From: "Christian Göttsche" <cgoettsche@seltendoof.de>
To: selinux@vger.kernel.org
Cc: "Christian Göttsche" <cgzones@googlemail.com>
Subject: [RFC PATCH 3/3] newrole: use ROWHAMMER resistant values
Date: Mon, 8 Apr 2024 17:30:06 +0200 [thread overview]
Message-ID: <20240408153006.69840-3-cgoettsche@seltendoof.de> (raw)
In-Reply-To: <20240408153006.69840-1-cgoettsche@seltendoof.de>
From: Christian Göttsche <cgzones@googlemail.com>
Use values for success and failure that are more resistant to bit flips,
to harden against potential ROWHAMMER attacks.
Inspired by [1].
[1]: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/newrole/newrole.c | 35 +++++++++++++++++--------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 59a5caa3..618c4101 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -89,6 +89,9 @@
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
+#define ALLOW 0x52a2925
+#define DENY 0xad5d6da
+
#define TRUE 1
#define FALSE 0
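Review bot: The new `ALLOW` and `DENY` macros have no comment explaining why these values were chosen or how they must be compared, and they sit directly above `TRUE`/`FALSE`, which keep ordinary boolean semantics. The two constants differ in all 28 low bits (`0x52a2925 ^ 0xad5d6da == 0xfffffff`), so many bit flips would be needed to turn one into the other. That protection holds only if callers test for the exact value. I would add something like `/* Authorization results: the two values differ in 28 bits so a few flipped bits cannot turn DENY into ALLOW. Both are non-zero; always compare with == ALLOW or != ALLOW, never by truthiness. */` above the defines.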
@@ -174,8 +177,8 @@ static const char *service_name = "newrole";
* out: nothing
* return: value condition
* ----- ---------
- * 1 PAM thinks that the user authenticated themselves properly
- * 0 otherwise
+ * ALLOW PAM thinks that the user authenticated themselves properly
+ * DENY otherwise
*
* This function uses PAM to authenticate the user running this
* program. This is the only function in this program that makes PAM
@@ -184,7 +187,7 @@ static const char *service_name = "newrole";
static int authenticate_via_pam(const char *ttyn, pam_handle_t * pam_handle)
{
- int result = 0; /* set to 0 (not authenticated) by default */
+ int result = DENY; /* set to DENY (not authenticated) by default */
int pam_rc; /* pam return code */
const char *tty_name;
@@ -210,7 +213,7 @@ static int authenticate_via_pam(const char *ttyn, pam_handle_t * pam_handle)
/* Ask PAM to verify acct_mgmt */
pam_rc = pam_acct_mgmt(pam_handle, 0);
if (pam_rc == PAM_SUCCESS) {
- result = 1; /* user authenticated OK! */
+ result = ALLOW; /* user authenticated OK! */
}
out:
@@ -348,12 +351,12 @@ static int streq_constant(const char *userinput, const char *secret)
s_len = strlen(secret);
if (u_len != s_len)
- return 0;
+ return DENY;
for (i = 0; i < u_len; i++)
ret |= x[i] ^ y[i];
- return ret == 0;
+ return ret == 0 ? ALLOW : DENY;
}
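Review bot: `streq_constant()` is named like a predicate, but after `return ret == 0 ? ALLOW : DENY;` both outcomes are non-zero, so a caller written as `if (streq_constant(a, b))` would treat a mismatch as a match. The only call visible in this patch stores the result in `ret` inside `authenticate_via_shadow_passwd()`, and what happens to `ret` afterwards is outside the hunks shown. The start of the function and any header comment are also outside this hunk. I would state the contract at the definition, e.g. `/* returns ALLOW when the strings are equal, DENY otherwise; compare the result against ALLOW explicitly */`, so a future caller does not reintroduce a truthiness test.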
/* authenticate_via_shadow_passwd()
@@ -362,9 +365,9 @@ static int streq_constant(const char *userinput, const char *secret)
* out: nothing
* return: value condition
* ----- ---------
- * 1 user authenticated themselves properly according to the
+ * ALLOW user authenticated themselves properly according to the
* shadow passwd file.
- * 0 otherwise
+ * DENY otherwise
*
* This function uses the shadow passwd file to thenticate the user running
* this program.
@@ -382,14 +385,14 @@ static int authenticate_via_shadow_passwd(const char *uname)
if (!(p_shadow_line)) {
fprintf(stderr, _("Cannot find your entry in the shadow "
"passwd file.\n"));
- return 0;
+ return DENY;
}
/* Ask user to input unencrypted password */
if (!(unencrypted_password_s = getpass(PASSWORD_PROMPT))) {
fprintf(stderr, _("getpass cannot open /dev/tty\n"));
memzero(p_shadow_line->sp_pwdp, strlen(p_shadow_line->sp_pwdp));
- return 0;
+ return DENY;
}
/* Use crypt() to encrypt user's input password. */
@@ -400,7 +403,7 @@ static int authenticate_via_shadow_passwd(const char *uname)
if (errno || !encrypted_password_s) {
fprintf(stderr, _("Cannot encrypt password.\n"));
memzero(p_shadow_line->sp_pwdp, strlen(p_shadow_line->sp_pwdp));
- return 0;
+ return DENY;
}
ret = streq_constant(encrypted_password_s, p_shadow_line->sp_pwdp);
@@ -416,7 +419,7 @@ static int authenticate_via_shadow_passwd(const char *uname)
*/
static int verify_shell(const char *shell_name)
{
- int found = 0;
+ int found = DENY;
const char *buf;
if (!(shell_name && shell_name[0]))
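Review bot: The comment block that ends on the first line of this hunk is not updated here, unlike the return-value tables for `authenticate_via_pam()` and `authenticate_via_shadow_passwd()`. Its text is outside the hunk, so please check whether it still describes a 1/0 return. If it does, bring it in line with the new contract, e.g. `returns ALLOW if the shell is listed, DENY on error or if it is not`. The local `found` now holds an authorization constant rather than a flag, so a name such as `result` would match `authenticate_via_pam()`. The rest of the function body continues outside the hunk.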
@@ -429,7 +432,7 @@ static int verify_shell(const char *shell_name)
/* check the shell skipping newline char */
if (!strcmp(shell_name, buf)) {
- found = 1;
+ found = ALLOW;
break;
}
}
@@ -479,7 +482,7 @@ static int extract_pw_data(struct passwd *pw_copy)
goto out_free;
}
- if (verify_shell(pw->pw_shell) == 0) {
+ if (verify_shell(pw->pw_shell) != ALLOW) {
fprintf(stderr, _("Error! Shell is not valid.\n"));
goto out_free;
}
@@ -1182,9 +1185,9 @@ int main(int argc, char *argv[])
goto err_free;
}
- if (!authenticate_via_pam(ttyn, pam_handle))
+ if (authenticate_via_pam(ttyn, pam_handle) != ALLOW)
#else
- if (!authenticate_via_shadow_passwd(pw.pw_name))
+ if (authenticate_via_shadow_passwd(pw.pw_name) != ALLOW)
#endif
{
fprintf(stderr, _("newrole: incorrect password for %s\n"),
--
2.43.0
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-08 15:30 [RFC PATCH 1/3] newrole: constant time password comparison Christian Göttsche
2024-04-08 15:30 ` [RFC PATCH 2/3] newrole: cleanse shadow data hold by libc Christian Göttsche
2024-04-08 15:30 ` Christian Göttsche [this message]
2024-04-09 17:56 ` [RFC PATCH 1/3] newrole: constant time password comparison Stephen Smalley