diff --git a/Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch b/Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
deleted file mode 100644
index 323f5c0..0000000
--- a/Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Fri, 23 Jul 2021 17:51:13 -0500 -Subject: [PATCH] Fix out of tree builds with respect to libsubid includes - -There's a better way to do this, and I hope to clean that up, -but this fixes out of tree builds for me right now. - -Closes #386 - -Signed-off-by: Serge Hallyn ---- - lib/Makefile.am | 2 ++ - libmisc/Makefile.am | 2 +- - libsubid/Makefile.am | 4 ++-- - src/Makefile.am | 6 ++++++ - 4 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index ecf3ee2..5ac2e11 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -10,6 +10,8 @@ if HAVE_VENDORDIR - libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" - endif - -+libshadow_la_CPPFLAGS += -I$(top_srcdir) -+ - libshadow_la_SOURCES = \ - commonio.c \ - commonio.h \ -diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am -index 9766a7e..9f237e0 100644 ---- a/libmisc/Makefile.am -+++ b/libmisc/Makefile.am -@@ -1,7 +1,7 @@ - - EXTRA_DIST = .indent.pro xgetXXbyYY.c - --AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS) -+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS) - - noinst_LTLIBRARIES = libmisc.la - -diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am -index 8305156..99308c1 100644 ---- a/libsubid/Makefile.am -+++ b/libsubid/Makefile.am -@@ -20,8 +20,8 @@ MISCLIBS = \ - $(LIBPAM) - - libsubid_la_LIBADD = \ -- $(top_srcdir)/lib/libshadow.la \ -- $(top_srcdir)/libmisc/libmisc.la \ -+ $(top_builddir)/lib/libshadow.la \ -+ $(top_builddir)/libmisc/libmisc.la \ - $(MISCLIBS) -ldl - - AM_CPPFLAGS = \ -diff --git a/src/Makefile.am b/src/Makefile.am -index 3502701..7c1a349 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -10,6 +10,7 @@ sgidperms = 2755 - AM_CPPFLAGS = \ - -I${top_srcdir}/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -DLOCALEDIR=\"$(datadir)/locale\" - - # XXX why are login and su in /bin anyway 
(other than for -@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \ - list_subid_ranges_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - get_subid_owners_LDADD = \ -@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \ - get_subid_owners_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - new_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - new_subid_range_LDADD = \ -@@ -210,6 +214,7 @@ new_subid_range_LDADD = \ - free_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - free_subid_range_LDADD = \ -@@ -220,6 +225,7 @@ free_subid_range_LDADD = \ - - check_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libmisc - - check_subid_range_LDADD = \ --- -1.8.3.1 - diff --git a/Fixes-the-linking-issues-when-libsubid-is-static-and.patch b/Fixes-the-linking-issues-when-libsubid-is-static-and.patch deleted file mode 100644 index 4284b4d..0000000 --- a/Fixes-the-linking-issues-when-libsubid-is-static-and.patch +++ /dev/null 
@@ -1,28 +0,0 @@
-From fc832e4648d6e80e95aaa762a158453ee43fe1cb Mon Sep 17 00:00:00 2001
-From: "(GalaxyMaster)"
-Date: Wed, 27 Oct 2021 20:14:42 +1100
-Subject: [PATCH] Fixes the linking issues when libsubid is static and linked
- to binaries that also define the Prog and shadow_logfd variables.
-
----
- libsubid/api.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libsubid/api.c b/libsubid/api.c
-index a7b904d..a51b4e0 100644
---- a/libsubid/api.c
-+++ b/libsubid/api.c
-@@ -39,8 +39,8 @@
- #include "idmapping.h"
- #include "subid.h"
-
--const char *Prog = "(libsubid)";
--FILE *shadow_logfd;
-+static const char *Prog = "(libsubid)";
-+static FILE *shadow_logfd;
-
- bool libsubid_init(const char *progname, FILE * logfd)
- {
---
-1.8.3.1
-
diff --git a/Makefile-include-libeconf-dependency-in-new-idmap.patch b/Makefile-include-libeconf-dependency-in-new-idmap.patch
deleted file mode 100644
index 91b1277..0000000
--- a/Makefile-include-libeconf-dependency-in-new-idmap.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c6847011e8b656adacd9a0d2a78418cad0de34cb Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Mon, 2 Aug 2021 15:54:20 +0200
-Subject: [PATCH] Makefile: include libeconf dependency in new*idmap
-
-new*idmap has a dependency with libeconf since commit
-c464ec55709dc931ba2f24073b8b1a86d5209ab0. I'm just adding it to the
-Makefile to be able to compile in distributions that include libeconf.
-
-Signed-off-by: Iker Pedrosa
----
- src/Makefile.am | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 7c1a349..6cc873b 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
- endif
-
- chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
--newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
--newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
-+newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
-+newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
- chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
- chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
- chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
---
-1.8.3.1
-
diff --git a/Respect-enable-static-no-in-libsubid.patch b/Respect-enable-static-no-in-libsubid.patch
deleted file mode 100644
index 956f7e3..0000000
--- a/Respect-enable-static-no-in-libsubid.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From fa986b1d73605ecca54a4f19249227aeab827bf6 Mon Sep 17 00:00:00 2001
-From: Serge Hallyn
-Date: Sun, 25 Jul 2021 17:18:02 +0000
-Subject: [PATCH] Respect --enable-static=no in libsubid
-
-libsubid's Makefile.am was always setting enable-shared in its LDFLAGS.
-Do that only if not building static.
-
-Closes #387
-
-Signed-off-by: Serge Hallyn
----
- configure.ac | 2 ++
- libsubid/Makefile.am | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 0f237cc..994836b 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -321,6 +321,8 @@ if test "$with_sha_crypt" = "yes"; then
- AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
- fi
-
-+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
-+
- AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
- if test "$with_bcrypt" = "yes"; then
- AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
-diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
-index 99308c1..8bba02a 100644
---- a/libsubid/Makefile.am
-+++ b/libsubid/Makefile.am
-@@ -1,6 +1,8 @@
- lib_LTLIBRARIES = libsubid.la
-+if ENABLE_SHARED
- libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
- -shared -version-info @LIBSUBID_ABI_MAJOR@
-+endif
- libsubid_la_SOURCES = api.c
-
- pkginclude_HEADERS = subid.h
---
-1.8.3.1
-
diff --git a/Revert-useradd.c-fix-memleaks-of-grp.patch b/Revert-useradd.c-fix-memleaks-of-grp.patch
deleted file mode 100644
index 10e2d64..0000000
--- a/Revert-useradd.c-fix-memleaks-of-grp.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
-From: Serge Hallyn
-Date: Sat, 14 Aug 2021 19:37:24 -0500
-Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
-
-In some cases, the value which was being freed is not actually
-safe to free.
