status and clean up */
if(tb->msg_len) {
msg=(char *) xcalloc(1, tb->msg_len+1);
- bcopy((u_char *) tb+TAC_ACCT_REPLY_FIXED_FIELDS_SIZE, msg, tb->msg_len);
+ bcopy((unsigned char *) tb+TAC_ACCT_REPLY_FIXED_FIELDS_SIZE, msg, tb->msg_len);
msg[(int)tb->msg_len] = '\0';
re->msg = msg; /* Freed by caller */
}
diff --git a/libtac/lib/acct_s.c b/libtac/lib/acct_s.c
index db68067..4338ef2 100644
--- a/libtac/lib/acct_s.c
+++ b/libtac/lib/acct_s.c
@@ -50,14 +50,14 @@ int tac_acct_send(int fd, int type, const char *user, char *tty,
HDR *th;
struct acct tb;
- u_char user_len, port_len, r_addr_len;
+ unsigned char user_len, port_len, r_addr_len;
struct tac_attrib *a;
int i = 0; /* arg count */
int pkt_len = 0;
int pktl = 0;
int w; /* write count */
- u_char *pkt=NULL;
- /* u_char *pktp; */ /* obsolute */
+ unsigned char *pkt=NULL;
+ /* unsigned char *pktp; */ /* obsolute */
int ret = 0;
th = _tac_req_header(TAC_PLUS_ACCT, 0);
@@ -71,11 +71,11 @@ int tac_acct_send(int fd, int type, const char *user, char *tty,
(tac_encryption) ? "yes" : "no", \
tac_acct_flag2str(type));
- user_len=(u_char) strlen(user);
- port_len=(u_char) strlen(tty);
- r_addr_len=(u_char) strlen(r_addr);
+ user_len=(unsigned char) strlen(user);
+ port_len=(unsigned char) strlen(tty);
+ r_addr_len=(unsigned char) strlen(r_addr);
- tb.flags=(u_char) type;
+ tb.flags=(unsigned char) type;
tb.authen_method=tac_authen_method;
tb.priv_lvl=tac_priv_lvl;
if (!*tac_login) {
@@ -96,7 +96,7 @@ int tac_acct_send(int fd, int type, const char *user, char *tty,
tb.r_addr_len=r_addr_len;
/* allocate packet */
- pkt=(u_char *) xcalloc(1, TAC_ACCT_REQ_FIXED_FIELDS_SIZE);
+ pkt=(unsigned char *) xcalloc(1, TAC_ACCT_REQ_FIXED_FIELDS_SIZE);
pkt_len=sizeof(tb);
/* fill attribute length fields */
@@ -104,7 +104,7 @@ int tac_acct_send(int fd, int type, const char *user, char *tty,
while (a) {
pktl = pkt_len;
pkt_len += sizeof(a->attr_len);
- pkt = (u_char*) xrealloc(pkt, pkt_len);
+ pkt = (unsigned char*) xrealloc(pkt, pkt_len);
/* see comments in author_s.c
pktp=pkt + pkt_len;
@@ -132,7 +132,7 @@ int tac_acct_send(int fd, int type, const char *user, char *tty,
#define PUTATTR(data, len) \
pktl = pkt_len; \
pkt_len += len; \
- pkt = (u_char*) xrealloc(pkt, pkt_len); \
+ pkt = (unsigned char*) xrealloc(pkt, pkt_len); \
bcopy(data, pkt + pktl, len);
/* fill user and port fields */
diff --git a/libtac/lib/attrib.c b/libtac/lib/attrib.c
index b8a7d82..c148288 100644
--- a/libtac/lib/attrib.c
+++ b/libtac/lib/attrib.c
@@ -29,14 +29,14 @@ void tac_add_attrib(struct tac_attrib **attr, char *name, char *value) {
void tac_add_attrib_pair(struct tac_attrib **attr, char *name, char sep, char *value) {
struct tac_attrib *a;
- u_char l1 = (u_char) strlen(name);
- u_char l2;
+ unsigned char l1 = (unsigned char) strlen(name);
+ unsigned char l2;
int total_len;
if (value == NULL) {
l2 = 0;
} else {
- l2 = (u_char) strlen(value);
+ l2 = (unsigned char) strlen(value);
}
total_len = l1 + l2 + 1; /* "name" + "=" + "value" */
diff --git a/libtac/lib/authen_r.c b/libtac/lib/authen_r.c
index cc03e9b..3ffdc4d 100644
--- a/libtac/lib/authen_r.c
+++ b/libtac/lib/authen_r.c
@@ -106,7 +106,7 @@ int tac_authen_read(int fd, struct areply *re) {
}
/* decrypt the body */
- _tac_crypt((u_char *) tb, &th);
+ _tac_crypt((unsigned char *) tb, &th);
