Return AUTH_* flags from check_user() instead of 1/0/-1.

Todd C. Miller
2023-09-09 14:59:46 -06:00
parent 2fdb4db339
commit c54bdd799b
6 changed files with 15 additions and 21 deletions


@@ -19,12 +19,9 @@
#ifndef SUDO_AUTH_H #ifndef SUDO_AUTH_H
#define SUDO_AUTH_H #define SUDO_AUTH_H
/* Auth function return values (rowhammer resistent). */ /* Private auth function return values (rowhammer resistent). */
#define AUTH_SUCCESS 0x52a2925 /* 0101001010100010100100100101 */
#define AUTH_FAILURE 0xad5d6da /* 1010110101011101011011011010 */
#define AUTH_INTR 0x69d61fc8 /* 1101001110101100001111111001000 */ #define AUTH_INTR 0x69d61fc8 /* 1101001110101100001111111001000 */
#define AUTH_ERROR 0x1629e037 /* 0010110001010011110000000110111 */ #define AUTH_NONINTERACTIVE 0x1629e037 /* 0010110001010011110000000110111 */
#define AUTH_NONINTERACTIVE 0x1fc8d3ac /* 11111110010001101001110101100 */
struct sudoers_context; struct sudoers_context;
typedef struct sudo_auth { typedef struct sudo_auth {
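Review bot: AUTH_INTR and AUTH_NONINTERACTIVE stay in this header while AUTH_SUCCESS, AUTH_FAILURE and AUTH_ERROR move to the header that declares struct sudoers_context, so one int return space is now defined in two places and nothing visible keeps the five values distinct. The commit also reassigns numbers: 0x1629e037 was AUTH_ERROR and is now AUTH_NONINTERACTIVE, and AUTH_ERROR takes 0x1fc8d3ac, so any object built against the old header would presumably misread the two. I would add a cross-reference next to the private defines, for example `/* Must stay distinct from the AUTH_SUCCESS/AUTH_FAILURE/AUTH_ERROR values returned by check_user(). */`, and mirror it beside the public ones.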


@@ -87,8 +87,8 @@ get_authpw(struct sudoers_context *ctx, unsigned int mode)
} }
/* /*
* Returns true if the user successfully authenticates, false if not * Returns AUTH_SUCCESS if the user successfully authenticates,
* or -1 on error. * AUTH_FAILURE if not or AUTH_ERROR on error.
*/ */
int int
check_user(struct sudoers_context *ctx, unsigned int validated, check_user(struct sudoers_context *ctx, unsigned int validated,
@@ -225,15 +225,7 @@ done:
if (closure.auth_pw != NULL) if (closure.auth_pw != NULL)
sudo_pw_delref(closure.auth_pw); sudo_pw_delref(closure.auth_pw);
/* TODO: return AUTH_* directly */ debug_return_int(ret);
switch (ret) {
case AUTH_SUCCESS:
debug_return_int(true);
case AUTH_FAILURE:
debug_return_int(false);
default:
debug_return_int(-1);
}
} }
/* /*
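Review bot: The new `debug_return_int(ret);` at `done:` returns whatever `ret` holds, whereas the removed switch collapsed every value other than AUTH_SUCCESS and AUTH_FAILURE into the error result. The updated header comment promises only AUTH_SUCCESS, AUTH_FAILURE or AUTH_ERROR, but the code that assigns `ret` is outside this hunk, so a private value such as AUTH_INTR or AUTH_NONINTERACTIVE may now reach the caller. If that is possible, keep the contract with a guard before the return, `if (ret != AUTH_SUCCESS && ret != AUTH_FAILURE) ret = AUTH_ERROR;`. Otherwise, state in the comment that `ret` is restricted to those three values at this point.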


@@ -711,7 +711,7 @@ int
check_user(struct sudoers_context *ctx, unsigned int validated, check_user(struct sudoers_context *ctx, unsigned int validated,
unsigned int mode) unsigned int mode)
{ {
return true; return AUTH_SUCCESS;
} }
/* STUB */ /* STUB */


@@ -466,10 +466,10 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
/* Require a password if sudoers says so. */ /* Require a password if sudoers says so. */
switch (check_user(ctx, validated, ctx->mode)) { switch (check_user(ctx, validated, ctx->mode)) {
case true: case AUTH_SUCCESS:
/* user authenticated successfully. */ /* user authenticated successfully. */
break; break;
case false: case AUTH_FAILURE:
/* Note: log_denial() calls audit for us. */ /* Note: log_denial() calls audit for us. */
if (!ISSET(validated, VALIDATE_SUCCESS)) { if (!ISSET(validated, VALIDATE_SUCCESS)) {
/* Only display a denial message if no password was read. */ /* Only display a denial message if no password was read. */
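Review bot: The switch on `check_user(ctx, validated, ctx->mode)` now matches AUTH_SUCCESS and AUTH_FAILURE, and the arm that handles everything else lies outside this hunk. That arm has to deny, because an unmatched value would otherwise fall out of the switch on the same path as a successful authentication. A `default:` carrying a comment such as `/* AUTH_ERROR or any unexpected value: fail closed. */` would make this explicit. Every AUTH_* value is non-zero, so any other caller of check_user() that still tests the result as a boolean would read AUTH_FAILURE as success. The commit does not show whether such callers exist, so they are worth a grep before merging.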


@@ -229,6 +229,13 @@ struct sudoers_context {
#define FLAG_NO_USER_INPUT 0x100U #define FLAG_NO_USER_INPUT 0x100U
#define FLAG_BAD_PASSWORD 0x200U #define FLAG_BAD_PASSWORD 0x200U
/*
* Return values for check_user() (rowhammer resistent).
*/
#define AUTH_SUCCESS 0x52a2925 /* 0101001010100010100100100101 */
#define AUTH_FAILURE 0xad5d6da /* 1010110101011101011011011010 */
#define AUTH_ERROR 0x1fc8d3ac /* 11111110010001101001110101100 */
/* /*
* find_path()/set_cmnd() return values * find_path()/set_cmnd() return values
*/ */
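Review bot: The comment above the new AUTH_SUCCESS, AUTH_FAILURE and AUTH_ERROR defines says only "rowhammer resistent" and does not state the property a maintainer must preserve when adding or renumbering a value. From the constants themselves, AUTH_SUCCESS and AUTH_FAILURE are exact bitwise complements over 28 bits, so a handful of flipped bits cannot turn one into the other. I would say so in the comment, for example `/* Values differ in many bit positions so a few flipped bits cannot turn a failure into success; keep that distance for new values. */`, and correct the spelling to "resistant".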


@@ -24,8 +24,6 @@
#ifndef SUDOERS_TIMESTAMP_H #ifndef SUDOERS_TIMESTAMP_H
#define SUDOERS_TIMESTAMP_H #define SUDOERS_TIMESTAMP_H
#include "auth/sudo_auth.h"
struct passwd; struct passwd;
struct sudoers_context; struct sudoers_context;
struct getpass_closure { struct getpass_closure {