-
-Closes #394
-
-This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
----
- src/useradd.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index f90127c..0d3f390 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -413,7 +413,6 @@ static void get_defaults (void)
- } else {
- def_group = grp->gr_gid;
- def_gname = xstrdup (grp->gr_name);
-- gr_free(grp);
- }
- }
-
---
-1.8.3.1
-
diff --git a/backport-Add-header-guards.patch b/backport-Add-header-guards.patch
deleted file mode 100644
index 9312fc4..0000000
--- a/backport-Add-header-guards.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0c7ded471fdd2a130edfb265279663c68cfd2a3c Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Tue, 10 May 2022 15:26:15 +0200
-Subject: [PATCH] Add header guards
-
-Signed-off-by: Iker Pedrosa
-
-Reference: https://github.com/shadow-maint/shadow/commit/0c7ded471fdd2a130edfb265279663c68cfd2a3c
-Conflict: shadowlog_internal.h is not currently available, and run_part.h is adapted
----
- lib/pwauth.h | 5 +++++
- lib/run_part.h | 5 +++++
- 2 files changed, 10 insertions(+)
-
-diff --git a/lib/pwauth.h b/lib/pwauth.h
-index fb205b71..b610025d 100644
---- a/lib/pwauth.h
-+++ b/lib/pwauth.h
-@@ -34,6 +34,9 @@
- * $Id$
- */
-
-+#ifndef _PWAUTH_H
-+#define _PWAUTH_H
-+
- #ifndef USE_PAM
- int pw_auth (const char *cipher,
- const char *user,
-@@ -64,3 +67,5 @@ int pw_auth (const char *cipher,
- #define PW_RLOGIN 202
- #define PW_FTP 203
- #define PW_REXEC 204
-+
-+#endif /* _PWAUTH_H */
-diff --git a/lib/run_part.h b/lib/run_part.h
-index 0b68dbfc..6422134c 100644
---- a/lib/run_part.h
-+++ b/lib/run_part.h
-@@ -1,2 +1,7 @@
-+#ifndef _RUN_PART_H
-+#define _RUN_PART_H
-+
- int run_part (char *script_path, char *name, char *action);
- int run_parts (char *directory, char *name, char *action);
-+
-+#endif /* _RUN_PART_H */
---
-2.23.0
diff --git a/backport-Change-to-strncat.patch b/backport-Change-to-strncat.patch
deleted file mode 100644
index f41f517..0000000
--- a/backport-Change-to-strncat.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9560152f1bdae02b072b54ea65d1e686ebd46e5f Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Fri, 18 Mar 2022 15:35:02 -0400
-Subject: [PATCH] Change to strncat
-
-ut_line is declared as a nonstring in bits/utmp.h. It might not be NUL
-terminated. Limit how much it copies to the size of the array.
-
-Reference: https://github.com/shadow-maint/shadow/commit/4f393a5f9fd9168c91225ae1b39843fc90372c74
-Conflict: NA
----
- src/logoutd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/logoutd.c b/src/logoutd.c
-index 780c29f..06c12c6 100644
---- a/src/logoutd.c
-+++ b/src/logoutd.c
-@@ -250,7 +250,7 @@ int main (int argc, char **argv)
- tty_name[0] = '\0';
- }
-
-- strcat (tty_name, ut->ut_line);
-+ strncat (tty_name, ut->ut_line, UT_LINESIZE);
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
---
-2.33.0
diff --git a/backport-Do-not-return-garbage-in-run_parts.patch b/backport-Do-not-return-garbage-in-run_parts.patch
deleted file mode 100644
index bd68e86..0000000
--- a/backport-Do-not-return-garbage-in-run_parts.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From b2bc1f692736debf3ba94872db73435d114d19ec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Mon, 3 Jan 2022 13:12:31 +0100
-Subject: [PATCH] Do not return garbage in run_parts
-
-If scandir(3) returns 0, the uninitialized value of execute_result will
-be returned.
-
-Reference: https://github.com/shadow-maint/shadow/commit/b2bc1f692736debf3ba94872db73435d114d19ec
-Conflict: NA
-
----
- lib/run_part.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/run_part.c b/lib/run_part.c
-index 884bbefa..1e4f154b 100644
---- a/lib/run_part.c
-+++ b/lib/run_part.c
-@@ -48,7 +48,7 @@ int run_parts (const char *directory, const char *name, const char *action)
- int execute_result;
-
- scanlist = scandir (directory, &namelist, 0, alphasort);
-- if (scanlist<0) {
-+ if (scanlist<=0) {
- return (0);
- }
-
---
-2.27.0
-
diff --git a/backport-Handle-ERANGE-error-correctly.patch b/backport-Handle-ERANGE-error-correctly.patch
deleted file mode 100644
index d5e1f2a..0000000
--- a/backport-Handle-ERANGE-error-correctly.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e9bf727253e13968c4c61d71f4725e668cd49881 Mon Sep 17 00:00:00 2001
-From: Niko <2089413+NikoDelarich@users.noreply.github.com>
-Date: Tue, 1 Mar 2022 14:43:07 +0100
-Subject: [PATCH] Handle ERANGE error correctly
-
-The reentrant functions getgrgid_r, getgrnam_r, getpwnam_r, etc. all return an error code instead of setting errno. Adapt the error check accordingly.
-
-Reference: https://github.com/shadow-maint/shadow/commit/e9bf727253e13968c4c61d71f4725e668cd49881
-Conflict: NA
-
----
- libmisc/xgetXXbyYY.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/libmisc/xgetXXbyYY.c b/libmisc/xgetXXbyYY.c
-index db010224..6a3f9693 100644
---- a/libmisc/xgetXXbyYY.c
-+++ b/libmisc/xgetXXbyYY.c
-@@ -66,7 +66,6 @@
- "x" STRINGIZE(FUNCTION_NAME));
- exit (13);
- }
-- errno = 0;
- status = REENTRANT_NAME(ARG_NAME, result, buffer,
- length, &resbuf);
- if ((0 == status) && (resbuf == result)) {
-@@ -78,7 +77,7 @@
- return ret_result;
- }
-
-- if (ERANGE != errno) {
-+ if (ERANGE != status) {
- free (buffer);
- free (result);
- return NULL;
---
-2.27.0
-
diff --git a/backport-Initialize-local-variables.patch b/backport-Initialize-local-variables.patch
deleted file mode 100644
index f225025..0000000
--- a/backport-Initialize-local-variables.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 3b89b71680b2eb46135439e0a7760dbe040628e5 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Mon, 16 May 2022 17:24:58 +0200
-Subject: [PATCH] Initialize local variables
-
-CWE-457 by CodeQL.
-
-Signed-off-by: Iker Pedrosa
-
-Reference: https://github.com/shadow-maint/shadow/commit/3b89b71680b2eb46135439e0a7760dbe040628e5
-Conflict: The number of lines is inconsistent and there is a little difference in adaptation
-
----
- lib/run_part.c | 2 +-
- src/faillog.c | 4 ++--
- src/lastlog.c | 21 ++++++++++-----------
- 3 files changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/lib/run_part.c b/lib/run_part.c
-index 1e4f154b..bce11d37 100644
---- a/lib/run_part.c
-+++ b/lib/run_part.c
-@@ -43,7 +43,7 @@ int run_parts (char *directory, char *name, char *action)
- struct dirent **namelist;
- int scanlist;
- int n;
-- int execute_result;
-+ int execute_result = 0;
-
- scanlist = scandir (directory, &namelist, 0, alphasort);
- if (scanlist<=0) {
-diff --git a/src/faillog.c b/src/faillog.c
-index d33fe9b6..0f94836f 100644
---- a/src/faillog.c
-+++ b/src/faillog.c
-@@ -565,9 +565,9 @@ static void set_locktime (long locktime)
-
- int main (int argc, char **argv)
- {
-- long fail_locktime;
-+ long fail_locktime = 0;
- short fail_max = 0; // initialize to silence compiler warning
-- long days;
-+ long days = 0;
-
- /*
- * Get the program name. The program name is used as a prefix to
-diff --git a/src/lastlog.c b/src/lastlog.c
-index 3c0fc9c6..0d4b5fd2 100644
---- a/src/lastlog.c
-+++ b/src/lastlog.c
-@@ -114,7 +114,16 @@ static void print_one (/*@null@*/const struct passwd *pw)
- #endif
-
- #ifdef HAVE_LL_HOST
-- int maxIPv6Addrlen;
-+ /*
-+ * ll_host is in minimized form, thus the maximum IPv6 address possible is
-+ * 8*4+7 = 39 characters.
-+ * RFC 4291 2.5.6 states that for LL-addresses fe80+only the interface ID is set,
-+ * thus having a maximum size of 25+1+IFNAMSIZ.
-+ * POSIX says IFNAMSIZ should be 16 characters long including the null byte, thus
-+ * 25+1+IFNAMSIZ >= 42 > 39
-+ */
-+ /* Link-Local address + % + Interfacename */
-+ const int maxIPv6Addrlen = 25+1+IFNAMSIZ;
- #endif
-
- if (NULL == pw) {
-@@ -158,16 +167,6 @@ static void print_one (/*@null@*/const struct passwd *pw)
- /* Print the header only once */
- if (!once) {
- #ifdef HAVE_LL_HOST
-- /*
-- * ll_host is in minimized form, thus the maximum IPv6 address possible is
-- * 8*4+7 = 39 characters.