/* Convert network byte order to host byte order */
tb->msg_len = ntohs(tb->msg_len);
diff --git a/libtac/lib/authen_s.c b/libtac/lib/authen_s.c
index b33d954..3bbb51a 100644
--- a/libtac/lib/authen_s.c
+++ b/libtac/lib/authen_s.c
@@ -34,7 +34,7 @@
/* assume digest points to a buffer MD5_LEN size */
static void
-digest_chap(u_char digest[MD5_LBLOCK], uint8_t id,
+digest_chap(unsigned char digest[MD5_LBLOCK], uint8_t id,
const char *pass, unsigned pass_len,
const char *chal, unsigned chal_len) {
@@ -46,8 +46,8 @@ digest_chap(u_char digest[MD5_LBLOCK], uint8_t id,
* for a single call.
*/
MD5_Update(&mdcontext, &id, sizeof(id));
- MD5_Update(&mdcontext, (const u_char *)pass, pass_len);
- MD5_Update(&mdcontext, (const u_char *)chal, chal_len);
+ MD5_Update(&mdcontext, (const unsigned char *)pass, pass_len);
+ MD5_Update(&mdcontext, (const unsigned char *)chal, chal_len);
MD5_Final(digest, &mdcontext);
}
@@ -62,7 +62,7 @@ digest_chap(u_char digest[MD5_LBLOCK], uint8_t id,
* LIBTAC_STATUS_ASSEMBLY_ERR
*/
int tac_authen_send(int fd, const char *user, const char *pass, const char *tty,
- const char *r_addr, u_char action) {
+ const char *r_addr, unsigned char action) {
HDR *th; /* TACACS+ packet header */
struct authen_start tb; /* message body */
@@ -72,7 +72,7 @@ int tac_authen_send(int fd, const char *user, const char *pass, const char *tty,
int ret = 0;
char *chal = "1234123412341234";
char *token = NULL;
- u_char *pkt = NULL;
+ unsigned char *pkt = NULL;
const uint8_t id = 5;
th = _tac_req_header(TAC_PLUS_AUTHEN, 0);
@@ -99,7 +99,7 @@ int tac_authen_send(int fd, const char *user, const char *pass, const char *tty,
r_addr_len = strlen(r_addr);
if (!strcmp(tac_login, "chap")) {
- u_char digest[MD5_LBLOCK];
+ unsigned char digest[MD5_LBLOCK];
digest_chap(digest, id, pass, pass_len, chal, chal_len);
@@ -159,7 +159,7 @@ int tac_authen_send(int fd, const char *user, const char *pass, const char *tty,
}
/* build the packet */
- pkt = (u_char *) xcalloc(1, bodylength + 10);
+ pkt = (unsigned char *) xcalloc(1, bodylength + 10);
bcopy(&tb, pkt + pkt_len, sizeof(tb)); /* packet body beginning */
pkt_len += sizeof(tb);
diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c
index a677de0..19a72c9 100644
--- a/libtac/lib/author_r.c
+++ b/libtac/lib/author_r.c
@@ -43,7 +43,7 @@ int tac_author_read(int fd, struct areply *re) {
struct author_reply *tb = NULL;
size_t len_from_header, len_from_body;
ssize_t packet_read;
- u_char *pktp = NULL;
+ unsigned char *pktp = NULL;
char *msg = NULL;
int timeleft = 0;
re->msg = NULL;
@@ -114,7 +114,7 @@ int tac_author_read(int fd, struct areply *re) {
}
/* decrypt the body */
- _tac_crypt((u_char *) tb, &th);
+ _tac_crypt((unsigned char *) tb, &th);
/* Convert network byte order to host byte order */
tb->msg_len = ntohs(tb->msg_len);
@@ -127,7 +127,7 @@ int tac_author_read(int fd, struct areply *re) {
len_from_body = TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE + tb->msg_len
+ tb->data_len;
- pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE;
+ pktp = (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE;
/* cycle through the arguments supplied in the packet */
for (r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT;
@@ -141,7 +141,7 @@ int tac_author_read(int fd, struct areply *re) {
free(tb);
return re->status;
}
