diff --git a/fix-ldap-test-because-openldap-was-upgraded.patch b/fix-ldap-test-because-openldap-was-upgraded.patch deleted file mode 100644 index 22bff4e..0000000 --- a/fix-ldap-test-because-openldap-was-upgraded.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 85bcf0efc3d3e6453f6e50da877dc7eb1a4d1ae1 Mon Sep 17 00:00:00 2001 -From: panxiaohe -Date: Mon, 10 Jan 2022 13:17:22 +0800 -Subject: [PATCH] fix ldap test because openldap was upgraded to 2.6.0 - -The new version of openldap has removed deprecated -h and -p options -to client tools. And it has deleted back-bdb, so this patch uses mdb. ---- - tests/default_pw_test | 6 ++++-- - tests/ldap_test | 3 ++- - tests/slapd.conf.in | 2 +- - 3 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/tests/default_pw_test b/tests/default_pw_test -index 733c85c..932dcb2 100755 ---- a/tests/default_pw_test -+++ b/tests/default_pw_test -@@ -69,7 +69,8 @@ get_file_password() # file under $workdir/files, entry name - get_ldap_password() # entry filter - { - echo "Checking $1 ..." >&2 -- ldapsearch -LLL -h 127.0.0.1 -p "$ldap_port" -x -b 'dc=libuser' "$1" \ -+ URI="ldap://127.0.0.1:$ldap_port/" -+ ldapsearch -LLL -H "$URI" -x -b 'dc=libuser' "$1" \ - userPassword | sed -n 's/userPassword:: //p' - } - -@@ -103,7 +104,8 @@ for modules in \ - tests/wait_for_slapd_start "$workdir"/slapd.pid "$ldap_port" - slapd_pid=$(cat "$workdir"/slapd.pid) - trap 'status=$?; kill $slapd_pid; rm -rf "$workdir"; exit $status' 0 -- ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \ -+ URI="ldap://127.0.0.1:$ldap_port/" -+ ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \ - -D cn=Manager,dc=libuser -w password - ;; - esac -diff --git a/tests/ldap_test b/tests/ldap_test -index 54609b1..de9308c 100755 ---- a/tests/ldap_test -+++ b/tests/ldap_test -@@ -56,7 +56,8 @@ slapd_pid=$(cat "$workdir"/slapd.pid) - trap 'status=$?; kill $slapd_pid - tests/wait_for_slapd_exit "$workdir"/slapd.pid "$ldap_port" - rm -rf "$workdir"; exit $status' 0 --ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \ -+URI="ldap://127.0.0.1:$ldap_port/" -+ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \ - -D cn=Manager,dc=libuser -w password - - -diff --git a/tests/slapd.conf.in b/tests/slapd.conf.in -index 06ef10d..8e49a36 100644 ---- a/tests/slapd.conf.in -+++ b/tests/slapd.conf.in -@@ -10,7 +10,7 @@ pidfile @WORKDIR@/slapd.pid - TLSCertificateFile @WORKDIR@/key.pem - TLSCertificateKeyFile @WORKDIR@/key.pem - --database bdb -+database mdb - suffix "dc=libuser" - rootdn "cn=Manager,dc=libuser" - rootpw {SSHA}ABgelmLFZQ/OJzVEp3OM5MzWQ9rt3b4F --- -1.8.3.1 - diff --git a/libuser-0.63-PR49_add_yescrypt.patch b/libuser-0.63-PR49_add_yescrypt.patch deleted file mode 100644 index 18a767d..0000000 --- a/libuser-0.63-PR49_add_yescrypt.patch +++ /dev/null @@ -1,260 +0,0 @@ -From 3b8a2aa52bcee6e03f047840251ae42ab971a8a0 Mon Sep 17 00:00:00 2001 -From: Björn Esser -Date: Jun 07 2021 20:25:41 +0000 -Subject: [PATCH 1/5] lib/util.c: bcrypt should use $2b$ as prefix for setting. - - -This prefix