-- * RFC 4291 2.5.6 states that for LL-addresses fe80+only the interface ID is set,
-- * thus having a maximum size of 25+1+IFNAMSIZ.
-- * POSIX says IFNAMSIZ should be 16 characters long including the null byte, thus
-- * 25+1+IFNAMSIZ >= 42 > 39
-- */
-- /* Link-Local address + % + Interfacename */
-- maxIPv6Addrlen = 25+1+IFNAMSIZ;
- printf (_("Username Port From%*sLatest\n"), maxIPv6Addrlen-3, " ");
- #else
- puts (_("Username Port Latest"));
---
-2.27.0
-
diff --git a/backport-Remove-commented-out-code-and-FIXMEs.patch b/backport-Remove-commented-out-code-and-FIXMEs.patch
deleted file mode 100644
index 5b79af8..0000000
--- a/backport-Remove-commented-out-code-and-FIXMEs.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From 0b51cde162322ad1c6d162be0bc1b97065ff25c8 Mon Sep 17 00:00:00 2001 -From: Iker Pedrosa -Date: Tue, 10 May 2022 15:01:21 +0200 -Subject: [PATCH] Remove commented out code and FIXMEs - -In order to remove some of the FIXMEs it was necessary to change the -code and call getulong() instead of getlong(). - -Signed-off-by: Iker Pedrosa - -Reference: https://github.com/shadow-maint/shadow/commit/0b51cde162322ad1c6d162be0bc1b97065ff25c8 -Conflict: NA - ---- - lib/getdef.c | 1 - - lib/sgetspent.c | 3 +-- - lib/shadow.c | 3 +-- - libmisc/salt.c | 3 ++- - 4 files changed, 4 insertions(+), 6 deletions(-) - -diff --git a/lib/getdef.c b/lib/getdef.c -index fbaea2e1..2e6022fa 100644 ---- a/lib/getdef.c -+++ b/lib/getdef.c -@@ -345,7 +345,6 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt) - } - - if (getulong (d->value, &val) == 0) { -- /* FIXME: we should have a getulong */ - fprintf (shadow_logfd, - _("configuration error - cannot parse %s value: '%s'"), - item, d->value); -diff --git a/lib/sgetspent.c b/lib/sgetspent.c -index a35b6759..cbadb7e6 100644 ---- a/lib/sgetspent.c -+++ b/lib/sgetspent.c -@@ -171,8 +171,7 @@ struct spwd *sgetspent (const char *string) - - if (fields[8][0] == '\0') { - spwd.sp_flag = SHADOW_SP_FLAG_UNSET; -- } else if (getlong (fields[8], &spwd.sp_flag) == 0) { -- /* FIXME: add a getulong function */ -+ } else if (getulong (fields[8], &spwd.sp_flag) == 0) { - return 0; - } - -diff --git a/lib/shadow.c b/lib/shadow.c -index 9e86b908..b628b657 100644 ---- a/lib/shadow.c -+++ b/lib/shadow.c -@@ -305,8 +305,7 @@ static struct spwd *my_sgetspent (const char *string) - if (fields[8][0] == '\0') { - spwd.sp_flag = SHADOW_SP_FLAG_UNSET; - } else { -- if (getlong (fields[8], &spwd.sp_flag) == 0) { -- /* FIXME: add a getulong function */ -+ if (getulong (fields[8], &spwd.sp_flag) == 0) { - #ifdef USE_NIS - if (nis_used) { - spwd.sp_flag = SHADOW_SP_FLAG_UNSET; -diff --git a/libmisc/salt.c b/libmisc/salt.c -index 
ebf162fc..450293d7 100644 ---- a/libmisc/salt.c -+++ b/libmisc/salt.c -@@ -341,9 +341,10 @@ static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int * - /* - * Use 19 as an upper bound for now, - * because musl doesn't allow rounds >= 20. -+ * If musl ever supports > 20 rounds, -+ * rounds should be set to B_ROUNDS_MAX. - */ - if (rounds > 19) { -- /* rounds = B_ROUNDS_MAX; */ - rounds = 19; - } - #endif /* USE_XCRYPT_GENSALT */ --- -2.27.0 - diff --git a/backport-Remove-redeclared-variable.patch b/backport-Remove-redeclared-variable.patch deleted file mode 100644 index 96f716d..0000000 --- a/backport-Remove-redeclared-variable.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 23baa40d9d96743dd3377de0de8e422b7ec3ed94 Mon Sep 17 00:00:00 2001 -From: Iker Pedrosa -Date: Tue, 10 May 2022 13:23:07 +0200 -Subject: [PATCH] Remove redeclared variable - -No need to redeclare a variable with the same name and type. Just keep -the one with the biggest scope. - -Signed-off-by: Iker Pedrosa - -Reference: https://github.com/shadow-maint/shadow/commit/23baa40d9d96743dd3377de0de8e422b7ec3ed94 -Conflict: NA - ---- - src/vipw.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/vipw.c b/src/vipw.c -index 8c97f4bc..488a97d9 100644 ---- a/src/vipw.c -+++ b/src/vipw.c -@@ -293,7 +293,6 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) - /* use the system() call to invoke the editor so that it accepts - command line args in the EDITOR and VISUAL environment vars */ - char *buf; -- int status; - - /* Wait for parent to make us the foreground pgrp. */ - if (orig_pgrp != -1) { --- -2.27.0 diff --git a/backport-chpasswd-add-get_salt-for-generating-salt-value.patch b/backport-chpasswd-add-get_salt-for-generating-salt-value.patch deleted file mode 100644 index 116f519..0000000 --- a/backport-chpasswd-add-get_salt-for-generating-salt-value.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 6d1b10b9e516bd88fa34392395b0a7c6e6f54fd7 Mon Sep 17 00:00:00 2001 -From: juyin -Date: Thu, 31 Mar 2022 16:45:19 +0800 -Subject: [PATCH] chpasswd: add get_salt for generating salt value - -The function that generates the salt value is extracted separately, and it is more convenient to modify it later. - -Reference: https://github.com/shadow-maint/shadow/commit/a026154c6fca7c7e5d6d0723e0cc29d6cd9fa00a -Conflict: The EulerOS supports SM3. As a result, the patch is different. ---- - src/chpasswd.c | 73 +++++++++++++++++++++++++++----------------------- - 1 file changed, 39 insertions(+), 34 deletions(-) - -diff --git a/src/chpasswd.c b/src/chpasswd.c -index 5dfb995..708f973 100644 ---- a/src/chpasswd.c -+++ b/src/chpasswd.c -@@ -430,12 +430,54 @@ static void close_files (void) - pw_locked = false; - } - -+static const char *get_salt(void) -+{ -+ if ( !eflg -+ && ( (NULL == crypt_method) -+ || (0 != strcmp (crypt_method, "NONE")))) { -+ void *arg = NULL; -+ -+ if (md5flg) { -+ crypt_method = "MD5"; -+ } -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+ if (sflg) { -+#if defined(USE_SHA_CRYPT) -+ if ( (0 == strcmp (crypt_method, "SHA256")) -+ || (0 == strcmp (crypt_method, "SHA512"))) { -+ arg = &sha_rounds; -+ } -+#endif /* USE_SHA_CRYPT */ -+#if defined(USE_BCRYPT) -+ if (0 == strcmp (crypt_method, "BCRYPT")) { -+ arg = &bcrypt_rounds; -+ } -+#endif /* USE_BCRYPT */ -+#if defined(USE_YESCRYPT) -+ if (0 == strcmp (crypt_method, "YESCRYPT")) { -+ arg = &yescrypt_cost; -+ } -+#endif /* USE_YESCRYPT */ -+#if defined(USE_SM3_CRYPT) -+ if (0 == strcmp (crypt_method, "SM3")) { -+ arg = &sm3_rounds; -+ } -+#endif /* USE_SM3_CRYPT */ -+ } -+#endif -+ return crypt_make_salt (crypt_method, arg); -+ } -+ -+ return NULL; -+} -+ - int main (int argc, char **argv) - { - char buf[BUFSIZ]; - char *name; - char *newpwd; - char *cp; -+ const char *salt; - - #ifdef USE_PAM - bool use_pam = true; -@@ -545,40 +587,8 @@ int main (int 