- len_from_body += sizeof(u_char); /* add arg length field's size*/
+ len_from_body += sizeof(unsigned char); /* add arg length field's size*/
len_from_body += *pktp; /* add arg length itself */
pktp++;
}
@@ -160,8 +160,8 @@ int tac_author_read(int fd, struct areply *re) {
if (tb->msg_len) {
char *msg = (char *) xcalloc(1, tb->msg_len + 1);
bcopy(
- (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE
- + (tb->arg_cnt) * sizeof(u_char), msg, tb->msg_len);
+ (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE
+ + (tb->arg_cnt) * sizeof(unsigned char), msg, tb->msg_len);
msg[(int) tb->msg_len] = '\0';
re->msg = msg; /* freed by caller */
}
@@ -170,8 +170,8 @@ int tac_author_read(int fd, struct areply *re) {
if (tb->data_len) {
char *smsg = (char *) xcalloc(1, tb->data_len + 1);
bcopy(
- (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE
- + (tb->arg_cnt) * sizeof(u_char) + tb->msg_len, smsg,
+ (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE
+ + (tb->arg_cnt) * sizeof(unsigned char) + tb->msg_len, smsg,
tb->data_len);
smsg[(int) tb->data_len] = '\0';
TACSYSLOG(LOG_ERR, "%s: reply message: %s", __FUNCTION__, smsg);
@@ -190,7 +190,7 @@ int tac_author_read(int fd, struct areply *re) {
/*FALLTHRU*/
case TAC_PLUS_AUTHOR_STATUS_PASS_ADD: {
- u_char *argp;
+ unsigned char *argp;
if (!re->msg)
re->msg = xstrdup(author_ok_msg);
@@ -198,8 +198,8 @@ int tac_author_read(int fd, struct areply *re) {
/* add attributes received to attribute list returned to
the client */
- pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE;
- argp = pktp + (tb->arg_cnt * sizeof(u_char)) + tb->msg_len
+ pktp = (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE;
+ argp = pktp + (tb->arg_cnt * sizeof(unsigned char)) + tb->msg_len
+ tb->data_len;
TACSYSLOG(LOG_DEBUG, "Args cnt %d", tb->arg_cnt);
/* argp points to current argument string
diff --git a/libtac/lib/author_s.c b/libtac/lib/author_s.c
index d067e2c..db05008 100644
--- a/libtac/lib/author_s.c
+++ b/libtac/lib/author_s.c
@@ -37,14 +37,14 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr,
HDR *th;
struct author tb;
- u_char user_len, port_len, r_addr_len;
+ unsigned char user_len, port_len, r_addr_len;
struct tac_attrib *a;
int i = 0; /* attributes count */
int pkt_len = 0; /* current packet length */
int pktl = 0; /* temporary storage for previous pkt_len values */
int w; /* write() return value */
- u_char *pkt = NULL; /* packet building pointer */
- /* u_char *pktp; *//* obsolete */
+ unsigned char *pkt = NULL; /* packet building pointer */
+ /* unsigned char *pktp; *//* obsolete */
int ret = 0;
th = _tac_req_header(TAC_PLUS_AUTHOR, 0);
@@ -59,9 +59,9 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr,
__FUNCTION__, user,
tty, r_addr, tac_encryption ? "yes" : "no");
- user_len = (u_char) strlen(user);
- port_len = (u_char) strlen(tty);
- r_addr_len = (u_char) strlen(r_addr);
+ user_len = (unsigned char) strlen(user);
+ port_len = (unsigned char) strlen(tty);
+ r_addr_len = (unsigned char) strlen(r_addr);
tb.authen_method = tac_authen_method;
tb.priv_lvl = tac_priv_lvl;
@@ -83,7 +83,7 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr,
tb.r_addr_len = r_addr_len;
/* allocate packet */
- pkt = (u_char *) xcalloc(1, TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE);
+ pkt = (unsigned char *) xcalloc(1, TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE);
