Add support for using the message digest functions in libgcrypt

instead of sudo's own SHA2 implementation.

INSTALL

@@ -515,6 +515,12 @@ Authentication options:
         gss_krb5_ccache_name() provides a better API to do this it
         is not supported by all Kerberos V and SASL combinations.
 
+  --enable-gcrypt[=DIR]
+        Use GNU crypt's SHA-2 message digest functions instead of the
+        ones bundled with sudo (or in the system's C library).
+        If specified, DIR should contain include and lib directories
+        with gcrypt.h and libgcrypt respectively.
+
   --enable-openssl[=DIR]
         Use OpenSSL's SHA-2 message digest functions instead of the
         ones bundled with sudo (or in the system's C library).

MANIFEST

@@ -264,6 +264,7 @@ plugins/sudoers/digestname.c
 plugins/sudoers/editor.c
 plugins/sudoers/env.c
 plugins/sudoers/filedigest.c
+plugins/sudoers/filedigest_gcrypt.c
 plugins/sudoers/filedigest_openssl.c
 plugins/sudoers/find_path.c
 plugins/sudoers/gc.c

configure

@@ -948,6 +948,7 @@ enable_env_reset
 enable_warnings
 enable_werror
 enable_openssl
+enable_gcrypt
 enable_hardening
 enable_pie
 enable_asan
@@ -1625,6 +1626,8 @@ Optional Features:
   --enable-werror         Whether to enable the -Werror compiler option
   --enable-openssl        Use OpenSSL's message digest functions instead of
                           sudo's
+  --enable-gcrypt         Use GNU crypt's message digest functions instead of
+                          sudo's
   --disable-hardening     Do not use compiler/linker exploit mitigation
                           options
   --enable-pie            Build sudo as a position independent executable.
@@ -6385,6 +6388,120 @@ fi
 
 
 
+if ${SUDOERS_LDFLAGS+:} false; then :
+
+  case " $SUDOERS_LDFLAGS " in #(
+  *" -L${enableval}/lib "*) :
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS already contains -L\${enableval}/lib"; } >&5
+  (: SUDOERS_LDFLAGS already contains -L${enableval}/lib) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append SUDOERS_LDFLAGS " -L${enableval}/lib"
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS=\"\$SUDOERS_LDFLAGS\""; } >&5
+  (: SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else
+
+  SUDOERS_LDFLAGS=-L${enableval}/lib
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS=\"\$SUDOERS_LDFLAGS\""; } >&5
+  (: SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    if test X"$enable_rpath" = X"yes"; then
+
+if ${SUDOERS_LDFLAGS_R+:} false; then :
+
+  case " $SUDOERS_LDFLAGS_R " in #(
+  *" -R${enableval}/lib "*) :
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS_R already contains -R\${enableval}/lib"; } >&5
+  (: SUDOERS_LDFLAGS_R already contains -R${enableval}/lib) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append SUDOERS_LDFLAGS_R " -R${enableval}/lib"
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS_R=\"\$SUDOERS_LDFLAGS_R\""; } >&5
+  (: SUDOERS_LDFLAGS_R="$SUDOERS_LDFLAGS_R") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else
+
+  SUDOERS_LDFLAGS_R=-R${enableval}/lib
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: : SUDOERS_LDFLAGS_R=\"\$SUDOERS_LDFLAGS_R\""; } >&5
+  (: SUDOERS_LDFLAGS_R="$SUDOERS_LDFLAGS_R") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    fi
+
+		fi
+		;;
+ esac
+
+fi
+
+
+# Check whether --enable-gcrypt was given.
+if test "${enable_gcrypt+set}" = set; then :
+  enableval=$enable_gcrypt;  case $enableval in
+    no)		;;
+    *)		LIBMD="-lgcrypt"
+		FILEDIGEST=filedigest_gcrypt.lo
+		if test "$enableval" != "yes"; then
+
+if ${CPPFLAGS+:} false; then :
+
+  case " $CPPFLAGS " in #(
+  *" -I${enableval}/include "*) :
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enableval}/include"; } >&5
+  (: CPPFLAGS already contains -I${enableval}/include) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " -I${enableval}/include"
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else
+
+  CPPFLAGS=-I${enableval}/include
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+
+
 if ${SUDOERS_LDFLAGS+:} false; then :
 
   case " $SUDOERS_LDFLAGS " in #(

configure.ac

@@ -1465,6 +1465,20 @@ AC_ARG_ENABLE(openssl,
  esac
 ])
 