is the recommended one for new bcrypt hashes -for a long time. - -Signed-off-by: Björn Esser - ---- - -diff --git a/lib/util.c b/lib/util.c -index 1b03f7d..e549a35 100644 ---- a/lib/util.c -+++ b/lib/util.c -@@ -124,7 +124,7 @@ static const struct { - } salt_type_info[] = { - {"$1$", "$", 8, FALSE }, - /* FIXME: number of rounds, base64 of 128 bits */ -- {"$2a$", "$", 8, FALSE }, -+ {"$2b$", "$", 8, FALSE }, - {"$5$", "$", 16, TRUE }, - {"$6$", "$", 16, TRUE }, - { "", "", 2 }, -@@ -231,7 +231,7 @@ lu_util_default_salt_specifier(struct lu_context *context) - } salt_types[] = { - { "des", "", FALSE }, - { "md5", "$1$", FALSE }, -- { "blowfish", "$2a$", FALSE }, -+ { "blowfish", "$2b$", FALSE }, - { "sha256", "$5$", TRUE }, - { "sha512", "$6$", TRUE }, - }; - -From 9dcc69425677cf510ec6da5ababfdd295f875c1a Mon Sep 17 00:00:00 2001 -From: Björn Esser -Date: Jun 17 2021 15:34:02 +0000 -Subject: [PATCH 2/5] lib/util.c: Use crypt_gensalt(), if available in libcrypt. - - -Most Linux distributions, including Fedora and RHEL 8, are shipping -with libxcrypt >= 4.0. - -Since that version of libxcrypt the provided family of crypt_gensalt() -functions are able to use automatic entropy drawn from secure system -ressources, like arc4random(), getentropy() or getrandom(). - -Anyways, the settings generated by crypt_gensalt() are always -guaranteed to works with the crypt() function. - -Using crypt_gesalt() is also needed to make proper use of newer -hashing methods, like yescrypt, provided by libxcrypt. - -Signed-off-by: Björn Esser - ---- - -diff --git a/lib/util.c b/lib/util.c -index e549a35..b6db2af 100644 ---- a/lib/util.c -+++ b/lib/util.c -@@ -43,6 +43,13 @@ - #define HASH_ROUNDS_MIN 1000 - #define HASH_ROUNDS_MAX 999999999 - -+#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \ -+ CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) -+#define USE_XCRYPT_GENSALT 1 -+#else -+#define USE_XCRYPT_GENSALT 0 -+#endif -+ - struct lu_lock { - int fd; - struct flock lock; -@@ -66,6 +73,7 @@ lu_strcmp(gconstpointer v1, gconstpointer v2) - return strcmp((char *) v1, (char *) v2); - } - -+#if !USE_XCRYPT_GENSALT - /* A list of allowed salt characters, according to SUSv2. */ - #define ACCEPTABLE "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ - "abcdefghijklmnopqrstuvwxyz" \ -@@ -115,6 +123,7 @@ fill_urandom(char *output, size_t length) - close(fd); - return TRUE; - } -+#endif - - static const struct { - const char initial[5]; -@@ -135,6 +144,9 @@ lu_make_crypted(const char *plain, const char *previous) - { - char salt[2048]; - size_t i, len = 0; -+#if USE_XCRYPT_GENSALT -+ unsigned long rounds = 0; -+#endif - - if (previous == NULL) { - previous = LU_DEFAULT_SALT_TYPE; -@@ -151,6 +163,23 @@ lu_make_crypted(const char *plain, const char *previous) - - if (salt_type_info[i].sha_rounds != FALSE - && strncmp(previous + len, "rounds=", strlen("rounds=")) == 0) { -+#if USE_XCRYPT_GENSALT -+ const char *start; -+ char *end; -+ -+ start = previous + len + strlen("rounds="); -+ rounds = strtoul (start, &end, 10); -+ -+ if (rounds < HASH_ROUNDS_MIN) -+ rounds = HASH_ROUNDS_MIN; -+ else if (rounds > HASH_ROUNDS_MAX) -+ rounds = HASH_ROUNDS_MAX; -+ } -+ -+ g_assert(CRYPT_GENSALT_OUTPUT_SIZE <= sizeof(salt)); -+ -+ crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt)); -+#else - const char *start, *end; - - start = previous + len + strlen("rounds="); -@@ -168,6 +197,7 @@ lu_make_crypted(const char *plain, const char *previous) - return NULL; - strcpy(salt + len + salt_type_info[i].salt_length, - salt_type_info[i].separator); -+#endif - - return crypt(plain, salt); - } -@@ -251,13 +281,18 @@ lu_util_default_salt_specifier(struct lu_context *context) - - found: - if (salt_types[i].sha_rounds != FALSE) { -- unsigned long rounds; -+ unsigned long rounds = 0; - - rounds = select_hash_rounds(context); -+#if USE_XCRYPT_GENSALT -+ return g_strdup(crypt_gensalt(salt_types[i].initializer, -+ rounds, NULL, 0)); -+#else - if (rounds != 0) - return g_strdup_printf("%srounds=%lu$", - salt_types[i].initializer, - rounds); -+#endif - } - return g_strdup(salt_types[i].initializer); - } - -From 2d40503977df3855f1415db995833ae4231e7944 Mon Sep 17 00:00:00 2001 -From: Björn Esser -Date: Jun 17 2021 15:34:02 +0000 -Subject: [PATCH 3/5] lib/util.c: Add yescrypt hashing method for user passwords. - - -The yescrypt hashing method is considered to be much stronger than -sha512crypt and fully supported by libxcrypt >= 4.3. It is based -on NIST-approved primitives and on par with argon2 in strength. - -Signed-off-by: Björn Esser - ---- - -diff --git a/lib/util.c b/lib/util.c -index b6db2af..bba9420 100644 ---- a/lib/util.c -+++ b/lib/util.c -@@ -50,6 +50,14 @@ - #define USE_XCRYPT_GENSALT 0 - #endif - -+#if ((defined XCRYPT_VERSION_NUM && \ -+ XCRYPT_VERSION_NUM >= ((4 << 16) | 3)) && \ -+ USE_XCRYPT_GENSALT) -+#define HAVE_YESCRYPT 1 -+#else -+#define HAVE_YESCRYPT 0 -+#endif -+ - struct lu_lock { - int fd; - struct flock lock; -@@ -136,6 +144,9 @@ static const struct { - {"$2b$", "$", 8, FALSE }, - {"$5$", "$", 16, TRUE }, - {"$6$", "$", 16, TRUE }, -+#if HAVE_YESCRYPT -+ {"$y$", "$", 24, FALSE }, -+#endif - { "", "", 2 }, - }; - -@@ -264,6 +275,9 @@ lu_util_default_salt_specifier(struct lu_context *context) - { "blowfish", "$2b$", FALSE }, - { "sha256", "$5$", TRUE }, - { "sha512", "$6$", TRUE }, -+#if HAVE_YESCRYPT -+ { "yescrypt", "$y$", FALSE }, -+#endif - }; - - const char *salt_type; - -From 71ef71fe1878a321612e1995cb5c59dcb501ff01 Mon Sep 17 00:00:00 2001 -From: Björn Esser -Date: Jun 17 2021 15:34:02 +0000 -Subject: [PATCH 4/5] docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style. - - -Signed-off-by: Björn Esser - ---- - -diff --git a/docs/libuser.conf.5.in b/docs/libuser.conf.5.in -index 2af0828..bd1daa7 100644 ---- a/docs/libuser.conf.5.in -+++ b/docs/libuser.conf.5.in -@@ -69,8 +69,8 @@ The current algorithm may be retained - when changing a password of an existing user, depending on the application. - - Possible values are \fBdes\fR, \fBmd5\fR, \fBblowfish\fR, --.B sha256 --and \fBsha512\fR, all case-insensitive. -+.B sha256, -+\fBsha512\fR, and \fByescrypt\fR, all case-insensitive. - Unrecognized values are treated as \fBdes\fR. - Default value is \fBdes\fR. - - -From 284b3195393688105b112b905069e0225c3046d2 Mon Sep 17 00:00:00 2001 -From: Björn Esser -Date: Jun 17 2021 15:34:02 +0000 -Subject: [PATCH 5/5] libuser.conf: Use yescrypt as default value for crypt_style. - - -Signed-off-by: Björn Esser - ---- - -diff --git a/libuser.conf b/libuser.conf -index 8ff5b2e..cd25eb2 100644 ---- a/libuser.conf -+++ b/libuser.conf -@@ -17,7 +17,7 @@ default_useradd = /etc/default/useradd - # skeleton = /etc/skel - # mailspooldir = /var/mail - --crypt_style = sha512 -+crypt_style = yescrypt - modules = files shadow - create_modules = files shadow - # modules = files shadow ldap - diff --git a/libuser-0.63-downstream_test_xcrypt.patch b/libuser-0.63-downstream_test_xcrypt.patch deleted file mode 100644 index 8375740..0000000 --- a/libuser-0.63-downstream_test_xcrypt.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/tests/pwhash_test b/tests/pwhash_test -index ff89d60..525885e 100755 ---- a/tests/pwhash_test -+++ b/tests/pwhash_test -@@ -77,6 +77,22 @@ if [ "x${pw#\$6\$}" = "x$pw" ]; then - exit 1 - fi - -+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF" -+echo 'crypt_style = blowfish' >> "$LIBUSER_CONF" -+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py) -+if [ "x${pw#\$2b\$}" = "x$pw" ]; then -+ echo "Invalid BLOWFISH hash" >&2 -+ exit 1 -+fi -+ -+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF" -+echo 'crypt_style = yescrypt' >> "$LIBUSER_CONF" -+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py) -+if [ "x${pw#\$y\$}" = "x$pw" ]; then -+ echo "Invalid YESCRYPT hash" >&2 -+ exit 1 -+fi -+ - cp "${LIBUSER_CONF}_" "$LIBUSER_CONF" - cat >> "$LIBUSER_CONF" <<\EOF - crypt_style = sha256 diff --git a/libuser-0.63.tar.xz b/libuser-0.63.tar.xz deleted file mode 100644 index c54e7b0..0000000 Binary files a/libuser-0.63.tar.xz and /dev/null differ diff --git a/libuser-0.64.tar.gz b/libuser-0.64.tar.gz new file mode 100644 index 0000000..37d2972 Binary files /dev/null and b/libuser-0.64.tar.gz differ diff --git a/libuser.spec b/libuser.spec index 0563d37..3a2d486 100644 --- a/libuser.spec +++ b/libuser.spec @@ -1,14 +1,10 @@ Name: libuser -Version: 0.63 -Release: 5 +Version: 0.64 +Release: 1 Summary: A user and group account administration library License: LGPLv2+ URL: https://pagure.io/libuser -Source: http://releases.pagure.org/libuser/libuser-%{version}.tar.xz - -Patch0: libuser-0.63-PR49_add_yescrypt.patch -Patch1: libuser-0.63-downstream_test_xcrypt.patch -Patch2: fix-ldap-test-because-openldap-was-upgraded.patch +Source: http://releases.pagure.org/libuser/libuser-%{version}.tar.gz Patch9000: add-sm3-crypt-support.patch @@ -104,6 +100,9 @@ python3 -c "import libuser" %{_mandir}/man5/* %changelog +* Mon Jul 17 2023 fuanan - 0.64-1 +- update version to 0.64 + * Wed Oct 19 2022 fuanan - 0.63-5 - DESC:optimize compilation by running make in parallel