pkt_len = sizeof(tb);
/* fill attribute length fields */
@@ -91,7 +91,7 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr,
while (a) {
pktl = pkt_len;
pkt_len += sizeof(a->attr_len);
- pkt = (u_char*) xrealloc(pkt, pkt_len);
+ pkt = (unsigned char*) xrealloc(pkt, pkt_len);
/* bad method: realloc() is allowed to return different pointer
with each call
@@ -120,7 +120,7 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr,
#define PUTATTR(data, len) \
pktl = pkt_len; \
pkt_len += len; \
- pkt = (u_char*) xrealloc(pkt, pkt_len); \
+ pkt = (unsigned char*) xrealloc(pkt, pkt_len); \
bcopy(data, pkt + pktl, len);
/* fill user and port fields */
diff --git a/libtac/lib/cont_s.c b/libtac/lib/cont_s.c
index e281567..50c01d9 100644
--- a/libtac/lib/cont_s.c
+++ b/libtac/lib/cont_s.c
@@ -41,7 +41,7 @@ int tac_cont_send_seq(int fd, const char *pass, int seq) {
int pass_len, bodylength, w;
int pkt_len = 0;
int ret = 0;
- u_char *pkt = NULL;
+ unsigned char *pkt = NULL;
th = _tac_req_header(TAC_PLUS_AUTHEN, 1);
@@ -75,7 +75,7 @@ int tac_cont_send_seq(int fd, const char *pass, int seq) {
}
/* build the packet */
- pkt = (u_char *) xcalloc(1, bodylength);
+ pkt = (unsigned char *) xcalloc(1, bodylength);
bcopy(&tb, pkt + pkt_len, TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE); /* packet body beginning */
pkt_len += TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE;
diff --git a/libtac/lib/crypt.c b/libtac/lib/crypt.c
index b3e3158..5bf0107 100644
--- a/libtac/lib/crypt.c
+++ b/libtac/lib/crypt.c
@@ -36,7 +36,7 @@
Use data from packet header and secret, which
should be a global variable */
static void _tac_md5_pad(const HDR *hdr,
- u_char *new_digest, u_char *old_digest) {
+ unsigned char *new_digest, unsigned char *old_digest) {
unsigned tac_secret_len = strlen(tac_secret);
MD5_CTX mdcontext;
@@ -45,8 +45,8 @@ static void _tac_md5_pad(const HDR *hdr,
/* place session_id, key, version and seq_no in buffer */
MD5_Init(&mdcontext);
- MD5_Update(&mdcontext, (const u_char *) &hdr->session_id, sizeof(hdr->session_id));
- MD5_Update(&mdcontext, (const u_char *) tac_secret, tac_secret_len);
+ MD5_Update(&mdcontext, (const unsigned char *) &hdr->session_id, sizeof(hdr->session_id));
+ MD5_Update(&mdcontext, (const unsigned char *) tac_secret, tac_secret_len);
MD5_Update(&mdcontext, &hdr->version, sizeof(hdr->version));
MD5_Update(&mdcontext, &hdr->seq_no, sizeof(hdr->seq_no));
@@ -62,12 +62,12 @@ static void _tac_md5_pad(const HDR *hdr,
/* Perform encryption/decryption on buffer. This means simply XORing
each byte from buffer with according byte from pseudo-random
pad. */
-void _tac_crypt(u_char *buf, const HDR *th) {
+void _tac_crypt(unsigned char *buf, const HDR *th) {
unsigned i, j, length = ntohl(th->datalength);
/* null operation if no encryption requested */
if((tac_secret != NULL) && (th->encryption & TAC_PLUS_UNENCRYPTED_FLAG) != TAC_PLUS_UNENCRYPTED_FLAG) {
- u_char digest[MD5_LBLOCK];
+ unsigned char digest[MD5_LBLOCK];
for (i=0; i<length; i++) {
j = i % MD5_LBLOCK;
diff --git a/libtac/lib/header.c b/libtac/lib/header.c
index 2156d2a..7331947 100644
--- a/libtac/lib/header.c
+++ b/libtac/lib/header.c
@@ -66,7 +66,7 @@ int tac_readtimeout_enable = 0;
* field depends on the TACACS+ request type and thus it
* cannot be predefined.
