From 064251e292f1299d278a84746d2fea64600fc1c3 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sat, 31 Oct 2020 17:20:10 +0100 Subject: [PATCH] package/libpam-tacplus: bump to version 1.6.1 - Drop all patches (already in version) - Update indentation in hash file (two spaces) Signed-off-by: Fabrice Fontaine Signed-off-by: Thomas Petazzoni --- ...btac-lib-magic.c-fix-build-on-uclibc.patch | 52 -- .../0002-Drop-u_char-and-u_short.patch | 653 ------------------ ...0003-Fix-unused-parameters-with-musl.patch | 52 -- ...build-failure-when-time_t-is-64-bits.patch | 80 --- ...failure-of-OpenSSL-RAND_pseudo_bytes.patch | 146 ---- package/libpam-tacplus/libpam-tacplus.hash | 4 +- package/libpam-tacplus/libpam-tacplus.mk | 5 +- 7 files changed, 3 insertions(+), 989 deletions(-) delete mode 100644 package/libpam-tacplus/0001-libtac-lib-magic.c-fix-build-on-uclibc.patch delete mode 100644 package/libpam-tacplus/0002-Drop-u_char-and-u_short.patch delete mode 100644 package/libpam-tacplus/0003-Fix-unused-parameters-with-musl.patch delete mode 100644 package/libpam-tacplus/0004-fix-build-failure-when-time_t-is-64-bits.patch delete mode 100644 package/libpam-tacplus/0005-Check-for-failure-of-OpenSSL-RAND_pseudo_bytes.patch diff --git a/package/libpam-tacplus/0001-libtac-lib-magic.c-fix-build-on-uclibc.patch b/package/libpam-tacplus/0001-libtac-lib-magic.c-fix-build-on-uclibc.patch deleted file mode 100644 index 8cdbba4506..0000000000 --- a/package/libpam-tacplus/0001-libtac-lib-magic.c-fix-build-on-uclibc.patch +++ /dev/null @@ -1,52 +0,0 @@ -From b2af0aca53d696e6dad17d8a0351d233d1dd1200 Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Wed, 22 Jan 2020 20:51:59 +0100 -Subject: [PATCH] libtac/lib/magic.c: fix build on uclibc - -Commit 7e990f9db6d8805d369876f45964df87efad9e08 replaced _GNU_SOURCE by -AC_SYSTEM_EXTENSIONS. This is fine but then config.h must be included -before system includes otherwise build fails with uclibc on: - -libtac/lib/magic.c: In function 'magic': -libtac/lib/magic.c:70:11: error: implicit declaration of function 'getrandom' [-Werror=implicit-function-declaration] - ret = getrandom(&num, sizeof(num), GRND_NONBLOCK); - ^ - -Fixes: - - http://autobuild.buildroot.org/results/05c67484136f3bb433ce7fc47b2ce01167048cc2 - -Signed-off-by: Fabrice Fontaine -[Upstream status: https://github.com/kravietz/pam_tacplus/pull/137] ---- - libtac/lib/magic.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libtac/lib/magic.c b/libtac/lib/magic.c -index 9df5e3f..e13a483 100644 ---- a/libtac/lib/magic.c -+++ b/libtac/lib/magic.c -@@ -18,6 +18,10 @@ - * See `CHANGES' file for revision history. - */ - -+#ifdef HAVE_CONFIG_H -+ #include "config.h" -+#endif -+ - #include - #include - #include -@@ -27,10 +31,6 @@ - #include - #include - --#ifdef HAVE_CONFIG_H -- #include "config.h" --#endif -- - #include "magic.h" - - #ifdef _MSC_VER --- -2.24.1 - diff --git a/package/libpam-tacplus/0002-Drop-u_char-and-u_short.patch b/package/libpam-tacplus/0002-Drop-u_char-and-u_short.patch deleted file mode 100644 index 1921938356..0000000000 --- a/package/libpam-tacplus/0002-Drop-u_char-and-u_short.patch +++ /dev/null @@ -1,653 +0,0 @@ -From b6ec2208640456a9422a74b4f39a50ddb65e4970 Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Sat, 25 Jan 2020 10:42:20 +0100 -Subject: [PATCH] Drop u_char and u_short - -Replace u_char and u_short by unsigned char and unsigned short to fix -build on musl - -Signed-off-by: Fabrice Fontaine -[Retrieved from: -https://github.com/kravietz/pam_tacplus/commit/b6ec2208640456a9422a74b4f39a50ddb65e4970] ---- - libtac/include/libtac.h | 8 ++-- - libtac/include/tacplus.h | 88 ++++++++++++++++++++-------------------- - libtac/lib/acct_r.c | 4 +- - libtac/lib/acct_s.c | 20 ++++----- - libtac/lib/attrib.c | 6 +-- - libtac/lib/authen_r.c | 2 +- - libtac/lib/authen_s.c | 14 +++---- - libtac/lib/author_r.c | 22 +++++----- - libtac/lib/author_s.c | 18 ++++---- - libtac/lib/cont_s.c | 4 +- - libtac/lib/crypt.c | 10 ++--- - libtac/lib/header.c | 2 +- - 12 files changed, 99 insertions(+), 99 deletions(-) - -diff --git a/libtac/include/libtac.h b/libtac/include/libtac.h -index 4922bf7..d8c7289 100644 ---- a/libtac/include/libtac.h -+++ b/libtac/include/libtac.h -@@ -96,7 +96,7 @@ typedef unsigned int u_int32_t; - - struct tac_attrib { - char *attr; -- u_char attr_len; -+ unsigned char attr_len; - struct tac_attrib *next; - }; - -@@ -169,12 +169,12 @@ int tac_connect_single(const struct addrinfo *, const char *, struct addrinfo *, - char *tac_ntop(const struct sockaddr *); - - int tac_authen_send(int, const char *, const char *, const char *, const char *, -- u_char); -+ unsigned char); - int tac_authen_read(int, struct areply *); - int tac_cont_send_seq(int, const char *, int); - #define tac_cont_send(fd, pass) tac_cont_send_seq((fd), (pass), 3) --HDR *_tac_req_header(u_char, int); --void _tac_crypt(u_char *, const HDR *); -+HDR *_tac_req_header(unsigned char, int); -+void _tac_crypt(unsigned char *, const HDR *); - void tac_add_attrib(struct tac_attrib **, char *, char *); - void tac_free_attrib(struct tac_attrib **); - char *tac_acct_flag2str(int); -diff --git a/libtac/include/tacplus.h b/libtac/include/tacplus.h -index 90d7c8b..2ac8848 100644 ---- a/libtac/include/tacplus.h -+++ b/libtac/include/tacplus.h -@@ -24,7 +24,7 @@ - - /* All tacacs+ packets have the same header format */ - struct tac_plus_pak_hdr { -- u_char version; -+ unsigned char version; - - #define TAC_PLUS_MAJOR_VER_MASK 0xf0 - #define TAC_PLUS_MAJOR_VER 0xc0 -@@ -35,14 +35,14 @@ struct tac_plus_pak_hdr { - #define TAC_PLUS_MINOR_VER_1 0x01 - #define TAC_PLUS_VER_1 (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_1) - -- u_char type; -+ unsigned char type; - - #define TAC_PLUS_AUTHEN 0x01 - #define TAC_PLUS_AUTHOR 0x02 - #define TAC_PLUS_ACCT 0x03 - -- u_char seq_no; /* packet sequence number */ -- u_char encryption; /* packet is encrypted or cleartext */ -+ unsigned char seq_no; /* packet sequence number */ -+ unsigned char encryption; /* packet is encrypted or cleartext */ - - #define TAC_PLUS_ENCRYPTED_FLAG 0x00 /* packet is encrypted */ - #define TAC_PLUS_UNENCRYPTED_FLAG 0x01 /* packet is unencrypted */ -@@ -59,21 +59,21 @@ typedef struct tac_plus_pak_hdr HDR; - - /* Authentication packet NAS sends to us */ - struct authen_start { -- u_char action; -+ unsigned char action; - - #define TAC_PLUS_AUTHEN_LOGIN 0x01 - #define TAC_PLUS_AUTHEN_CHPASS 0x02 - #define TAC_PLUS_AUTHEN_SENDPASS 0x03 /* deprecated */ - #define TAC_PLUS_AUTHEN_SENDAUTH 0x04 - -- u_char priv_lvl; -+ unsigned char priv_lvl; - - #define TAC_PLUS_PRIV_LVL_MIN 0x00 - #define TAC_PLUS_PRIV_LVL_MAX 0x0f - #define TAC_PLUS_PRIV_LVL_USER 0x01 - #define TAC_PLUS_PRIV_LVL_ROOT 0x0f - -- u_char authen_type; -+ unsigned char authen_type; - - #define TAC_PLUS_AUTHEN_TYPE_ASCII 0x01 - #define TAC_PLUS_AUTHEN_TYPE_PAP 0x02 -@@ -81,7 +81,7 @@ struct authen_start { - #define TAC_PLUS_AUTHEN_TYPE_ARAP 0x04 - #define TAC_PLUS_AUTHEN_TYPE_MSCHAP 0x05 - -- u_char service; -+ unsigned char service; - - #define TAC_PLUS_AUTHEN_SVC_NONE 0x00 - #define TAC_PLUS_AUTHEN_SVC_LOGIN 0x01 -@@ -94,19 +94,19 @@ struct authen_start { - #define TAC_PLUS_AUTHEN_SVC_NASI 0x08 - #define TAC_PLUS_AUTHEN_SVC_FWPROXY 0x09 - -- u_char user_len; -- u_char port_len; -- u_char r_addr_len; -- u_char data_len; -+ unsigned char user_len; -+ unsigned char port_len; -+ unsigned char r_addr_len; -+ unsigned char data_len; - }; - - #define TAC_AUTHEN_START_FIXED_FIELDS_SIZE 8 - - /* Authentication continue packet NAS sends to us */ - struct authen_cont { -- u_short user_msg_len; -- u_short user_data_len; -- u_char flags; -+ unsigned short user_msg_len; -+ unsigned short user_data_len; -+ unsigned char flags; - - #define TAC_PLUS_CONTINUE_FLAG_ABORT 0x01 - -@@ -116,7 +116,7 @@ struct authen_cont { - - /* Authentication reply packet we send to NAS */ - struct authen_reply { -- u_char status; -+ unsigned char status; - - #define TAC_PLUS_AUTHEN_STATUS_PASS 0x01 - #define TAC_PLUS_AUTHEN_STATUS_FAIL 0x02 -@@ -127,12 +127,12 @@ struct authen_reply { - #define TAC_PLUS_AUTHEN_STATUS_ERROR 0x07 - #define TAC_PLUS_AUTHEN_STATUS_FOLLOW 0x21 - -- u_char flags; -+ unsigned char flags; - - #define TAC_PLUS_AUTHEN_FLAG_NOECHO 0x01 - -- u_short msg_len; -- u_short data_len; -+ unsigned short msg_len; -+ unsigned short data_len; - }; - - #define TAC_AUTHEN_REPLY_FIXED_FIELDS_SIZE 6 -@@ -158,29 +158,29 @@ struct authen_reply { - #define AUTHEN_METH_RCMD TAC_PLUS_AUTHEN_METH_RCMD - - struct acct { -- u_char flags; -+ unsigned char flags; - - #define TAC_PLUS_ACCT_FLAG_MORE 0x01 - #define TAC_PLUS_ACCT_FLAG_START 0x02 - #define TAC_PLUS_ACCT_FLAG_STOP 0x04 - #define TAC_PLUS_ACCT_FLAG_WATCHDOG 0x08 - -- u_char authen_method; -- u_char priv_lvl; -- u_char authen_type; -- u_char authen_service; -- u_char user_len; -- u_char port_len; -- u_char r_addr_len; -- u_char arg_cnt; /* the number of cmd args */ -+ unsigned char authen_method; -+ unsigned char priv_lvl; -+ unsigned char authen_type; -+ unsigned char authen_service; -+ unsigned char user_len; -+ unsigned char port_len; -+ unsigned char r_addr_len; -+ unsigned char arg_cnt; /* the number of cmd args */ - }; - - #define TAC_ACCT_REQ_FIXED_FIELDS_SIZE 9 - - struct acct_reply { -- u_short msg_len; -- u_short data_len; -- u_char status; -+ unsigned short msg_len; -+ unsigned short data_len; -+ unsigned char status; - - #define TAC_PLUS_ACCT_STATUS_SUCCESS 0x1 - #define TAC_PLUS_ACCT_STATUS_ERROR 0x2 -@@ -192,25 +192,25 @@ struct acct_reply { - - /* An authorization request packet */ - struct author { -- u_char authen_method; -- u_char priv_lvl; -- u_char authen_type; -- u_char service; -- -- u_char user_len; -- u_char port_len; -- u_char r_addr_len; -- u_char arg_cnt; /* the number of args */ -+ unsigned char authen_method; -+ unsigned char priv_lvl; -+ unsigned char authen_type; -+ unsigned char service; -+ -+ unsigned char user_len; -+ unsigned char port_len; -+ unsigned char r_addr_len; -+ unsigned char arg_cnt; /* the number of args */ - }; - - #define TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE 8 - - /* An authorization reply packet */ - struct author_reply { -- u_char status; -- u_char arg_cnt; -- u_short msg_len; -- u_short data_len; -+ unsigned char status; -+ unsigned char arg_cnt; -+ unsigned short msg_len; -+ unsigned short data_len; - - #define TAC_PLUS_AUTHOR_STATUS_PASS_ADD 0x01 - #define TAC_PLUS_AUTHOR_STATUS_PASS_REPL 0x02 -diff --git a/libtac/lib/acct_r.c b/libtac/lib/acct_r.c -index 44992e6..29ed901 100644 ---- a/libtac/lib/acct_r.c -+++ b/libtac/lib/acct_r.c -@@ -110,7 +110,7 @@ int tac_acct_read(int fd, struct areply *re) { - } - - /* decrypt the body */ -- _tac_crypt((u_char *) tb, &th); -+ _tac_crypt((unsigned char *) tb, &th); - - /* Convert network byte order to host byte order */ - tb->msg_len = ntohs(tb->msg_len); -@@ -133,7 +133,7 @@ int tac_acct_read(int fd, struct areply *re) { - /* save status and clean up */ - if(tb->msg_len) { - msg=(char *) xcalloc(1, tb->msg_len+1); -- bcopy((u_char *) tb+TAC_ACCT_REPLY_FIXED_FIELDS_SIZE, msg, tb->msg_len); -+ bcopy((unsigned char *) tb+TAC_ACCT_REPLY_FIXED_FIELDS_SIZE, msg, tb->msg_len); - msg[(int)tb->msg_len] = '\0'; - re->msg = msg; /* Freed by caller */ - } -diff --git a/libtac/lib/acct_s.c b/libtac/lib/acct_s.c -index db68067..4338ef2 100644 ---- a/libtac/lib/acct_s.c -+++ b/libtac/lib/acct_s.c -@@ -50,14 +50,14 @@ int tac_acct_send(int fd, int type, const char *user, char *tty, - - HDR *th; - struct acct tb; -- u_char user_len, port_len, r_addr_len; -+ unsigned char user_len, port_len, r_addr_len; - struct tac_attrib *a; - int i = 0; /* arg count */ - int pkt_len = 0; - int pktl = 0; - int w; /* write count */ -- u_char *pkt=NULL; -- /* u_char *pktp; */ /* obsolute */ -+ unsigned char *pkt=NULL; -+ /* unsigned char *pktp; */ /* obsolute */ - int ret = 0; - - th = _tac_req_header(TAC_PLUS_ACCT, 0); -@@ -71,11 +71,11 @@ int tac_acct_send(int fd, int type, const char *user, char *tty, - (tac_encryption) ? "yes" : "no", \ - tac_acct_flag2str(type)); - -- user_len=(u_char) strlen(user); -- port_len=(u_char) strlen(tty); -- r_addr_len=(u_char) strlen(r_addr); -+ user_len=(unsigned char) strlen(user); -+ port_len=(unsigned char) strlen(tty); -+ r_addr_len=(unsigned char) strlen(r_addr); - -- tb.flags=(u_char) type; -+ tb.flags=(unsigned char) type; - tb.authen_method=tac_authen_method; - tb.priv_lvl=tac_priv_lvl; - if (!*tac_login) { -@@ -96,7 +96,7 @@ int tac_acct_send(int fd, int type, const char *user, char *tty, - tb.r_addr_len=r_addr_len; - - /* allocate packet */ -- pkt=(u_char *) xcalloc(1, TAC_ACCT_REQ_FIXED_FIELDS_SIZE); -+ pkt=(unsigned char *) xcalloc(1, TAC_ACCT_REQ_FIXED_FIELDS_SIZE); - pkt_len=sizeof(tb); - - /* fill attribute length fields */ -@@ -104,7 +104,7 @@ int tac_acct_send(int fd, int type, const char *user, char *tty, - while (a) { - pktl = pkt_len; - pkt_len += sizeof(a->attr_len); -- pkt = (u_char*) xrealloc(pkt, pkt_len); -+ pkt = (unsigned char*) xrealloc(pkt, pkt_len); - - /* see comments in author_s.c - pktp=pkt + pkt_len; -@@ -132,7 +132,7 @@ int tac_acct_send(int fd, int type, const char *user, char *tty, - #define PUTATTR(data, len) \ - pktl = pkt_len; \ - pkt_len += len; \ -- pkt = (u_char*) xrealloc(pkt, pkt_len); \ -+ pkt = (unsigned char*) xrealloc(pkt, pkt_len); \ - bcopy(data, pkt + pktl, len); - - /* fill user and port fields */ -diff --git a/libtac/lib/attrib.c b/libtac/lib/attrib.c -index b8a7d82..c148288 100644 ---- a/libtac/lib/attrib.c -+++ b/libtac/lib/attrib.c -@@ -29,14 +29,14 @@ void tac_add_attrib(struct tac_attrib **attr, char *name, char *value) { - - void tac_add_attrib_pair(struct tac_attrib **attr, char *name, char sep, char *value) { - struct tac_attrib *a; -- u_char l1 = (u_char) strlen(name); -- u_char l2; -+ unsigned char l1 = (unsigned char) strlen(name); -+ unsigned char l2; - int total_len; - - if (value == NULL) { - l2 = 0; - } else { -- l2 = (u_char) strlen(value); -+ l2 = (unsigned char) strlen(value); - } - total_len = l1 + l2 + 1; /* "name" + "=" + "value" */ - -diff --git a/libtac/lib/authen_r.c b/libtac/lib/authen_r.c -index cc03e9b..3ffdc4d 100644 ---- a/libtac/lib/authen_r.c -+++ b/libtac/lib/authen_r.c -@@ -106,7 +106,7 @@ int tac_authen_read(int fd, struct areply *re) { - } - - /* decrypt the body */ -- _tac_crypt((u_char *) tb, &th); -+ _tac_crypt((unsigned char *) tb, &th); - - /* Convert network byte order to host byte order */ - tb->msg_len = ntohs(tb->msg_len); -diff --git a/libtac/lib/authen_s.c b/libtac/lib/authen_s.c -index b33d954..3bbb51a 100644 ---- a/libtac/lib/authen_s.c -+++ b/libtac/lib/authen_s.c -@@ -34,7 +34,7 @@ - - /* assume digest points to a buffer MD5_LEN size */ - static void --digest_chap(u_char digest[MD5_LBLOCK], uint8_t id, -+digest_chap(unsigned char digest[MD5_LBLOCK], uint8_t id, - const char *pass, unsigned pass_len, - const char *chal, unsigned chal_len) { - -@@ -46,8 +46,8 @@ digest_chap(u_char digest[MD5_LBLOCK], uint8_t id, - * for a single call. - */ - MD5_Update(&mdcontext, &id, sizeof(id)); -- MD5_Update(&mdcontext, (const u_char *)pass, pass_len); -- MD5_Update(&mdcontext, (const u_char *)chal, chal_len); -+ MD5_Update(&mdcontext, (const unsigned char *)pass, pass_len); -+ MD5_Update(&mdcontext, (const unsigned char *)chal, chal_len); - MD5_Final(digest, &mdcontext); - } - -@@ -62,7 +62,7 @@ digest_chap(u_char digest[MD5_LBLOCK], uint8_t id, - * LIBTAC_STATUS_ASSEMBLY_ERR - */ - int tac_authen_send(int fd, const char *user, const char *pass, const char *tty, -- const char *r_addr, u_char action) { -+ const char *r_addr, unsigned char action) { - - HDR *th; /* TACACS+ packet header */ - struct authen_start tb; /* message body */ -@@ -72,7 +72,7 @@ int tac_authen_send(int fd, const char *user, const char *pass, const char *tty, - int ret = 0; - char *chal = "1234123412341234"; - char *token = NULL; -- u_char *pkt = NULL; -+ unsigned char *pkt = NULL; - const uint8_t id = 5; - - th = _tac_req_header(TAC_PLUS_AUTHEN, 0); -@@ -99,7 +99,7 @@ int tac_authen_send(int fd, const char *user, const char *pass, const char *tty, - r_addr_len = strlen(r_addr); - - if (!strcmp(tac_login, "chap")) { -- u_char digest[MD5_LBLOCK]; -+ unsigned char digest[MD5_LBLOCK]; - - digest_chap(digest, id, pass, pass_len, chal, chal_len); - -@@ -159,7 +159,7 @@ int tac_authen_send(int fd, const char *user, const char *pass, const char *tty, - } - - /* build the packet */ -- pkt = (u_char *) xcalloc(1, bodylength + 10); -+ pkt = (unsigned char *) xcalloc(1, bodylength + 10); - - bcopy(&tb, pkt + pkt_len, sizeof(tb)); /* packet body beginning */ - pkt_len += sizeof(tb); -diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c -index a677de0..19a72c9 100644 ---- a/libtac/lib/author_r.c -+++ b/libtac/lib/author_r.c -@@ -43,7 +43,7 @@ int tac_author_read(int fd, struct areply *re) { - struct author_reply *tb = NULL; - size_t len_from_header, len_from_body; - ssize_t packet_read; -- u_char *pktp = NULL; -+ unsigned char *pktp = NULL; - char *msg = NULL; - int timeleft = 0; - re->msg = NULL; -@@ -114,7 +114,7 @@ int tac_author_read(int fd, struct areply *re) { - } - - /* decrypt the body */ -- _tac_crypt((u_char *) tb, &th); -+ _tac_crypt((unsigned char *) tb, &th); - - /* Convert network byte order to host byte order */ - tb->msg_len = ntohs(tb->msg_len); -@@ -127,7 +127,7 @@ int tac_author_read(int fd, struct areply *re) { - len_from_body = TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE + tb->msg_len - + tb->data_len; - -- pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE; -+ pktp = (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE; - - /* cycle through the arguments supplied in the packet */ - for (r = 0; r < tb->arg_cnt && r < TAC_PLUS_MAX_ARGCOUNT; -@@ -141,7 +141,7 @@ int tac_author_read(int fd, struct areply *re) { - free(tb); - return re->status; - } -- len_from_body += sizeof(u_char); /* add arg length field's size*/ -+ len_from_body += sizeof(unsigned char); /* add arg length field's size*/ - len_from_body += *pktp; /* add arg length itself */ - pktp++; - } -@@ -160,8 +160,8 @@ int tac_author_read(int fd, struct areply *re) { - if (tb->msg_len) { - char *msg = (char *) xcalloc(1, tb->msg_len + 1); - bcopy( -- (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE -- + (tb->arg_cnt) * sizeof(u_char), msg, tb->msg_len); -+ (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE -+ + (tb->arg_cnt) * sizeof(unsigned char), msg, tb->msg_len); - msg[(int) tb->msg_len] = '\0'; - re->msg = msg; /* freed by caller */ - } -@@ -170,8 +170,8 @@ int tac_author_read(int fd, struct areply *re) { - if (tb->data_len) { - char *smsg = (char *) xcalloc(1, tb->data_len + 1); - bcopy( -- (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE -- + (tb->arg_cnt) * sizeof(u_char) + tb->msg_len, smsg, -+ (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE -+ + (tb->arg_cnt) * sizeof(unsigned char) + tb->msg_len, smsg, - tb->data_len); - smsg[(int) tb->data_len] = '\0'; - TACSYSLOG(LOG_ERR, "%s: reply message: %s", __FUNCTION__, smsg); -@@ -190,7 +190,7 @@ int tac_author_read(int fd, struct areply *re) { - /*FALLTHRU*/ - - case TAC_PLUS_AUTHOR_STATUS_PASS_ADD: { -- u_char *argp; -+ unsigned char *argp; - - if (!re->msg) - re->msg = xstrdup(author_ok_msg); -@@ -198,8 +198,8 @@ int tac_author_read(int fd, struct areply *re) { - - /* add attributes received to attribute list returned to - the client */ -- pktp = (u_char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE; -- argp = pktp + (tb->arg_cnt * sizeof(u_char)) + tb->msg_len -+ pktp = (unsigned char *) tb + TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE; -+ argp = pktp + (tb->arg_cnt * sizeof(unsigned char)) + tb->msg_len - + tb->data_len; - TACSYSLOG(LOG_DEBUG, "Args cnt %d", tb->arg_cnt); - /* argp points to current argument string -diff --git a/libtac/lib/author_s.c b/libtac/lib/author_s.c -index d067e2c..db05008 100644 ---- a/libtac/lib/author_s.c -+++ b/libtac/lib/author_s.c -@@ -37,14 +37,14 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr, - - HDR *th; - struct author tb; -- u_char user_len, port_len, r_addr_len; -+ unsigned char user_len, port_len, r_addr_len; - struct tac_attrib *a; - int i = 0; /* attributes count */ - int pkt_len = 0; /* current packet length */ - int pktl = 0; /* temporary storage for previous pkt_len values */ - int w; /* write() return value */ -- u_char *pkt = NULL; /* packet building pointer */ -- /* u_char *pktp; *//* obsolete */ -+ unsigned char *pkt = NULL; /* packet building pointer */ -+ /* unsigned char *pktp; *//* obsolete */ - int ret = 0; - - th = _tac_req_header(TAC_PLUS_AUTHOR, 0); -@@ -59,9 +59,9 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr, - __FUNCTION__, user, - tty, r_addr, tac_encryption ? "yes" : "no"); - -- user_len = (u_char) strlen(user); -- port_len = (u_char) strlen(tty); -- r_addr_len = (u_char) strlen(r_addr); -+ user_len = (unsigned char) strlen(user); -+ port_len = (unsigned char) strlen(tty); -+ r_addr_len = (unsigned char) strlen(r_addr); - - tb.authen_method = tac_authen_method; - tb.priv_lvl = tac_priv_lvl; -@@ -83,7 +83,7 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr, - tb.r_addr_len = r_addr_len; - - /* allocate packet */ -- pkt = (u_char *) xcalloc(1, TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE); -+ pkt = (unsigned char *) xcalloc(1, TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE); - pkt_len = sizeof(tb); - - /* fill attribute length fields */ -@@ -91,7 +91,7 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr, - while (a) { - pktl = pkt_len; - pkt_len += sizeof(a->attr_len); -- pkt = (u_char*) xrealloc(pkt, pkt_len); -+ pkt = (unsigned char*) xrealloc(pkt, pkt_len); - - /* bad method: realloc() is allowed to return different pointer - with each call -@@ -120,7 +120,7 @@ int tac_author_send(int fd, const char *user, char *tty, char *r_addr, - #define PUTATTR(data, len) \ - pktl = pkt_len; \ - pkt_len += len; \ -- pkt = (u_char*) xrealloc(pkt, pkt_len); \ -+ pkt = (unsigned char*) xrealloc(pkt, pkt_len); \ - bcopy(data, pkt + pktl, len); - - /* fill user and port fields */ -diff --git a/libtac/lib/cont_s.c b/libtac/lib/cont_s.c -index e281567..50c01d9 100644 ---- a/libtac/lib/cont_s.c -+++ b/libtac/lib/cont_s.c -@@ -41,7 +41,7 @@ int tac_cont_send_seq(int fd, const char *pass, int