argc, char **argv) - const struct passwd *pw; - struct passwd newpw; - -- if ( !eflg -- && ( (NULL == crypt_method) -- || (0 != strcmp (crypt_method, "NONE")))) { -- void *arg = NULL; -- const char *salt; -- if (md5flg) { -- crypt_method = "MD5"; -- } --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -- if (sflg) { --#if defined(USE_SHA_CRYPT) -- if ( (0 == strcmp (crypt_method, "SHA256")) -- || (0 == strcmp (crypt_method, "SHA512"))) { -- arg = &sha_rounds; -- } --#endif /* USE_SHA_CRYPT */ --#if defined(USE_BCRYPT) -- if (0 == strcmp (crypt_method, "BCRYPT")) { -- arg = &bcrypt_rounds; -- } --#endif /* USE_BCRYPT */ --#if defined(USE_YESCRYPT) -- if (0 == strcmp (crypt_method, "YESCRYPT")) { -- arg = &yescrypt_cost; -- } --#endif /* USE_YESCRYPT */ --#if defined(USE_SM3_CRYPT) -- if (0 == strcmp (crypt_method, "SM3")) { -- arg = &sm3_rounds; -- } --#endif /* USE_SM3_CRYPT */ -- } --#endif -- salt = crypt_make_salt (crypt_method, arg); -+ salt = get_salt(); -+ if (salt) { - cp = pw_encrypt (newpwd, salt); - if (NULL == cp) { - fprintf (stderr, --- -2.33.0 diff --git a/backport-chpasswd-fix-function-problem-with-R-parameter.patch b/backport-chpasswd-fix-function-problem-with-R-parameter.patch deleted file mode 100644 index 1d454ec..0000000 --- a/backport-chpasswd-fix-function-problem-with-R-parameter.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 3732cf72d6f05fcd9d9f301eac84c1a61443e379 Mon Sep 17 00:00:00 2001
-From: juyin
-Date: Thu, 31 Mar 2022 16:48:52 +0800
-Subject: [PATCH] chpasswd: fix function problem with -R parameter
-
-Generating salt value depends on /dev/urandom. But after the
-function process_root_flag changed the root directory, It does
-not exist.
-
-So, generate salt value before changeing the directory.
-
-Fixes: #514
-
-Reference: https://github.com/shadow-maint/shadow/commit/3732cf72d6f05fcd9d9f301eac84c1a61443e379
-Conflict: NA
----
- src/chpasswd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/chpasswd.c b/src/chpasswd.c
-index 94e923ab..d0da14c6 100644
---- a/src/chpasswd.c
-+++ b/src/chpasswd.c
-@@ -451,10 +451,11 @@ int main (int argc, char **argv)
- (void) bindtextdomain (PACKAGE, LOCALEDIR);
- (void) textdomain (PACKAGE);
-
-- process_root_flag ("-R", argc, argv);
--
- process_flags (argc, argv);
-
-+ salt = get_salt();
-+ process_root_flag ("-R", argc, argv);
-+
- #ifdef USE_PAM
- if (md5flg || eflg || cflg) {
- use_pam = false;
-@@ -545,7 +546,6 @@ int main (int argc, char **argv)
- const struct passwd *pw;
- struct passwd newpw;
-
-- salt = get_salt();
- if (salt) {
- cp = pw_encrypt (newpwd, salt);
- if (NULL == cp) {
---
-2.23.0
-
diff --git a/backport-libmisc-add-check-fopen-return-value-in-read_random_.patch b/backport-libmisc-add-check-fopen-return-value-in-read_random_.patch
deleted file mode 100644
index 7794c44..0000000
--- a/backport-libmisc-add-check-fopen-return-value-in-read_random_.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From a43d0b95c44b2c36025452b772b9d4b251281e3e Mon Sep 17 00:00:00 2001
-From: juyin
-Date: Wed, 30 Mar 2022 19:21:32 +0800
-Subject: [PATCH] libmisc: add check fopen return value in read_random_bytes()
-
-Returns null when fopen fails. Then, using fread with a null pointer will cause a segfault.
-
-Signed-off-by: Yan Zhu
-
-Reference: https://github.com/shadow-maint/shadow/commit/a43d0b95c44b2c36025452b772b9d4b251281e3e
-Conflict: NA
-
----
- libmisc/salt.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libmisc/salt.c b/libmisc/salt.c
-index f8ac5669..ebf162fc 100644
---- a/libmisc/salt.c
-+++ b/libmisc/salt.c
-@@ -175,6 +175,9 @@ static long read_random_bytes (void)
-
- #else
- FILE *f = fopen ("/dev/urandom", "r");
-+ if (NULL == f) {
-+ goto fail;
-+ }
-
- if (fread (&randval, sizeof (randval), 1, f) != 1) {
- fclose(f);
---
-2.27.0
-
diff --git a/backport-passwd-erase-password-copy-on-all-error-branches.patch b/backport-passwd-erase-password-copy-on-all-error-branches.patch
deleted file mode 100644
index 166a37d..0000000
--- a/backport-passwd-erase-password-copy-on-all-error-branches.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 58b6e97a9eef866e9e479fb781aaaf59fb11ef36 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Mon, 25 Apr 2022 12:17:40 +0200
-Subject: [PATCH] passwd: erase password copy on all error branches
-
-Reference: https://github.com/shadow-maint/shadow/commit/58b6e97a9eef866e9e479fb781aaaf59fb11ef36
-Conflict: NA
-
----
- src/passwd.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/passwd.c b/src/passwd.c
-index 80531ec6..8c6f81a9 100644
---- a/src/passwd.c
-+++ b/src/passwd.c
-@@ -289,6 +289,7 @@ static int new_password (const struct passwd *pw)
- cp = getpass (_("New password: "));
- if (NULL == cp) {
- memzero (orig, sizeof orig);
-+ memzero (pass, sizeof pass);
- return -1;
- }
- if (warned && (strcmp (pass, cp) != 0)) {
-@@ -316,6 +317,7 @@ static int new_password (const struct passwd *pw)
- cp = getpass (_("Re-enter new password: "));
- if (NULL == cp) {
- memzero (orig, sizeof orig);
-+ memzero (pass, sizeof pass);
- return -1;
- }
- if (strcmp (cp, pass) != 0) {
---
-2.27.0
-
diff --git a/backport-useradd-modify-check-ID-range-for-system-users.patch b/backport-useradd-modify-check-ID-range-for-system-users.patch
deleted file mode 100644
index c6aac9f..0000000
--- a/backport-useradd-modify-check-ID-range-for-system-users.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Tue, 4 Jan 2022 13:06:00 +0100
-Subject: [PATCH] useradd: modify check ID range for system users
-
-useradd warns that a system user ID less than SYS_UID_MIN is outside the
-expected range, even though that ID has been specifically selected with
-the "-u" option.
