instead of sudo's own SHA2 implementation.
gss_krb5_ccache_name() provides a better API to do this it
is not supported by all Kerberos V and SASL combinations.
+ --enable-gcrypt[=DIR]
+ Use GNU crypt's SHA-2 message digest functions instead of the
+ ones bundled with sudo (or in the system's C library).
+ If specified, DIR should contain include and lib directories
+ with gcrypt.h and libgcrypt respectively.
+
--enable-openssl[=DIR]
Use OpenSSL's SHA-2 message digest functions instead of the
ones bundled with sudo (or in the system's C library).
plugins/sudoers/editor.c
plugins/sudoers/env.c
plugins/sudoers/filedigest.c
+plugins/sudoers/filedigest_gcrypt.c
plugins/sudoers/filedigest_openssl.c
plugins/sudoers/find_path.c
plugins/sudoers/gc.c
enable_warnings
enable_werror
enable_openssl
+enable_gcrypt
enable_hardening
enable_pie
enable_asan
--enable-werror Whether to enable the -Werror compiler option
--enable-openssl Use OpenSSL's message digest functions instead of
sudo's
+ --enable-gcrypt Use GNU crypt's message digest functions instead of
+ sudo's
--disable-hardening Do not use compiler/linker exploit mitigation
options
--enable-pie Build sudo as a position independent executable.
+if ${SUDOERS_LDFLAGS+:} false; then :
+
+ case " $SUDOERS_LDFLAGS " in #(
+ *" -L${enableval}/lib "*) :
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS already contains -L\${enableval}/lib"; } >&5
+ (: SUDOERS_LDFLAGS already contains -L${enableval}/lib) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } ;; #(
+ *) :
+
+ as_fn_append SUDOERS_LDFLAGS " -L${enableval}/lib"
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS=\"\$SUDOERS_LDFLAGS\""; } >&5
+ (: SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+ ;;
+esac
+
+else
+
+ SUDOERS_LDFLAGS=-L${enableval}/lib
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS=\"\$SUDOERS_LDFLAGS\""; } >&5
+ (: SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+
+fi
+
+ if test X"$enable_rpath" = X"yes"; then
+
+if ${SUDOERS_LDFLAGS_R+:} false; then :
+
+ case " $SUDOERS_LDFLAGS_R " in #(
+ *" -R${enableval}/lib "*) :
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS_R already contains -R\${enableval}/lib"; } >&5
+ (: SUDOERS_LDFLAGS_R already contains -R${enableval}/lib) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } ;; #(
+ *) :
+
+ as_fn_append SUDOERS_LDFLAGS_R " -R${enableval}/lib"
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS_R=\"\$SUDOERS_LDFLAGS_R\""; } >&5
+ (: SUDOERS_LDFLAGS_R="$SUDOERS_LDFLAGS_R") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+ ;;
+esac
+
+else
+
+ SUDOERS_LDFLAGS_R=-R${enableval}/lib
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS_R=\"\$SUDOERS_LDFLAGS_R\""; } >&5
+ (: SUDOERS_LDFLAGS_R="$SUDOERS_LDFLAGS_R") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+
+fi
+
+ fi
+
+ fi
+ ;;
+ esac
+
+fi
+
+
+# Check whether --enable-gcrypt was given.