seq) { - int pass_len, bodylength, w; - int pkt_len = 0; - int ret = 0; -- u_char *pkt = NULL; -+ unsigned char *pkt = NULL; - - th = _tac_req_header(TAC_PLUS_AUTHEN, 1); - -@@ -75,7 +75,7 @@ int tac_cont_send_seq(int fd, const char *pass, int seq) { - } - - /* build the packet */ -- pkt = (u_char *) xcalloc(1, bodylength); -+ pkt = (unsigned char *) xcalloc(1, bodylength); - - bcopy(&tb, pkt + pkt_len, TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE); /* packet body beginning */ - pkt_len += TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE; -diff --git a/libtac/lib/crypt.c b/libtac/lib/crypt.c -index b3e3158..5bf0107 100644 ---- a/libtac/lib/crypt.c -+++ b/libtac/lib/crypt.c -@@ -36,7 +36,7 @@ - Use data from packet header and secret, which - should be a global variable */ - static void _tac_md5_pad(const HDR *hdr, -- u_char *new_digest, u_char *old_digest) { -+ unsigned char *new_digest, unsigned char *old_digest) { - unsigned tac_secret_len = strlen(tac_secret); - MD5_CTX mdcontext; - -@@ -45,8 +45,8 @@ static void _tac_md5_pad(const HDR *hdr, - - /* place session_id, key, version and seq_no in buffer */ - MD5_Init(&mdcontext); -- MD5_Update(&mdcontext, (const u_char *) &hdr->session_id, sizeof(hdr->session_id)); -- MD5_Update(&mdcontext, (const u_char *) tac_secret, tac_secret_len); -+ MD5_Update(&mdcontext, (const unsigned char *) &hdr->session_id, sizeof(hdr->session_id)); -+ MD5_Update(&mdcontext, (const unsigned char *) tac_secret, tac_secret_len); - MD5_Update(&mdcontext, &hdr->version, sizeof(hdr->version)); - MD5_Update(&mdcontext, &hdr->seq_no, sizeof(hdr->seq_no)); - -@@ -62,12 +62,12 @@ static void _tac_md5_pad(const HDR *hdr, - /* Perform encryption/decryption on buffer. This means simply XORing - each byte from buffer with according byte from pseudo-random - pad. */ --void _tac_crypt(u_char *buf, const HDR *th) { -+void _tac_crypt(unsigned char *buf, const HDR *th) { - unsigned i, j, length = ntohl(th->datalength); - - /* null operation if no encryption requested */ - if((tac_secret != NULL) && (th->encryption & TAC_PLUS_UNENCRYPTED_FLAG) != TAC_PLUS_UNENCRYPTED_FLAG) { -- u_char digest[MD5_LBLOCK]; -+ unsigned char digest[MD5_LBLOCK]; - - for (i=0; i -Date: Sat, 25 Jan 2020 10:51:36 +0100 -Subject: [PATCH] Fix unused parameters with musl - -Signed-off-by: Fabrice Fontaine -[Retrieved from: -https://github.com/kravietz/pam_tacplus/commit/a46b3f48d27f6a229627ef731fc23e3971056caa] ---- - support.c | 1 + - tacc.c | 3 +++ - 2 files changed, 4 insertions(+) - -diff --git a/support.c b/support.c -index 6e3fe45..76a5102 100644 ---- a/support.c -+++ b/support.c -@@ -116,6 +116,7 @@ int converse(pam_handle_t *pamh, int nargs, const struct pam_message *message, - int tacacs_get_password(pam_handle_t *pamh, int flags __Unused, - int ctrl, char **password) { - -+ (void) flags; - const void *pam_pass; - char *pass = NULL; - -diff --git a/tacc.c b/tacc.c -index 302058a..ef9d081 100644 ---- a/tacc.c -+++ b/tacc.c -@@ -498,6 +498,7 @@ int main(int argc, char **argv) { - } - - void sighandler(int sig __Unused) { -+ (void) sig; - TACDEBUG(LOG_DEBUG, "caught signal %d", sig); - } - -@@ -602,12 +603,14 @@ void showversion(char *progname) { - } - - void timeout_handler(int signum __Unused) { -+ (void) signum; - syslog(LOG_ERR, "timeout reading password from user %s", g_user); - } - - #ifdef TACDEBUG_AT_RUNTIME - void logmsg(int level __Unused, const char *fmt, ...) - { -+ (void) level; - va_list ap; - - va_start(ap, fmt); diff --git a/package/libpam-tacplus/0004-fix-build-failure-when-time_t-is-64-bits.patch b/package/libpam-tacplus/0004-fix-build-failure-when-time_t-is-64-bits.patch deleted file mode 100644 index c349674d16..0000000000 --- a/package/libpam-tacplus/0004-fix-build-failure-when-time_t-is-64-bits.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 74a6cc484a83270273b373da17c05c1e394d3dd9 Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Sun, 17 May 2020 21:55:11 +0200 -Subject: [PATCH] fix build failure when time_t is 64 bits - -Build can fail if time_t is 64 bits and not 32 bits because of the -following warning (which results in a build failure due to -Werror): - -tacc.c: In function 'main': -tacc.c:346:25: error: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'time_t' {aka 'long long int'} [-Werror=format=] - sprintf(buf, "%lu", time(0)); - ~~^ ~~~~~~~ - %llu - -Instead of casting time_t to unsigned long as already done in -pam_tacplus.c, use strftime which