-
-In my opinion all the user ID's below SYS_UID_MAX are for the system,
-thus I change the condition to take that into account.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
-
-Signed-off-by: Iker Pedrosa
-
-Conflict: context adaptation
----
- src/useradd.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 34376fa..4c71c38 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
- uid_t uid_min ;
- uid_t uid_max ;
- if(rflg){
-- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
- uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
-- if(uid_min <= uid_max){
-- if(user_id < uid_min || user_id >uid_max)
-- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
-+ if (user_id > uid_max) {
-+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
- }
- }else{
- uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
---
-1.8.3.1
-
diff --git a/groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch b/groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
deleted file mode 100644
index 5a790da..0000000
--- a/groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From a757b458ffb4fb9a40bcbb4f7869449431c67f83 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?=
-Date: Mon, 1 Nov 2021 13:54:25 +0100
-Subject: [PATCH] groupdel: fix SIGSEGV when passwd does not exist
-
-When using groupdel with a prefix, groupdel will attempt to read a
-passwd file to look for any user in the group. When the file does not
-exist it cores with segmentation fault.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1986111
-Conflict: context adaptation
----
- libmisc/prefix_flag.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c
-index cca553a..b6628ac 100644
---- a/libmisc/prefix_flag.c
-+++ b/libmisc/prefix_flag.c
-@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
- if(!passwd_db_file) {
- return getpwent();
- }
-+ if (!fp_pwent) {
-+ return NULL;
-+ }
- return fgetpwent(fp_pwent);
- }
- extern void prefix_endpwent()
---
-1.8.3.1
-
diff --git a/libmisc-fix-default-value-in-SHA_get_salt_rounds.patch b/libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
deleted file mode 100644
index 5c75f9d..0000000
--- a/libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
-From: Mike Gilbert
-Date: Sat, 14 Aug 2021 13:24:34 -0400
-Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
-
-If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
-use SHA_ROUNDS_DEFAULT.
-
-Previously, the code fell through, calling shadow_random(-1, -1). This
-ultimately set rounds = (unsigned long) -1, which ends up being a very
-large number! This then got capped to SHA_ROUNDS_MAX later in the
-function.
-
-The new behavior matches BCRYPT_get_salt_rounds().
-
-Bug: https://bugs.gentoo.org/808195
-Fixes: https://github.com/shadow-maint/shadow/issues/393
----
- libmisc/salt.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/libmisc/salt.c b/libmisc/salt.c
-index 91d528f..30eefb9 100644
---- a/libmisc/salt.c
-+++ b/libmisc/salt.c
-@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
- if ((-1 == min_rounds) && (-1 == max_rounds)) {
- rounds = SHA_ROUNDS_DEFAULT;
- }
-+ else {
-+ if (-1 == min_rounds) {
-+ min_rounds = max_rounds;
-+ }
-
-- if (-1 == min_rounds) {
-- min_rounds = max_rounds;
-- }
-+ if (-1 == max_rounds) {
-+ max_rounds = min_rounds;
-+ }
-
-- if (-1 == max_rounds) {
-- max_rounds = min_rounds;
-- }
-+ if (min_rounds > max_rounds) {
-+ max_rounds = min_rounds;
-+ }
-
-- if (min_rounds > max_rounds) {
-- max_rounds = min_rounds;
-+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
- }
--
-- rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
- } else if (0 == *prefered_rounds) {
- rounds = SHA_ROUNDS_DEFAULT;
- } else {
---
-1.8.3.1
-
diff --git a/libsubid-link-to-PAM-libraries.patch b/libsubid-link-to-PAM-libraries.patch
deleted file mode 100644
index 930517c..0000000
--- a/libsubid-link-to-PAM-libraries.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From f4a84efb468b8be21be124700ce35159c444e9d6 Mon Sep 17 00:00:00 2001
-From: Xi Ruoyao
-Date: Fri, 23 Jul 2021 14:38:08 +0800
-Subject: [PATCH] libsubid: link to PAM libraries
-
-libsubid.so links to libmisc.a, which contains several routines referring to
-PAM functions.
----
- libsubid/Makefile.am | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
-index 189165b..8305156 100644
---- a/libsubid/Makefile.am
-+++ b/libsubid/Makefile.am
-@@ -16,7 +16,8 @@ MISCLIBS = \
- $(LIBCRYPT) \
- $(LIBACL) \
- $(LIBATTR) \
-- $(LIBTCB)
-+ $(LIBTCB) \
-+ $(LIBPAM)
-
- libsubid_la_LIBADD = \
- $(top_srcdir)/lib/libshadow.la \
---
-1.8.3.1
-
diff --git a/newgrp-fix-segmentation-fault.patch b/newgrp-fix-segmentation-fault.patch
deleted file mode 100644
index 0549217..0000000
--- a/newgrp-fix-segmentation-fault.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Wed, 10 Nov 2021 12:02:04 +0100
-Subject: [PATCH] newgrp: fix segmentation fault
-
-Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
-that is immediately freed.
-
-The error was committed in
-https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
-
-Signed-off-by: Iker Pedrosa
----
- src/newgrp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/newgrp.c b/src/newgrp.c
-index 730f47e..566f1c8 100644
---- a/src/newgrp.c
-+++ b/src/newgrp.c
-@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
- spwd = xgetspnam (pwd->pw_name);
- if (NULL != spwd) {
- pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
-+ spw_free (spwd);
- }
-- spw_free (spwd);
-
- if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
- needspasswd = true;
---
-1.8.3.1
-
diff --git a/pwck-fix-segfault-when-calling-fprintf.patch b/pwck-fix-segfault-when-calling-fprintf.patch
deleted file mode 100644
index d649c13..0000000
--- a/pwck-fix-segfault-when-calling-fprintf.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Mon, 15 Nov 2021 12:40:15 +0100
-Subject: [PATCH] pwck: fix segfault when calling fprintf()
-
-As shadow_logfd variable is not set at the beginning of the program if
-something fails and fprintf() is called a segmentation fault happens.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
-
-Signed-off-by: Iker Pedrosa
----
- src/pwck.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/pwck.c b/src/pwck.c
-index 4248944..4ce86af 100644
---- a/src/pwck.c
-+++ b/src/pwck.c
-@@ -857,6 +857,7 @@ int main (int argc, char **argv)
- * Get my name so that I can use it to report errors.
- */
- Prog = Basename (argv[0]);
-+ shadow_logfd = stderr;
-
- (void) setlocale (LC_ALL, "");
- (void) bindtextdomain (PACKAGE, LOCALEDIR);
---
-1.8.3.1
-
diff --git a/semanage-close-the-selabel-handle.patch b/semanage-close-the-selabel-handle.patch
deleted file mode 100644
index a138e1e..0000000
--- a/semanage-close-the-selabel-handle.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Fri, 8 Oct 2021 13:13:13 +0200
-Subject: [PATCH] semanage: close the selabel handle
-
-Close the selabel handle to update the file_context. This means that the
-file_context will be remmaped and used by selabel_lookup() to return
-the appropriate context to label the home folder.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
-
-Signed-off-by: Iker Pedrosa
----
- lib/prototypes.h | 1 +
- lib/selinux.c | 5 +++++
- lib/semanage.c | 1 +
- 3 files changed, 7 insertions(+)
-
-diff --git a/lib/prototypes.h b/lib/prototypes.h
-index 1d1586d..b697e0e 100644
---- a/lib/prototypes.h
-+++ b/lib/prototypes.h
-@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
- /* selinux.c */
- #ifdef WITH_SELINUX
- extern int set_selinux_file_context (const char *dst_name, mode_t mode);
-+extern void reset_selinux_handle (void);
- extern int reset_selinux_file_context (void);
- extern int check_selinux_permit (const char *perm_name);
- #endif
-diff --git a/lib/selinux.c b/lib/selinux.c
-index c83545f..b075d4c 100644
---- a/lib/selinux.c
-+++ b/lib/selinux.c
-@@ -50,6 +50,11 @@ static void cleanup(void)
- }
- }
-
-+void reset_selinux_handle (void)
-+{
-+ cleanup();
-+}
-+
- /*
- * set_selinux_file_context - Set the security context before any file or
- * directory creation.
-diff --git a/lib/semanage.c b/lib/semanage.c
-index 0d30456..a5bf921 100644
---- a/lib/semanage.c
-+++ b/lib/semanage.c
-@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
- }
-
- ret = 0;
-+ reset_selinux_handle();
-
- done:
- semanage_seuser_key_free (key);
---
-1.8.3.1
-
diff --git a/shadow-4.13.tar.xz b/shadow-4.13.tar.xz
new file mode 100644
index 0000000..38cdecf
Binary files /dev/null and b/shadow-4.13.tar.xz differ
diff --git a/shadow-4.8-goodname.patch b/shadow-4.8-goodname.patch
deleted file mode 100644
index f3c18d5..0000000
--- a/shadow-4.8-goodname.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
---- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100
-+++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100
-@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
- }
-
- /*
-- * User/group names must match [a-z_][a-z0-9_-]*[$]
-- */
-+ * User/group names must match gnu e-regex:
-+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
-+ *
-+ * as a non-POSIX, extension, allow "$" as the last char for
-+ * sake of Samba 3.x "add machine script"
-+ *
-+ * Also do not allow fully numeric names or just "." or "..".