*/
-HDR *_tac_req_header(u_char type, int cont_session) {
+HDR *_tac_req_header(unsigned char type, int cont_session) {
HDR *th;
th=(HDR *) xcalloc(1, TAC_PLUS_HDR_SIZE);

52
package/libpam-tacplus/0003-Fix-unused-parameters-with-musl.patch
View file

@ -1,52 +0,0 @@
From a46b3f48d27f6a229627ef731fc23e3971056caa Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Sat, 25 Jan 2020 10:51:36 +0100
Subject: [PATCH] Fix unused parameters with musl
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/kravietz/pam_tacplus/commit/a46b3f48d27f6a229627ef731fc23e3971056caa]
---
support.c | 1 +
tacc.c | 3 +++
2 files changed, 4 insertions(+)
diff --git a/support.c b/support.c
index 6e3fe45..76a5102 100644
--- a/support.c
+++ b/support.c
@@ -116,6 +116,7 @@ int converse(pam_handle_t *pamh, int nargs, const struct pam_message *message,
int tacacs_get_password(pam_handle_t *pamh, int flags __Unused,
int ctrl, char **password) {
+ (void) flags;
const void *pam_pass;
char *pass = NULL;
diff --git a/tacc.c b/tacc.c
index 302058a..ef9d081 100644
--- a/tacc.c
+++ b/tacc.c
@@ -498,6 +498,7 @@ int main(int argc, char **argv) {
}
void sighandler(int sig __Unused) {
+ (void) sig;
TACDEBUG(LOG_DEBUG, "caught signal %d", sig);
}
@@ -602,12 +603,14 @@ void showversion(char *progname) {
}
void timeout_handler(int signum __Unused) {
+ (void) signum;
syslog(LOG_ERR, "timeout reading password from user %s", g_user);
}
#ifdef TACDEBUG_AT_RUNTIME
void logmsg(int level __Unused, const char *fmt, ...)
{
+ (void) level;
va_list ap;
va_start(ap, fmt);

80
package/libpam-tacplus/0004-fix-build-failure-when-time_t-is-64-bits.patch
View file

@ -1,80 +0,0 @@
From 74a6cc484a83270273b373da17c05c1e394d3dd9 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Sun, 17 May 2020 21:55:11 +0200
Subject: [PATCH] fix build failure when time_t is 64 bits
Build can fail if time_t is 64 bits and not 32 bits because of the
following warning (which results in a build failure due to -Werror):
tacc.c: In function 'main':
tacc.c:346:25: error: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'time_t' {aka 'long long int'} [-Werror=format=]
sprintf(buf, "%lu", time(0));
~~^ ~~~~~~~
%llu
Instead of casting time_t to unsigned long as already done in
pam_tacplus.c, use strftime which seems the right approach to
convert time_t into a string. While at it, also update pam_tacplus.c.
Fixes:
- http://autobuild.buildroot.org/results/874433d8cb30d21332f23024081a8b6d7b3254ae
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/kravietz/pam_tacplus/commit/74a6cc484a83270273b373da17c05c1e394d3dd9]
---
pam_tacplus.c | 6 +++++-
tacc.c | 12 ++++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/pam_tacplus.c b/pam_tacplus.c
index 7d8bb5f..a0cb83d 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -86,10 +86,14 @@ int _pam_send_account(int tac_fd, int type, const char *user, char *tty,
char buf[64];
struct tac_attrib *attr;
int retval;
+ time_t t;
+ struct tm tm;
attr = (struct tac_attrib *) xcalloc(1, sizeof(struct tac_attrib));
- sprintf(buf, "%lu", (unsigned long) time(NULL));
+ t = time(NULL);
+ gmtime_r(&t, &tm);
+ strftime(buf, sizeof(buf), "%s", &tm);
if (type == TAC_PLUS_ACCT_FLAG_START) {
tac_add_attrib(&attr, "start_time", buf);
diff --git a/tacc.c b/tacc.c
index ef9d081..affc649 100644
--- a/tacc.c
+++ b/tacc.c
@@ -342,8 +342,12 @@ int main(int argc, char **argv) {
if (do_account) {
/* start accounting */
struct tac_attrib *attr = NULL;
+ time_t t;
+ struct tm tm;
- sprintf(buf, "%lu", time(0));
+ t = time(0);
+ gmtime_r(&t, &tm);
+ strftime(buf, sizeof(buf), "%s", &tm);