+if test "${enable_gcrypt+set}" = set; then :
+ enableval=$enable_gcrypt; case $enableval in
+ no) ;;
+ *) LIBMD="-lgcrypt"
+ FILEDIGEST=filedigest_gcrypt.lo
+ if test "$enableval" != "yes"; then
+
+if ${CPPFLAGS+:} false; then :
+
+ case " $CPPFLAGS " in #(
+ *" -I${enableval}/include "*) :
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enableval}/include"; } >&5
+ (: CPPFLAGS already contains -I${enableval}/include) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } ;; #(
+ *) :
+
+ as_fn_append CPPFLAGS " -I${enableval}/include"
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+ (: CPPFLAGS="$CPPFLAGS") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+ ;;
+esac
+
+else
+
+ CPPFLAGS=-I${enableval}/include
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+ (: CPPFLAGS="$CPPFLAGS") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+
+fi
+
+
+
if ${SUDOERS_LDFLAGS+:} false; then :
case " $SUDOERS_LDFLAGS " in #(
esac
])
+AC_ARG_ENABLE(gcrypt,
+[AS_HELP_STRING([--enable-gcrypt], [Use GNU crypt's message digest functions instead of sudo's])],
+[ case $enableval in
+ no) ;;
+ *) LIBMD="-lgcrypt"
+ FILEDIGEST=filedigest_gcrypt.lo
+ if test "$enableval" != "yes"; then
+ AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS])
+ SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${enableval}/lib])
+ fi
+ ;;
+ esac
+])
+
AC_ARG_ENABLE(hardening,
[AS_HELP_STRING([--disable-hardening], [Do not use compiler/linker exploit mitigation options])],
[], [enable_hardening=yes])
$makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo solaris_audit.lo sssd.lo:;
# XXX - fill in AUTH_OBJS from contents of the auth dir instead
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
- $makefile =~ s:\@FILEDIGEST\@:filedigest.lo filedigest_openssl.lo:;
+ $makefile =~ s:\@FILEDIGEST\@:filedigest.lo filedigest_openssl.lo filedigest_gcrypt.lo:;
$makefile =~ s:\@LTLIBOBJS\@:closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo strtonum.lo utimens.lo vsyslog.lo:;
# Parse OBJS lines
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/filedigest.c
+filedigest_gcrypt.lo: $(srcdir)/filedigest_gcrypt.c $(devdir)/def_data.h \
+ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+ $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+ $(srcdir)/logging.h $(srcdir)/parse.h \
+ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+ $(top_builddir)/pathnames.h
+ $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/filedigest_gcrypt.c
filedigest_openssl.lo: $(srcdir)/filedigest_openssl.c $(devdir)/def_data.h \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
--- /dev/null
+/*
+ * Copyright (c) 2017 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <gcrypt.h>
+
+#include "sudoers.h"
+#include "parse.h"
+
+unsigned char *
+sudo_filedigest(int fd, const char *file, int digest_type, size_t *digest_lenp)
+{
+ unsigned char *file_digest = NULL;
+ unsigned char buf[32 * 1024];
+ int fd2, gcry_digest_type;
+ size_t digest_len, nread;
+ gcry_error_t error;
+ gcry_md_hd_t ctx;
+ FILE *fp = NULL;
+ debug_decl(sudo_filedigest, SUDOERS_DEBUG_UTIL)
+
+ switch (digest_type) {
+ case SUDO_DIGEST_SHA224:
+ gcry_digest_type = GCRY_MD_SHA224;
+ break;
+ case SUDO_DIGEST_SHA256:
+ gcry_digest_type = GCRY_MD_SHA256;
+ break;
+ case SUDO_DIGEST_SHA384:
+ gcry_digest_type = GCRY_MD_SHA384;
+ break;
+ case SUDO_DIGEST_SHA512:
+ gcry_digest_type = GCRY_MD_SHA512;
+ break;
+ default:
+ sudo_warnx(U_("unsupported digest type %d for %s"), digest_type, file);
+ debug_return_ptr(NULL);
+ }
+
+ error = gcry_md_open(&ctx, gcry_digest_type, 0);
+ if (error != 0) {
+ sudo_warnx(U_("%s: %s"), digest_type_to_name(digest_type),
+ gcry_strerror(error));
+ goto bad;
+ }
+ digest_len = gcry_md_get_algo_dlen(gcry_digest_type);
+
+ if ((fd2 = dup(fd)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s",
+ file, strerror(errno));
+ goto bad;
+ }
+ if ((fp = fdopen(fd2, "r")) == NULL) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "unable to fdopen %s: %s",
+ file, strerror(errno));
+ close(fd2);
+ goto bad;
+ }
+ if ((file_digest = malloc(digest_len)) == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ goto bad;
+ }
+
+ while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
+ gcry_md_write(ctx, buf, nread);
+ }
+ if (ferror(fp)) {
+ sudo_warnx(U_("%s: read error"), file);
+ goto bad;
+ }
+ gcry_md_final(ctx);
+ fclose(fp);
+
+ memcpy(file_digest, gcry_md_read(ctx, 0), digest_len);
+ *digest_lenp = digest_len;
+ debug_return_ptr(file_digest);
+bad:
+ free(file_digest);
+ gcry_md_close(ctx);
+ if (fp != NULL)
+ fclose(fp);
+ debug_return_ptr(NULL);
+}
projects / sudo / commitdiff