-+ */
-+ int numeric;
-
-- if (('\0' == *name) ||
-- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
-+ if ('\0' == *name ||
-+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
-+ '\0' == name[1])) ||
-+ !((*name >= 'a' && *name <= 'z') ||
-+ (*name >= 'A' && *name <= 'Z') ||
-+ (*name >= '0' && *name <= '9') ||
-+ *name == '_' ||
-+ *name == '.')) {
- return false;
- }
-
-+ numeric = isdigit(*name);
-+
- while ('\0' != *++name) {
-- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
-- ( ('0' <= *name) && ('9' >= *name) ) ||
-- ('_' == *name) ||
-- ('-' == *name) ||
-- ( ('$' == *name) && ('\0' == *(name + 1)) )
-+ if (!((*name >= 'a' && *name <= 'z') ||
-+ (*name >= 'A' && *name <= 'Z') ||
-+ (*name >= '0' && *name <= '9') ||
-+ *name == '_' ||
-+ *name == '.' ||
-+ *name == '-' ||
-+ (*name == '$' && name[1] == '\0')
- )) {
- return false;
- }
-+ numeric &= isdigit(*name);
- }
-
-- return true;
-+ return !numeric;
- }
-
- bool is_valid_user_name (const char *name)
-diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
---- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100
-@@ -273,10 +273,12 @@
-
- CAVEATS
-
-- Groupnames must start with a lower case letter or an underscore,
-- followed by lower case letters, digits, underscores, or dashes.
-- They can end with a dollar sign.
-- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-+ Groupnames may contain only lower and upper case letters, digits,
-+ underscores, or dashes. They can end with a dollar sign.
-+
-+ Dashes are not allowed at the beginning of the groupname.
-+ Fully numeric groupnames and groupnames . or .. are
-+ also disallowed.
-
-
- Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
-diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
---- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200
-+++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100
-@@ -661,10 +661,14 @@
-
-
-
-- Usernames must start with a lower case letter or an underscore,
-- followed by lower case letters, digits, underscores, or dashes.
-- They can end with a dollar sign.
-- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-+ Usernames may contain only lower and upper case letters, digits,
-+ underscores, or dashes. They can end with a dollar sign.
-+
-+ Dashes are not allowed at the beginning of the username.
-+ Fully numeric usernames and usernames . or .. are
-+ also disallowed. It is not recommended to use usernames beginning
-+ with . character as their home directories will be hidden in
-+ the ls output.
-
-
- Usernames may only be up to 32 characters long.
diff --git a/shadow-4.8-long-entry.patch b/shadow-4.8-long-entry.patch
deleted file mode 100644
index 64d9636..0000000
--- a/shadow-4.8-long-entry.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
---- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100
-+++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100
-@@ -388,6 +388,9 @@ extern char *strerror ();
- # endif
- #endif
-
-+/* Maximum length of passwd entry */
-+#define PASSWD_ENTRY_MAX_LENGTH 32768
-+
- #ifdef HAVE_SECURE_GETENV
- # define shadow_getenv(name) secure_getenv(name)
- # else
-diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
---- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100
-@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
- || (pw->pw_gid == (gid_t)-1)
- || (valid_field (pw->pw_gecos, ":\n") == -1)
- || (valid_field (pw->pw_dir, ":\n") == -1)
-- || (valid_field (pw->pw_shell, ":\n") == -1)) {
-+ || (valid_field (pw->pw_shell, ":\n") == -1)
-+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
-+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
-+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
- return -1;
- }
-
-diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
---- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200
-+++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100
-@@ -57,7 +57,7 @@
- struct passwd *sgetpwent (const char *buf)
- {
- static struct passwd pwent;
-- static char pwdbuf[1024];
-+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
- register int i;
- register char *cp;
- char *fields[NFIELDS];
-@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
- * the password structure remain valid.
- */
-
-- if (strlen (buf) >= sizeof pwdbuf)
-+ if (strlen (buf) >= sizeof pwdbuf) {
-+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
- return 0; /* fail if too long */
-+ }
- strcpy (pwdbuf, buf);
-
- /*
-diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
---- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100
-@@ -48,7 +48,7 @@
- */
- struct spwd *sgetspent (const char *string)
- {
-- static char spwbuf[1024];
-+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
- static struct spwd spwd;
- char *fields[FIELDS];
- char *cp;
-@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
- */
-
- if (strlen (string) >= sizeof spwbuf) {
-+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
- return 0; /* fail if too long */
- }
- strcpy (spwbuf, string);
-diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
---- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100
-@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
-
- if ( (NULL == sp)
- || (valid_field (sp->sp_namp, ":\n") == -1)
-- || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
-+ || (valid_field (sp->sp_pwdp, ":\n") == -1)
-+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
-+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) {
- return -1;
- }
-
diff --git a/shadow-4.9-null-tm.patch b/shadow-4.9-null-tm.patch
deleted file mode 100644
index 249b27b..0000000
--- a/shadow-4.9-null-tm.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Index: shadow-4.5/src/chage.c
-===================================================================
---- shadow-4.5.orig/src/chage.c
-+++ shadow-4.5/src/chage.c
-@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
- struct tm *tp;
-
- tp = gmtime (&date);
-+ if (tp == NULL) {
-+ (void) snprintf (buf, maxsize, "(unknown)");
-+ return;
-+ }
- #ifdef HAVE_STRFTIME
- (void) strftime (buf, maxsize, "%Y-%m-%d", tp);
- #else
-Index: shadow-4.5/src/lastlog.c
-===================================================================
---- shadow-4.5.orig/src/lastlog.c
-+++ shadow-4.5/src/lastlog.c
-@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
-
- ll_time = ll.ll_time;
- tm = localtime (&ll_time);
-+ if (tm == NULL) {
-+ cp = "(unknown)";
-+ } else {
- #ifdef HAVE_STRFTIME
-- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-- cp = ptime;
-+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-+ cp = ptime;
- #else
-- cp = asctime (tm);
-- cp[24] = '\0';
-+ cp = asctime (tm);
-+ cp[24] = '\0';
- #endif
-+ }
-
- if (ll.ll_time == (time_t) 0) {
- cp = _("**Never logged in**\0");
-Index: shadow-4.5/src/passwd.c
-===================================================================
---- shadow-4.5.orig/src/passwd.c
-+++ shadow-4.5/src/passwd.c
-@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
- struct tm *tm;
-
- tm = gmtime (&t);
-+ if (tm == NULL) {
-+ return "(unknown)";
-+ }
- #ifdef HAVE_STRFTIME
- (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