tac_add_attrib(&attr, "start_time", buf);
// this is not crypto but merely an identifier
@@ -452,7 +456,11 @@ int main(int argc, char **argv) {
if (do_account) {
/* stop accounting */
struct tac_attrib *attr = NULL;
- sprintf(buf, "%lu", time(0));
+ time_t t;
+ struct tm tm;
+ t = time(0);
+ gmtime_r(&t, &tm);
+ strftime(buf, sizeof(buf), "%s", &tm);
tac_add_attrib(&attr, "stop_time", buf);
sprintf(buf, "%hu", task_id);
tac_add_attrib(&attr, "task_id", buf);

146
package/libpam-tacplus/0005-Check-for-failure-of-OpenSSL-RAND_pseudo_bytes.patch
View file

@ -1,146 +0,0 @@
From c9bed7496e81e550ee22746f23bbb11be2e046ed Mon Sep 17 00:00:00 2001
From: Duncan Eastoe <duncan.eastoe@att.com>
Date: Thu, 22 Oct 2020 19:18:27 +0100
Subject: [PATCH] magic.c: check for failure of RAND_[pseudo_]bytes
When magic() is implemented via libcrypto's RAND_bytes or
RAND_pseudo_bytes we should check for a failure and abort to
ensure we don't use a predictable session_id.
This prevents (further) weakening* of the TACACS+ protocol
"encryption" since session_id is an input to the algorithm.
*by modern standards TACACS+ is deemed "obfuscated" - RFC 8907.
[Retrieved from:
https://github.com/kravietz/pam_tacplus/commit/468cc9d484364ecdc8bb245805f5c1fcb415fec9]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
libtac/lib/magic.c | 26 +++++++++++++++++++++-----
pam_tacplus.c | 6 ++++++
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/libtac/lib/magic.c b/libtac/lib/magic.c
index e13a483..ae6b44f 100644
--- a/libtac/lib/magic.c
+++ b/libtac/lib/magic.c
@@ -81,26 +81,42 @@ magic()
#elif defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO)
+#include <openssl/err.h>
#include <openssl/rand.h>
/* RAND_bytes is OpenSSL's classic function to obtain cryptographic strength pseudo-random bytes
- however, since the magic() function is used to generate TACACS+ session id rather than crypto keys
- we can use RAND_pseudo_bytes() which doesn't deplete the system's entropy pool
+ however, we can use RAND_pseudo_bytes() which doesn't deplete the system's entropy pool, so long
+ as it returns a "cryptographically strong" result - since session_id is an input to the TACACS+
+ "encryption" ("obfuscation" by modern standards - RFC 8907) algorithm.
*/
u_int32_t
magic()
{
u_int32_t num;
+ int ret;
#ifdef HAVE_RAND_BYTES
- RAND_bytes((unsigned char *)&num, sizeof(num));
+ ret = RAND_bytes((unsigned char *)&num, sizeof(num));
#elif HAVE_RAND_PSEUDO_BYTES
- RAND_pseudo_bytes((unsigned char *)&num, sizeof(num));
+ ret = RAND_pseudo_bytes((unsigned char *)&num, sizeof(num));
#else
#error Neither RAND_bytes nor RAND_pseudo_bytes seems to be available
#endif
- return num;
+
+ /* RAND_bytes success / RAND_pseudo_bytes "cryptographically strong" result */
+ if (ret == 1)
+ return num;
+
+ TACSYSLOG(LOG_CRIT,"%s: "
+#ifdef HAVE_RAND_BYTES
+ "RAND_bytes "
+#else
+ "RAND_pseudo_bytes "
+#endif
+ "failed; ret: %d err: %ld", __FUNCTION__, ret, ERR_get_error());
+
+ exit(1);
}
#else
diff --git a/pam_tacplus.c b/pam_tacplus.c
index a0cb83d..4999ca9 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -718,6 +718,12 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int UNUSED(flags), int argc,
PAM_EXTERN
int pam_sm_open_session(pam_handle_t *pamh, int UNUSED(flags), int argc,
const char **argv) {
+
+/* Task ID has no need to be cryptographically strong so we don't
+ * check for failures of the RAND functions. If they fail then we are
+ * as well sending the accounting request regardless of whether any value
+ * was written to task_id.
