update version to 0.64

fly_fzc 2023-07-17 10:14:59 +08:00
parent 74ac33cce7
commit 45c40330b6
6 changed files with 6 additions and 361 deletions

@ -1,67 +0,0 @@
From 85bcf0efc3d3e6453f6e50da877dc7eb1a4d1ae1 Mon Sep 17 00:00:00 2001
From: panxiaohe <panxiaohe@huawei.com>
Date: Mon, 10 Jan 2022 13:17:22 +0800
Subject: [PATCH] fix ldap test because openldap was upgraded to 2.6.0
The new version of openldap has removed deprecated -h and -p options
to client tools. And it has deleted back-bdb, so this patch uses mdb.
---
tests/default_pw_test | 6 ++++--
tests/ldap_test | 3 ++-
tests/slapd.conf.in | 2 +-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/tests/default_pw_test b/tests/default_pw_test
index 733c85c..932dcb2 100755
--- a/tests/default_pw_test
+++ b/tests/default_pw_test
@@ -69,7 +69,8 @@ get_file_password() # file under $workdir/files, entry name
get_ldap_password() # entry filter
{
echo "Checking $1 ..." >&2
- ldapsearch -LLL -h 127.0.0.1 -p "$ldap_port" -x -b 'dc=libuser' "$1" \
+ URI="ldap://127.0.0.1:$ldap_port/"
+ ldapsearch -LLL -H "$URI" -x -b 'dc=libuser' "$1" \
userPassword | sed -n 's/userPassword:: //p'
}
@@ -103,7 +104,8 @@ for modules in \
tests/wait_for_slapd_start "$workdir"/slapd.pid "$ldap_port"
slapd_pid=$(cat "$workdir"/slapd.pid)
trap 'status=$?; kill $slapd_pid; rm -rf "$workdir"; exit $status' 0
- ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \
+ URI="ldap://127.0.0.1:$ldap_port/"
+ ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \
-D cn=Manager,dc=libuser -w password
;;
esac
diff --git a/tests/ldap_test b/tests/ldap_test
index 54609b1..de9308c 100755
--- a/tests/ldap_test
+++ b/tests/ldap_test
@@ -56,7 +56,8 @@ slapd_pid=$(cat "$workdir"/slapd.pid)
trap 'status=$?; kill $slapd_pid
tests/wait_for_slapd_exit "$workdir"/slapd.pid "$ldap_port"
rm -rf "$workdir"; exit $status' 0
-ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \
+URI="ldap://127.0.0.1:$ldap_port/"
+ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \
-D cn=Manager,dc=libuser -w password
diff --git a/tests/slapd.conf.in b/tests/slapd.conf.in
index 06ef10d..8e49a36 100644
--- a/tests/slapd.conf.in
+++ b/tests/slapd.conf.in
@@ -10,7 +10,7 @@ pidfile @WORKDIR@/slapd.pid
TLSCertificateFile @WORKDIR@/key.pem
TLSCertificateKeyFile @WORKDIR@/key.pem
-database bdb
+database mdb
suffix "dc=libuser"
rootdn "cn=Manager,dc=libuser"
rootpw {SSHA}ABgelmLFZQ/OJzVEp3OM5MzWQ9rt3b4F
--
1.8.3.1

@ -1,260 +0,0 @@
From 3b8a2aa52bcee6e03f047840251ae42ab971a8a0 Mon Sep 17 00:00:00 2001
From: Björn Esser <besser82@fedoraproject.org>
Date: Jun 07 2021 20:25:41 +0000
Subject: [PATCH 1/5] lib/util.c: bcrypt should use $2b$ as prefix for setting.
This prefix is the recommended one for new bcrypt hashes
for a long time.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
diff --git a/lib/util.c b/lib/util.c
index 1b03f7d..e549a35 100644
--- a/lib/util.c
+++ b/lib/util.c
@@ -124,7 +124,7 @@ static const struct {
} salt_type_info[] = {
{"$1$", "$", 8, FALSE },
/* FIXME: number of rounds, base64 of 128 bits */
- {"$2a$", "$", 8, FALSE },
+ {"$2b$", "$", 8, FALSE },
{"$5$", "$", 16, TRUE },
{"$6$", "$", 16, TRUE },
{ "", "", 2 },
@@ -231,7 +231,7 @@ lu_util_default_salt_specifier(struct lu_context *context)
} salt_types[] = {
{ "des", "", FALSE },
{ "md5", "$1$", FALSE },
- { "blowfish", "$2a$", FALSE },
+ { "blowfish", "$2b$", FALSE },
{ "sha256", "$5$", TRUE },
{ "sha512", "$6$", TRUE },
};
From 9dcc69425677cf510ec6da5ababfdd295f875c1a Mon Sep 17 00:00:00 2001
From: Björn Esser <besser82@fedoraproject.org>
Date: Jun 17 2021 15:34:02 +0000
Subject: [PATCH 2/5] lib/util.c: Use crypt_gensalt(), if available in libcrypt.
Most Linux distributions, including Fedora and RHEL 8, are shipping
with libxcrypt >= 4.0.
Since that version of libxcrypt the provided family of crypt_gensalt()
functions are able to use automatic entropy drawn from secure system
ressources, like arc4random(), getentropy() or getrandom().
Anyways, the settings generated by crypt_gensalt() are always
guaranteed to works with the crypt() function.
Using crypt_gesalt() is also needed to make proper use of newer
hashing methods, like yescrypt, provided by libxcrypt.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
diff --git a/lib/util.c b/lib/util.c
index e549a35..b6db2af 100644
--- a/lib/util.c
+++ b/lib/util.c
@@ -43,6 +43,13 @@
#define HASH_ROUNDS_MIN 1000
#define HASH_ROUNDS_MAX 999999999
+#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \
+ CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY)
+#define USE_XCRYPT_GENSALT 1
+#else
+#define USE_XCRYPT_GENSALT 0
+#endif
+
struct lu_lock {
int fd;
struct flock lock;
@@ -66,6 +73,7 @@ lu_strcmp(gconstpointer v1, gconstpointer v2)
return strcmp((char *) v1, (char *) v2);
}
+#if !USE_XCRYPT_GENSALT
/* A list of allowed salt characters, according to SUSv2. */
#define ACCEPTABLE "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
"abcdefghijklmnopqrstuvwxyz" \
@@ -115,6 +123,7 @@ fill_urandom(char *output, size_t length)
close(fd);
return TRUE;
}
+#endif
static const struct {
const char initial[5];
@@ -135,6 +144,9 @@ lu_make_crypted(const char *plain, const char *previous)
{
char salt[2048];
size_t i, len = 0;
+#if USE_XCRYPT_GENSALT
+ unsigned long rounds = 0;
+#endif
if (previous == NULL) {
previous = LU_DEFAULT_SALT_TYPE;
@@ -151,6 +163,23 @@ lu_make_crypted(const char *plain, const char *previous)
if (salt_type_info[i].sha_rounds != FALSE
&& strncmp(previous + len, "rounds=", strlen("rounds=")) == 0) {
+#if USE_XCRYPT_GENSALT
+ const char *start;
+ char *end;
+
+ start = previous + len + strlen("rounds=");
+ rounds = strtoul (start, &end, 10);
+
+ if (rounds < HASH_ROUNDS_MIN)
+ rounds = HASH_ROUNDS_MIN;
+ else if (rounds > HASH_ROUNDS_MAX)
+ rounds = HASH_ROUNDS_MAX;
+ }
+
+ g_assert(CRYPT_GENSALT_OUTPUT_SIZE <= sizeof(salt));
+
+ crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt));
+#else
const char *start, *end;
start = previous + len + strlen("rounds=");
@@ -168,6 +197,7 @@ lu_make_crypted(const char *plain, const char *previous)
return NULL;
strcpy(salt + len + salt_type_info[i].salt_length,
salt_type_info[i].separator);
+#endif
return crypt(plain, salt);
}
@@ -251,13 +281,18 @@ lu_util_default_salt_specifier(struct lu_context *context)
found:
if (salt_types[i].sha_rounds != FALSE) {
- unsigned long rounds;
+ unsigned long rounds = 0;
rounds = select_hash_rounds(context);
+#if USE_XCRYPT_GENSALT
+ return g_strdup(crypt_gensalt(salt_types[i].initializer,
+ rounds, NULL, 0));
+#else
if (rounds != 0)
return g_strdup_printf("%srounds=%lu$",
salt_types[i].initializer,
rounds);
+#endif
}
return g_strdup(salt_types[i].initializer);
}
From 2d40503977df3855f1415db995833ae4231e7944 Mon Sep 17 00:00:00 2001
From: Björn Esser <besser82@fedoraproject.org>
Date: Jun 17 2021 15:34:02 +0000
Subject: [PATCH 3/5] lib/util.c: Add yescrypt hashing method for user passwords.
The yescrypt hashing method is considered to be much stronger than
sha512crypt and fully supported by libxcrypt >= 4.3. It is based
on NIST-approved primitives and on par with argon2 in strength.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
diff --git a/lib/util.c b/lib/util.c
index b6db2af..bba9420 100644
--- a/lib/util.c
+++ b/lib/util.c
@@ -50,6 +50,14 @@
#define USE_XCRYPT_GENSALT 0
#endif
+#if ((defined XCRYPT_VERSION_NUM && \
+ XCRYPT_VERSION_NUM >= ((4 << 16) | 3)) && \
+ USE_XCRYPT_GENSALT)
+#define HAVE_YESCRYPT 1
+#else
+#define HAVE_YESCRYPT 0
+#endif
+
struct lu_lock {
int fd;
struct flock lock;
@@ -136,6 +144,9 @@ static const struct {
{"$2b$", "$", 8, FALSE },
{"$5$", "$", 16, TRUE },
{"$6$", "$", 16, TRUE },
+#if HAVE_YESCRYPT
+ {"$y$", "$", 24, FALSE },
+#endif
{ "", "", 2 },
};
@@ -264,6 +275,9 @@ lu_util_default_salt_specifier(struct lu_context *context)
{ "blowfish", "$2b$", FALSE },
{ "sha256", "$5$", TRUE },
{ "sha512", "$6$", TRUE },
+#if HAVE_YESCRYPT
+ { "yescrypt", "$y$", FALSE },
+#endif
};
const char *salt_type;
From 71ef71fe1878a321612e1995cb5c59dcb501ff01 Mon Sep 17 00:00:00 2001
From: Björn Esser <besser82@fedoraproject.org>
Date: Jun 17 2021 15:34:02 +0000
Subject: [PATCH 4/5] docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
diff --git a/docs/libuser.conf.5.in b/docs/libuser.conf.5.in
index 2af0828..bd1daa7 100644
--- a/docs/libuser.conf.5.in
+++ b/docs/libuser.conf.5.in
@@ -69,8 +69,8 @@ The current algorithm may be retained
when changing a password of an existing user, depending on the application.
Possible values are \fBdes\fR, \fBmd5\fR, \fBblowfish\fR,
-.B sha256
-and \fBsha512\fR, all case-insensitive.
+.B sha256,
+\fBsha512\fR, and \fByescrypt\fR, all case-insensitive.
Unrecognized values are treated as \fBdes\fR.
Default value is \fBdes\fR.
From 284b3195393688105b112b905069e0225c3046d2 Mon Sep 17 00:00:00 2001
From: Björn Esser <besser82@fedoraproject.org>
Date: Jun 17 2021 15:34:02 +0000
Subject: [PATCH 5/5] libuser.conf: Use yescrypt as default value for crypt_style.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
diff --git a/libuser.conf b/libuser.conf
index 8ff5b2e..cd25eb2 100644
--- a/libuser.conf
+++ b/libuser.conf
@@ -17,7 +17,7 @@ default_useradd = /etc/default/useradd
# skeleton = /etc/skel
# mailspooldir = /var/mail
-crypt_style = sha512
+crypt_style = yescrypt
modules = files shadow
create_modules = files shadow
# modules = files shadow ldap

@ -1,27 +0,0 @@
diff --git a/tests/pwhash_test b/tests/pwhash_test
index ff89d60..525885e 100755
--- a/tests/pwhash_test
+++ b/tests/pwhash_test
@@ -77,6 +77,22 @@ if [ "x${pw#\$6\$}" = "x$pw" ]; then
exit 1
fi
+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
+echo 'crypt_style = blowfish' >> "$LIBUSER_CONF"
+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
+if [ "x${pw#\$2b\$}" = "x$pw" ]; then
+ echo "Invalid BLOWFISH hash" >&2
+ exit 1
+fi
+
+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
+echo 'crypt_style = yescrypt' >> "$LIBUSER_CONF"
+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
+if [ "x${pw#\$y\$}" = "x$pw" ]; then
+ echo "Invalid YESCRYPT hash" >&2
+ exit 1
+fi
+
cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
cat >> "$LIBUSER_CONF" <<\EOF
crypt_style = sha256

Binary file not shown.

BIN
libuser-0.64.tar.gz Normal file

Binary file not shown.

@ -1,14 +1,10 @@
Name: libuser
Version: 0.63
Release: 5
Version: 0.64
Release: 1
Summary: A user and group account administration library
License: LGPLv2+
URL: https://pagure.io/libuser
Source: http://releases.pagure.org/libuser/libuser-%{version}.tar.xz
Patch0: libuser-0.63-PR49_add_yescrypt.patch
Patch1: libuser-0.63-downstream_test_xcrypt.patch
Patch2: fix-ldap-test-because-openldap-was-upgraded.patch
Source: http://releases.pagure.org/libuser/libuser-%{version}.tar.gz
Patch9000: add-sm3-crypt-support.patch
@ -104,6 +100,9 @@ python3 -c "import libuser"
%{_mandir}/man5/*
%changelog
* Mon Jul 17 2023 fuanan <fuanan3@h-partners.com> - 0.64-1
- update version to 0.64
* Wed Oct 19 2022 fuanan <fuanan3@h-partners.com> - 0.63-5
- DESC:optimize compilation by running make in parallel
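Review bot: The replacement `Source:` line still fetches the release tarball over plain `http://`, so nothing in the spec protects the 0.64 archive against modification in transit. If the release host serves HTTPS, prefer `Source: https://releases.pagure.org/libuser/libuser-%{version}.tar.gz`, and note in the changelog how the committed `libuser-0.64.tar.gz` was checked against the upstream release. Dropping `Patch0` and `Patch1` also removes the downstream yescrypt support, the `crypt_style = yescrypt` default and the blowfish/yescrypt checks in `tests/pwhash_test`. That is only safe if 0.64 already carries them upstream, which this page does not show, so it should be confirmed and stated in the changelog entry. `Patch9000` (`add-sm3-crypt-support.patch`) is kept as is and presumably touches the same password-hashing code, so it needs a check that it still applies cleanly to the 0.64 sources.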