- #else /* !HAVE_STRFTIME */
-Index: shadow-4.5/src/usermod.c
-===================================================================
---- shadow-4.5.orig/src/usermod.c
-+++ shadow-4.5/src/usermod.c
-@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
- } else {
- time_t t = (time_t) date;
- tp = gmtime (&t);
-+ if (tp == NULL) {
-+ strncpy (buf, "unknown", maxsize);
-+ return;
-+ }
- #ifdef HAVE_STRFTIME
- strftime (buf, maxsize, "%Y-%m-%d", tp);
- #else
diff --git a/shadow-4.9.tar.xz b/shadow-4.9.tar.xz
deleted file mode 100644
index efe30aa..0000000
Binary files a/shadow-4.9.tar.xz and /dev/null differ
diff --git a/shadow-add-sm3-crypt-support.patch b/shadow-add-sm3-crypt-support.patch
index cd1a42c..d9b6cf4 100644
--- a/shadow-add-sm3-crypt-support.patch
+++ b/shadow-add-sm3-crypt-support.patch
@@ -1,780 +1,782 @@ -From d7fa75bbd22a08b4e0b8c7e3ccab588c87d23835 Mon Sep 17 00:00:00 2001 -From: root -Date: Wed, 29 Dec 2021 16:05:56 +0800 -Subject: [PATCH] shadow add sm3 crypt support - ---- - configure.ac | 9 ++++ - etc/login.defs | 17 ++++++++ - lib/encrypt.c | 3 ++ - lib/getdef.c | 4 ++ - libmisc/obscure.c | 3 ++ - libmisc/salt.c | 106 +++++++++++++++++++++++++++++++++++++++++++--- - src/chgpasswd.c | 48 +++++++++++++++------ - src/chpasswd.c | 44 +++++++++++++------ - src/newusers.c | 59 +++++++++++++++++++------- - src/passwd.c | 7 ++- - 10 files changed, 252 insertions(+), 48 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 994836b..40348c0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -288,6 +288,9 @@ AC_ARG_WITH(libcrack, - AC_ARG_WITH(sha-crypt, - [AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])], - [with_sha_crypt=$withval], [with_sha_crypt=yes]) -+AC_ARG_WITH(sm3-crypt, -+ [AC_HELP_STRING([--with-sm3-crypt], [allow the SM3 password encryption algorithms @<:@default=yes@:>@])], -+ [with_sm3_crypt=$withval], [with_sm3_crypt=yes]) - AC_ARG_WITH(bcrypt, - [AC_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])], - [with_bcrypt=$withval], [with_bcrypt=no]) -@@ -321,6 +324,11 @@ if test "$with_sha_crypt" = "yes"; then - AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms]) - fi - -+AM_CONDITIONAL(USE_SM3_CRYPT, test "x$with_sm3_crypt" = "xyes") -+if test "$with_sm3_crypt" = "yes"; then -+ AC_DEFINE(USE_SM3_CRYPT, 1, [Define to allow the SM3 password encryption algorithms]) -+fi -+ - AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes") - - AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes") -@@ -766,6 +774,7 @@ echo " tcb support (incomplete): $with_tcb" - echo " shadow group support: $enable_shadowgrp" - echo " S/Key support: $with_skey" - echo " SHA passwords 
encryption: $with_sha_crypt" -+echo " SM3 passwords encryption: $with_sm3_crypt" - echo " bcrypt passwords encryption: $with_bcrypt" - echo " yescrypt passwords encryption: $with_yescrypt" - echo " nscd support: $with_nscd" -diff --git a/etc/login.defs b/etc/login.defs -index 94a2b1b..6db08e1 100644 ---- a/etc/login.defs -+++ b/etc/login.defs -@@ -353,6 +353,23 @@ CHFN_RESTRICT rwh - #SHA_CRYPT_MIN_ROUNDS 5000 - #SHA_CRYPT_MAX_ROUNDS 5000 - -+# -+# Only works if ENCRYPT_METHOD is set to SM3. -+# -+# Define the number of SM3 rounds. -+# With a lot of rounds, it is more difficult to brute-force the password. -+# However, more CPU resources will be needed to authenticate users if -+# this value is increased. -+# -+# If not specified, the libc will choose the default number of rounds (5000), -+# which is orders of magnitude too low for modern hardware. -+# The values must be within the 1000-999999999 range. -+# If only one of the MIN or MAX values is set, then this value will be used. -+# If MIN > MAX, the highest value will be used. -+# -+#SM3_CRYPT_MAX_ROUNDS 5000 -+#SM3_CRYPT_MIN_ROUNDS 5000 -+ - # - # Only works if ENCRYPT_METHOD is set to BCRYPT. - # -diff --git a/lib/encrypt.c b/lib/encrypt.c -index 66c52f2..7fae31d 100644 ---- a/lib/encrypt.c -+++ b/lib/encrypt.c -@@ -74,6 +74,9 @@ - case '6': - method = "SHA512"; - break; -+ case 's': // salt = $sm3$... 
-+ method = "SM3"; -+ break; - case 'y': - method = "YESCRYPT"; - break; -diff --git a/lib/getdef.c b/lib/getdef.c -index 80eb18c..00459ff 100644 ---- a/lib/getdef.c -+++ b/lib/getdef.c -@@ -124,6 +124,10 @@ static struct itemdef def_table[] = { - {"SHA_CRYPT_MAX_ROUNDS", NULL}, - {"SHA_CRYPT_MIN_ROUNDS", NULL}, - #endif -+#ifdef USE_SM3_CRYPT -+ {"SM3_CRYPT_MAX_ROUNDS", NULL}, -+ {"SM3_CRYPT_MIN_ROUNDS", NULL}, -+#endif - #ifdef USE_BCRYPT - {"BCRYPT_MAX_ROUNDS", NULL}, - {"BCRYPT_MIN_ROUNDS", NULL}, -diff --git a/libmisc/obscure.c b/libmisc/obscure.c -index dc69f76..3907294 100644 ---- a/libmisc/obscure.c -+++ b/libmisc/obscure.c -@@ -269,6 +269,9 @@ static /*@observer@*//*@null@*/const char *obscure_msg ( - || (strcmp (result, "SHA256") == 0) - || (strcmp (result, "SHA512") == 0) - #endif -+#ifdef USE_SM3_CRYPT -+ || (strcmp (result, "SM3") == 0) -+#endif - #ifdef USE_BCRYPT - || (strcmp (result, "BCRYPT") == 0) - #endif -diff --git a/libmisc/salt.c b/libmisc/salt.c -index 30eefb9..b108a23 100644 ---- a/libmisc/salt.c -+++ b/libmisc/salt.c -@@ -55,6 +55,17 @@ - #define SHA_ROUNDS_MAX 999999999 - #endif - -+#ifdef USE_SM3_CRYPT -+/* Fixed salt len for sm3 crypt. */ -+#define SM3_CRYPT_SALT_SIZE 16 -+/* Default number of rounds if not explicitly specified. */ -+#define SM3_ROUNDS_DEFAULT 5000 -+/* Minimum number of rounds. */ -+#define SM3_ROUNDS_MIN 1000 -+/* Maximum number of rounds. */ -+#define SM3_ROUNDS_MAX 999999999 -+#endif -+ - #ifdef USE_YESCRYPT - /* - * Default number of base64 characters used for the salt. 
-@@ -87,13 +98,17 @@ static long read_random_bytes (void); - #if !USE_XCRYPT_GENSALT - static /*@observer@*/const char *gensalt (size_t salt_size); - #endif /* !USE_XCRYPT_GENSALT */ --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) - static long shadow_random (long min, long max); --#endif /* USE_SHA_CRYPT || USE_BCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_SM3_CRYPT*/ - #ifdef USE_SHA_CRYPT - static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds); - static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds); - #endif /* USE_SHA_CRYPT */ -+#ifdef USE_SM3_CRYPT -+static /*@observer@*/const unsigned long SM3_get_salt_rounds (/*@null@*/int *prefered_rounds); -+static /*@observer@*/void SM3_salt_rounds_to_buf (char *buf, unsigned long rounds); -+#endif - #ifdef USE_BCRYPT - static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds); - static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds); -@@ -186,7 +201,7 @@ end: - return randval; - } - --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) - /* - * Return a random number between min and max (both included). - * -@@ -208,7 +223,7 @@ static long shadow_random (long min, long max) - } - return ret; - } --#endif /* USE_SHA_CRYPT || USE_BCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_SM3_CRYPT*/ - - #ifdef USE_SHA_CRYPT - /* Return the the rounds number for the SHA crypt methods. */ -@@ -284,6 +299,80 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round - } - #endif /* USE_SHA_CRYPT */ - -+#ifdef USE_SM3_CRYPT -+/* Return the the rounds number for the SM3 crypt methods. 
