and PAM as code. As a side effect, this simplifies the code for CVEs.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@820 185d5e19-27fe-0310-9dcf-9bff6b9f3609
- Rename the uri command to geturi (but retain backward compatibility).
- Add a getkey command that prints the key in hexadecimal.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@818 185d5e19-27fe-0310-9dcf-9bff6b9f3609
size of the buffer is not necessarily known, and which can replace the
"memset(str, 0, strlen(str))" idiom. Use it to clear buffers which may
have contained authentication tokens.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@803 185d5e19-27fe-0310-9dcf-9bff6b9f3609
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
however, we want to record the *next* allowed counter value.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@794 185d5e19-27fe-0310-9dcf-9bff6b9f3609
they were being used as array indices. Cast them back to uint8_t.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@779 185d5e19-27fe-0310-9dcf-9bff6b9f3609
- Return the desired length when the buffer is too small.
- Annotate the switch so Bullseye doesn't complain about an uncovered
default case.
Decoder:
- The table approach was a good idea, but there was no way to tell the
difference between a character that decodes as 0 and an invalid
character. Modify the tables so an invalid character is indicated
by 0xff instead of 0x00.
- Check that padding starts in a valid position. Note that we still
don't check for left-over bits.
- The overflow test always failed, because we set *olen = len before
comparing them.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@776 185d5e19-27fe-0310-9dcf-9bff6b9f3609
functions and add many new tests, several of which fail.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@773 185d5e19-27fe-0310-9dcf-9bff6b9f3609
code is less strict about padding, thus ensuring compatibility with
implementations which do not understand padding, such as MIME::Base32.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@771 185d5e19-27fe-0310-9dcf-9bff6b9f3609
latter was derived from the former, and had a couple of copy-paste bugs
in addition to the padding bug.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@770 185d5e19-27fe-0310-9dcf-9bff6b9f3609