seems the right approach to -convert time_t into a string. While at it, also update pam_tacplus.c. - -Fixes: - - http://autobuild.buildroot.org/results/874433d8cb30d21332f23024081a8b6d7b3254ae - -Signed-off-by: Fabrice Fontaine -[Retrieved from: -https://github.com/kravietz/pam_tacplus/commit/74a6cc484a83270273b373da17c05c1e394d3dd9] ---- - pam_tacplus.c | 6 +++++- - tacc.c | 12 ++++++++++-- - 2 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/pam_tacplus.c b/pam_tacplus.c -index 7d8bb5f..a0cb83d 100644 ---- a/pam_tacplus.c -+++ b/pam_tacplus.c -@@ -86,10 +86,14 @@ int _pam_send_account(int tac_fd, int type, const char *user, char *tty, - char buf[64]; - struct tac_attrib *attr; - int retval; -+ time_t t; -+ struct tm tm; - - attr = (struct tac_attrib *) xcalloc(1, sizeof(struct tac_attrib)); - -- sprintf(buf, "%lu", (unsigned long) time(NULL)); -+ t = time(NULL); -+ gmtime_r(&t, &tm); -+ strftime(buf, sizeof(buf), "%s", &tm); - - if (type == TAC_PLUS_ACCT_FLAG_START) { - tac_add_attrib(&attr, "start_time", buf); -diff --git a/tacc.c b/tacc.c -index ef9d081..affc649 100644 ---- a/tacc.c -+++ b/tacc.c -@@ -342,8 +342,12 @@ int main(int argc, char **argv) { - if (do_account) { - /* start accounting */ - struct tac_attrib *attr = NULL; -+ time_t t; -+ struct tm tm; - -- sprintf(buf, "%lu", time(0)); -+ t = time(0); -+ gmtime_r(&t, &tm); -+ strftime(buf, sizeof(buf), "%s", &tm); - tac_add_attrib(&attr, "start_time", buf); - - // this is not crypto but merely an identifier -@@ -452,7 +456,11 @@ int main(int argc, char **argv) { - if (do_account) { - /* stop accounting */ - struct tac_attrib *attr = NULL; -- sprintf(buf, "%lu", time(0)); -+ time_t t; -+ struct tm tm; -+ t = time(0); -+ gmtime_r(&t, &tm); -+ strftime(buf, sizeof(buf), "%s", &tm); - tac_add_attrib(&attr, "stop_time", buf); - sprintf(buf, "%hu", task_id); - tac_add_attrib(&attr, "task_id", buf); diff --git a/package/libpam-tacplus/0005-Check-for-failure-of-OpenSSL-RAND_pseudo_bytes.patch b/package/libpam-tacplus/0005-Check-for-failure-of-OpenSSL-RAND_pseudo_bytes.patch deleted file mode 100644 index ba87ca5a19..0000000000 --- a/package/libpam-tacplus/0005-Check-for-failure-of-OpenSSL-RAND_pseudo_bytes.patch +++ /dev/null @@ -1,146 +0,0 @@ -From c9bed7496e81e550ee22746f23bbb11be2e046ed Mon Sep 17 00:00:00 2001 -From: Duncan Eastoe -Date: Thu, 22 Oct 2020 19:18:27 +0100 -Subject: [PATCH] magic.c: check for failure of RAND_[pseudo_]bytes - -When magic() is implemented via libcrypto's RAND_bytes or -RAND_pseudo_bytes we should check for a failure and abort to -ensure we don't use a predictable session_id. - -This prevents (further) weakening* of the TACACS+ protocol -"encryption" since session_id is an input to the algorithm. - -*by modern standards TACACS+ is deemed "obfuscated" - RFC 8907. - -[Retrieved from: -https://github.com/kravietz/pam_tacplus/commit/468cc9d484364ecdc8bb245805f5c1fcb415fec9] -Signed-off-by: Fabrice Fontaine ---- - libtac/lib/magic.c | 26 +++++++++++++++++++++----- - pam_tacplus.c | 6 ++++++ - 2 files changed, 27 insertions(+), 5 deletions(-) - -diff --git a/libtac/lib/magic.c b/libtac/lib/magic.c -index e13a483..ae6b44f 100644 ---- a/libtac/lib/magic.c -+++ b/libtac/lib/magic.c -@@ -81,26 +81,42 @@ magic() - - #elif defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO) - -+#include - #include - - /* RAND_bytes is OpenSSL's classic function to obtain cryptographic strength pseudo-random bytes -- however, since the magic() function is used to generate TACACS+ session id rather than crypto keys -- we can use RAND_pseudo_bytes() which doesn't deplete the system's entropy pool -+ however, we can use RAND_pseudo_bytes() which doesn't deplete the system's entropy pool, so long -+ as it returns a "cryptographically strong" result - since session_id is an input to the TACACS+ -+ "encryption" ("obfuscation" by modern standards - RFC 8907) algorithm. - */ - - u_int32_t - magic() - { - u_int32_t num; -+ int ret; - - #ifdef HAVE_RAND_BYTES -- RAND_bytes((unsigned char *)&num, sizeof(num)); -+ ret = RAND_bytes((unsigned char *)&num, sizeof(num)); - #elif HAVE_RAND_PSEUDO_BYTES -- RAND_pseudo_bytes((unsigned char *)&num, sizeof(num)); -+ ret = RAND_pseudo_bytes((unsigned char *)&num, sizeof(num)); - #else - #error Neither RAND_bytes nor RAND_pseudo_bytes seems to be available - #endif -- return num; -+ -+ /* RAND_bytes success / RAND_pseudo_bytes "cryptographically strong" result */ -+ if (ret == 1) -+ return num; -+ -+ TACSYSLOG(LOG_CRIT,"%s: " -+#ifdef HAVE_RAND_BYTES -+ "RAND_bytes " -+#else -+ "RAND_pseudo_bytes " -+#endif -+ "failed; ret: %d err: %ld", __FUNCTION__, ret, ERR_get_error()); -+ -+ exit(1); - } - - #else -diff --git a/pam_tacplus.c b/pam_tacplus.c -index a0cb83d..4999ca9 100644 ---- a/pam_tacplus.c -+++ b/pam_tacplus.c -@@ -718,6 +718,12 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int UNUSED(flags), int argc, - PAM_EXTERN - int pam_sm_open_session(pam_handle_t *pamh, int UNUSED(flags), int argc, - const char **argv) { -+ -+/* Task ID has no need to be cryptographically strong so we don't -+ * check for failures of the RAND functions. If they fail then we are -+ * as well sending the accounting request regardless of whether any value -+ * was written to task_id. -+ */ - #if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO) - # if defined(HAVE_RAND_BYTES) - RAND_bytes((unsigned char *) &task_id, sizeof(task_id)); - -From bceaab0cd51a09b88f40f19da799ac7390264bf8 Mon Sep 17 00:00:00 2001 -From: Duncan Eastoe -Date: Fri, 23 Oct 2020 11:23:07 +0100 -Subject: [PATCH 2/2] pam_tacplus.c: Fallback to using PID as task ID - -If there is a failure obtaining a random task ID for the session -accounting request then fallback to using the PID, as this is unique -for the lifetime of the PAM application and therefore session. ---- - pam_tacplus.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/pam_tacplus.c b/pam_tacplus.c -index 4999ca9..b69e3d0 100644 ---- a/pam_tacplus.c -+++ b/pam_tacplus.c -@@ -100,8 +100,13 @@ int _pam_send_account(int tac_fd, int type, const char *user, char *tty, - } else if (type == TAC_PLUS_ACCT_FLAG_STOP) { - tac_add_attrib(&attr, "stop_time", buf); - } -- sprintf(buf, "%hu", task_id); -+ -+ if (task_id == 0) -+ snprintf(buf, sizeof(buf), "%d", getpid()); -+ else -+ snprintf(buf, sizeof(buf), "%hu", task_id); - tac_add_attrib(&attr, "task_id", buf); -+ - tac_add_attrib(&attr, "service", tac_service); - if (tac_protocol[0] != '\0') - tac_add_attrib(&attr, "protocol", tac_protocol); -@@ -720,9 +725,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int UNUSED(flags), int argc, - const char **argv) { - - /* Task ID has no need to be cryptographically strong so we don't -- * check for failures of the RAND functions. If they fail then we are -- * as well sending the accounting request regardless of whether any value -- * was written to task_id. -+ * check for failures of the RAND functions. If we fail to get an ID we -+ * fallback to using our PID (in _pam_send_account). - */ - #if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO) - # if defined(HAVE_RAND_BYTES) -@@ -734,6 +738,10 @@ int pam_sm_open_session(pam_handle_t *pamh, int UNUSED(flags), int argc, - task_id=(short int) magic(); - #endif - -+ if (task_id == 0) -+ syslog(LOG_INFO, "%s: failed to generate random task ID, " -+ "falling back to PID", __FUNCTION__); -+ - return _pam_account(pamh, argc, argv, TAC_PLUS_ACCT_FLAG_START, NULL); - } /* pam_sm_open_session */ - diff --git a/package/libpam-tacplus/libpam-tacplus.hash b/package/libpam-tacplus/libpam-tacplus.hash index b1cd053f12..084a3e54a4 100644 --- a/package/libpam-tacplus/libpam-tacplus.hash +++ b/package/libpam-tacplus/libpam-tacplus.hash @@ -1,3 +1,3 @@ # Locally calculated -sha256 82f204b949b2a55d0711b314c6e3b213bd1c0c1ee0d9ba15680570db22bff2d8 libpam-tacplus-1.5.1.tar.gz -sha256 b2b961f07e97c4fb78074276da304ea36b85dc299aae5efb79080cedaea3d5ac COPYING +sha256 73961800dc0d5e422751ad4c9f09b1863ab33e381e0bdb2a1d0343dcfc30e44e libpam-tacplus-1.6.1.tar.gz +sha256 b2b961f07e97c4fb78074276da304ea36b85dc299aae5efb79080cedaea3d5ac COPYING diff --git a/package/libpam-tacplus/libpam-tacplus.mk b/package/libpam-tacplus/libpam-tacplus.mk index 86a5b1c461..4e1f8bd173 100644 --- a/package/libpam-tacplus/libpam-tacplus.mk +++ b/package/libpam-tacplus/libpam-tacplus.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBPAM_TACPLUS_VERSION = 1.5.1 +LIBPAM_TACPLUS_VERSION = 1.6.1 LIBPAM_TACPLUS_SITE = $(call github,jeroennijhof,pam_tacplus,v$(LIBPAM_TACPLUS_VERSION)) LIBPAM_TACPLUS_LICENSE = GPL-2.0+ LIBPAM_TACPLUS_LICENSE_FILES = COPYING @@ -17,7 +17,4 @@ LIBPAM_TACPLUS_INSTALL_STAGING = YES LIBPAM_TACPLUS_CONF_ENV = \ ax_cv_check_cflags___fstack_protector_all=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no) -# 0005-Check-for-failure-of-OpenSSL-RAND_pseudo_bytes.patch -LIBPAM_TACPLUS_IGNORE_CVES += CVE-2020-27743 - $(eval $(autotools-package)) -- 2.30.2