+ */
#if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO)
# if defined(HAVE_RAND_BYTES)
RAND_bytes((unsigned char *) &task_id, sizeof(task_id));
From bceaab0cd51a09b88f40f19da799ac7390264bf8 Mon Sep 17 00:00:00 2001
From: Duncan Eastoe <duncan.eastoe@att.com>
Date: Fri, 23 Oct 2020 11:23:07 +0100
Subject: [PATCH 2/2] pam_tacplus.c: Fallback to using PID as task ID
If there is a failure obtaining a random task ID for the session
accounting request then fallback to using the PID, as this is unique
for the lifetime of the PAM application and therefore session.
---
pam_tacplus.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/pam_tacplus.c b/pam_tacplus.c
index 4999ca9..b69e3d0 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -100,8 +100,13 @@ int _pam_send_account(int tac_fd, int type, const char *user, char *tty,
} else if (type == TAC_PLUS_ACCT_FLAG_STOP) {
tac_add_attrib(&attr, "stop_time", buf);
}
- sprintf(buf, "%hu", task_id);
+
+ if (task_id == 0)
+ snprintf(buf, sizeof(buf), "%d", getpid());
+ else
+ snprintf(buf, sizeof(buf), "%hu", task_id);
tac_add_attrib(&attr, "task_id", buf);
+
tac_add_attrib(&attr, "service", tac_service);
if (tac_protocol[0] != '\0')
tac_add_attrib(&attr, "protocol", tac_protocol);
@@ -720,9 +725,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int UNUSED(flags), int argc,
const char **argv) {
/* Task ID has no need to be cryptographically strong so we don't
- * check for failures of the RAND functions. If they fail then we are
- * as well sending the accounting request regardless of whether any value
- * was written to task_id.
+ * check for failures of the RAND functions. If we fail to get an ID we
+ * fallback to using our PID (in _pam_send_account).
*/
#if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO)
# if defined(HAVE_RAND_BYTES)
@@ -734,6 +738,10 @@ int pam_sm_open_session(pam_handle_t *pamh, int UNUSED(flags), int argc,
task_id=(short int) magic();
#endif
+ if (task_id == 0)
+ syslog(LOG_INFO, "%s: failed to generate random task ID, "
+ "falling back to PID", __FUNCTION__);
+
return _pam_account(pamh, argc, argv, TAC_PLUS_ACCT_FLAG_START, NULL);
} /* pam_sm_open_session */

4
package/libpam-tacplus/libpam-tacplus.hash
View file

@ -1,3 +1,3 @@
# Locally calculated
sha256 82f204b949b2a55d0711b314c6e3b213bd1c0c1ee0d9ba15680570db22bff2d8 libpam-tacplus-1.5.1.tar.gz
sha256 b2b961f07e97c4fb78074276da304ea36b85dc299aae5efb79080cedaea3d5ac COPYING
sha256 73961800dc0d5e422751ad4c9f09b1863ab33e381e0bdb2a1d0343dcfc30e44e libpam-tacplus-1.6.1.tar.gz
sha256 b2b961f07e97c4fb78074276da304ea36b85dc299aae5efb79080cedaea3d5ac COPYING

5
package/libpam-tacplus/libpam-tacplus.mk
View file

@ -4,7 +4,7 @@
#
################################################################################
LIBPAM_TACPLUS_VERSION = 1.5.1
LIBPAM_TACPLUS_VERSION = 1.6.1
LIBPAM_TACPLUS_SITE = $(call github,jeroennijhof,pam_tacplus,v$(LIBPAM_TACPLUS_VERSION))
LIBPAM_TACPLUS_LICENSE = GPL-2.0+
LIBPAM_TACPLUS_LICENSE_FILES = COPYING
@ -17,7 +17,4 @@ LIBPAM_TACPLUS_INSTALL_STAGING = YES
LIBPAM_TACPLUS_CONF_ENV = \
ax_cv_check_cflags___fstack_protector_all=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)
# 0005-Check-for-failure-of-OpenSSL-RAND_pseudo_bytes.patch
LIBPAM_TACPLUS_IGNORE_CVES += CVE-2020-27743
$(eval $(autotools-package))