pam_timestamp: replace hmac implementation

sha1 is no longer recommended as a cryptographic algorithm for
authentication. Thus, the idea of this change is to replace the
implementation provided by hmacsha1 included in pam_timestamp module by
the one in the openssl library. This way, there's no need to maintain
the cryptographic algorithm implementation and it can be easily changed
with a single configuration change.

modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
functions around openssl's hmac implementation. Moreover, manage the key
generation and its read and write in a file. Include an option to
configure the cryptographic algorithm in login.defs file.
modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
modules/pam_timestamp/pam_timestamp.c: replace calls to functions
provided by hmacsha1 by functions provided by openssl's wrapper.
configure.ac: include openssl dependecy if it is enabled.
modules/pam_timestamp/Makefile.am: include new files and openssl library
to compilation.
ci/install-dependencies.sh: include openssl library to dependencies.
NEWS: add new item to next release.
Make.xml.rules.in: add stringparam profiling for hmac
doc/custom-man.xsl: change import docbook to one with profiling
modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
indicate the value in /etc/login.defs that holds the value for the
encryption algorithm

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294

1 files changed, 5 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 2d49ec39..f4d11303 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,10 @@
 Linux-PAM NEWS -- history of user-visible changes.
 
+Release next
+* pam_timestamp: change hmac algorithm to call openssl instead of the bundled
+                 sha1 implementation if selected. Add option to select the hash
+                 algorithm to use with HMAC.
+
 Release 1.5.1
 * pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
             doesn't exist and root password is blank