+AC_ARG_ENABLE(gcrypt,
+[AS_HELP_STRING([--enable-gcrypt], [Use GNU crypt's message digest functions instead of sudo's])],
+[ case $enableval in
+    no)		;;
+    *)		LIBMD="-lgcrypt"
+		FILEDIGEST=filedigest_gcrypt.lo
+		if test "$enableval" != "yes"; then
+		    AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS])
+		    SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${enableval}/lib])
+		fi
+		;;
+ esac
+])
+
 AC_ARG_ENABLE(hardening,
 [AS_HELP_STRING([--disable-hardening], [Do not use compiler/linker exploit mitigation options])],
 [], [enable_hardening=yes])

mkdep.pl

@@ -70,7 +70,7 @@ sub mkdep {
     $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo solaris_audit.lo sssd.lo:;
     # XXX - fill in AUTH_OBJS from contents of the auth dir instead
     $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
-    $makefile =~ s:\@FILEDIGEST\@:filedigest.lo filedigest_openssl.lo:;
+    $makefile =~ s:\@FILEDIGEST\@:filedigest.lo filedigest_openssl.lo filedigest_gcrypt.lo:;
     $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo strtonum.lo utimens.lo vsyslog.lo:;
 
     # Parse OBJS lines

plugins/sudoers/Makefile.in

@@ -692,6 +692,17 @@ filedigest.lo: $(srcdir)/filedigest.c $(devdir)/def_data.h \
                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
                $(top_builddir)/pathnames.h
 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/filedigest.c
+filedigest_gcrypt.lo: $(srcdir)/filedigest_gcrypt.c $(devdir)/def_data.h \
+                      $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+                      $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+                      $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                      $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                      $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                      $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                      $(top_builddir)/pathnames.h
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/filedigest_gcrypt.c
 filedigest_openssl.lo: $(srcdir)/filedigest_openssl.c $(devdir)/def_data.h \
                        $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
                        $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \

plugins/sudoers/filedigest_gcrypt.c

@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2017 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <gcrypt.h>
+
+#include "sudoers.h"
+#include "parse.h"
+
+unsigned char *
+sudo_filedigest(int fd, const char *file, int digest_type, size_t *digest_lenp)
+{
+    unsigned char *file_digest = NULL;
+    unsigned char buf[32 * 1024];
+    int fd2, gcry_digest_type;
+    size_t digest_len, nread;
+    gcry_error_t error;
+    gcry_md_hd_t ctx;
+    FILE *fp = NULL;
+    debug_decl(sudo_filedigest, SUDOERS_DEBUG_UTIL)
+
+    switch (digest_type) {
+    case SUDO_DIGEST_SHA224:
+	gcry_digest_type = GCRY_MD_SHA224;
+	break;
+    case SUDO_DIGEST_SHA256:
+	gcry_digest_type = GCRY_MD_SHA256;
+	break;
+    case SUDO_DIGEST_SHA384:
+	gcry_digest_type = GCRY_MD_SHA384;
+	break;
+    case SUDO_DIGEST_SHA512:
+	gcry_digest_type = GCRY_MD_SHA512;
+	break;
+    default:
+	sudo_warnx(U_("unsupported digest type %d for %s"), digest_type, file);
+	debug_return_ptr(NULL);
+    }
+
+    error = gcry_md_open(&ctx, gcry_digest_type, 0);
+    if (error != 0) {
+	sudo_warnx(U_("%s: %s"), digest_type_to_name(digest_type),
+	    gcry_strerror(error));
+	goto bad;
+    }
+    digest_len = gcry_md_get_algo_dlen(gcry_digest_type);
+
+    if ((fd2 = dup(fd)) == -1) {
+	sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s",
+	    file, strerror(errno));
+	goto bad;
+    }
+    if ((fp = fdopen(fd2, "r")) == NULL) {
+	sudo_debug_printf(SUDO_DEBUG_INFO, "unable to fdopen %s: %s",
+	    file, strerror(errno));
+	close(fd2);
+	goto bad;
+    }
+    if ((file_digest = malloc(digest_len)) == NULL) {
+	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+	goto bad;
+    }
+
+    while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
+	gcry_md_write(ctx, buf, nread);
+    }
+    if (ferror(fp)) {
+	sudo_warnx(U_("%s: read error"), file);
+	goto bad;
+    }
+    gcry_md_final(ctx);
+    fclose(fp);
+
+    memcpy(file_digest, gcry_md_read(ctx, 0), digest_len);
+    *digest_lenp = digest_len;
+    debug_return_ptr(file_digest);
+bad:
+    free(file_digest);
+    gcry_md_close(ctx);
+    if (fp != NULL)
+	fclose(fp);
+    debug_return_ptr(NULL);
+}