*/ -+static /*@observer@*/const unsigned long SM3_get_salt_rounds (/*@null@*/int *prefered_rounds) -+{ -+ unsigned long rounds; -+ -+ if (NULL == prefered_rounds) { -+ long min_rounds = getdef_long ("SM3_CRYPT_MIN_ROUNDS", -1); -+ long max_rounds = getdef_long ("SM3_CRYPT_MAX_ROUNDS", -1); -+ -+ if ((-1 == min_rounds) && (-1 == max_rounds)) { -+ rounds = SM3_ROUNDS_DEFAULT; -+ } -+ else { -+ if (-1 == min_rounds) { -+ min_rounds = max_rounds; -+ } -+ -+ if (-1 == max_rounds) { -+ max_rounds = min_rounds; -+ } -+ -+ if (min_rounds > max_rounds) { -+ max_rounds = min_rounds; -+ } -+ -+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds); -+ } -+ } else if (0 == *prefered_rounds) { -+ rounds = SM3_ROUNDS_DEFAULT; -+ } else { -+ rounds = (unsigned long) *prefered_rounds; -+ } -+ -+ /* Sanity checks. The libc should also check this, but this -+ * protects against a rounds_prefix overflow. */ -+ if (rounds < SM3_ROUNDS_MIN) { -+ rounds = SM3_ROUNDS_MIN; -+ } -+ -+ if (rounds > SM3_ROUNDS_MAX) { -+ rounds = SM3_ROUNDS_MAX; -+ } -+ -+ return rounds; -+} -+ -+/* -+ * Fill a salt prefix specifying the rounds number for the SM3 crypt methods -+ * to a buffer. -+ */ -+static /*@observer@*/void SM3_salt_rounds_to_buf (char *buf, unsigned long rounds) -+{ -+ const size_t buf_begin = strlen (buf); -+ -+ /* Nothing to do here if SM3_ROUNDS_DEFAULT is used. */ -+ if (rounds == SM3_ROUNDS_DEFAULT) { -+ return; -+ } -+ -+ /* -+ * Check if the result buffer is long enough. -+ * We are going to write a maximum of 17 bytes, -+ * plus one byte for the terminator. -+ * rounds=XXXXXXXXX$ -+ * 00000000011111111 -+ * 12345678901234567 -+ */ -+ assert (GENSALT_SETTING_SIZE > buf_begin + 17); -+ -+ (void) snprintf (buf + buf_begin, 18, "rounds=%lu$", rounds); -+} -+#endif /* USE_SM3_CRYPT */ -+ - #ifdef USE_BCRYPT - /* Return the the rounds number for the BCRYPT method. 
*/ - static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds) -@@ -453,7 +542,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size) - * which can both be set inside the login.defs file. - * - * If meth is specified, an additional parameter can be provided. -- * * For the SHA256 and SHA512 method, this specifies the number of rounds -+ * * For the SHA256 and SHA512 and SM3 method, this specifies the number of rounds - * (if not NULL). - * * For the YESCRYPT method, this specifies the cost factor (if not NULL). - */ -@@ -505,6 +594,13 @@ static /*@observer@*/const char *gensalt (size_t salt_size) - rounds = SHA_get_salt_rounds ((int *) arg); - SHA_salt_rounds_to_buf (result, rounds); - #endif /* USE_SHA_CRYPT */ -+#ifdef USE_SM3_CRYPT -+ } else if (0 == strcmp (method, "SM3")) { -+ strcpy(result, "$sm3$"); -+ salt_len = SM3_CRYPT_SALT_SIZE; -+ rounds = SM3_get_salt_rounds ((int *) arg); -+ SM3_salt_rounds_to_buf (result, rounds); -+#endif /* USE_SM3_CRYPT */ - } else if (0 != strcmp (method, "DES")) { - fprintf (shadow_logfd, - _("Invalid ENCRYPT_METHOD value: '%s'.\n" -diff --git a/src/chgpasswd.c b/src/chgpasswd.c -index 56f3e88..f019d99 100644 ---- a/src/chgpasswd.c -+++ b/src/chgpasswd.c -@@ -62,15 +62,18 @@ const char *Prog; - FILE *shadow_logfd = NULL; - static bool eflg = false; - static bool md5flg = false; --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - static bool sflg = false; --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - - static /*@null@*//*@observer@*/const char *crypt_method = NULL; - #define cflg (NULL != crypt_method) - #ifdef USE_SHA_CRYPT - static long sha_rounds = 5000; - #endif -+#ifdef USE_SM3_CRYPT -+static long sm3_rounds = 5000; -+#endif - #ifdef USE_BCRYPT - static long 
bcrypt_rounds = 13; - #endif -@@ -141,6 +144,9 @@ static /*@noreturn@*/void usage (int status) - #endif - #if defined(USE_YESCRYPT) - " YESCRYPT" -+#endif -+#if defined(USE_SM3_CRYPT) -+ " SM3" - #endif - ); - (void) fputs (_(" -e, --encrypted supplied passwords are encrypted\n"), usageout); -@@ -149,11 +155,11 @@ static /*@noreturn@*/void usage (int status) - " the MD5 algorithm\n"), - usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) -+ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n" - " or YESCRYPT crypt algorithms\n"), - usageout); --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - (void) fputs ("\n", usageout); - - exit (status); -@@ -167,22 +173,22 @@ static /*@noreturn@*/void usage (int status) - static void process_flags (int argc, char **argv) - { - int c; --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - int bad_s; --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - static struct option long_options[] = { - {"crypt-method", required_argument, NULL, 'c'}, - {"encrypted", no_argument, NULL, 'e'}, - {"help", no_argument, NULL, 'h'}, - {"md5", no_argument, NULL, 'm'}, - {"root", required_argument, NULL, 'R'}, --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - {"sha-rounds", required_argument, NULL, 's'}, 
--#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - {NULL, 0, NULL, '\0'} - }; - while ((c = getopt_long (argc, argv, --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - "c:ehmR:s:", - #else - "c:ehmR:", -@@ -203,7 +209,7 @@ static void process_flags (int argc, char **argv) - break; - case 'R': /* no-op, handled in process_root_flag () */ - break; --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - case 's': - sflg = true; - bad_s = 0; -@@ -225,6 +231,12 @@ static void process_flags (int argc, char **argv) - bad_s = 1; - } - #endif /* USE_YESCRYPT */ -+#if defined(USE_SM3_CRYPT) -+ if (( (0 == strcmp (crypt_method, "SM3")) -+ && (0 == getlong(optarg, &sm3_rounds)))) { -+ bad_s = 1; -+ } -+#endif /* USE_SM3_CRYPT */ - if (bad_s != 0) { - fprintf (stderr, - _("%s: invalid numeric argument '%s'\n"), -@@ -232,7 +244,7 @@ static void process_flags (int argc, char **argv) - usage (E_USAGE); - } - break; --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - - default: - usage (E_USAGE); -@@ -251,7 +263,7 @@ static void process_flags (int argc, char **argv) - */ - static void check_flags (void) - { --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - if (sflg && !cflg) { - fprintf (stderr, - _("%s: %s flag is only allowed with the %s flag\n"), -@@ -282,6 +294,9 @@ static void check_flags (void) - #ifdef USE_YESCRYPT - && (0 != strcmp (crypt_method, "YESCRYPT")) - #endif /* USE_YESCRYPT */ -+#ifdef USE_SM3_CRYPT -+ && (0 != 
strcmp (crypt_method, "SM3")) -+#endif /* USE_SM3_CRYPT */ - ) { - fprintf (stderr, - _("%s: unsupported crypt method: %s\n"), -@@ -505,7 +520,7 @@ int main (int argc, char **argv) - if (md5flg) { - crypt_method = "MD5"; - } --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - if (sflg) { - #if defined(USE_SHA_CRYPT) - if ( (0 == strcmp (crypt_method, "SHA256")) -@@ -523,6 +538,11 @@ int main (int argc, char **argv) - arg = &yescrypt_cost; - } - #endif /* USE_YESCRYPT */ -+#if defined(USE_SM3_CRYPT) -+ if (0 == strcmp (crypt_method, "SM3")) { -+ arg = &sm3_rounds; -+ } -+#endif /* USE_SM3_CRYPT */ - } - #endif - salt = crypt_make_salt (crypt_method, arg); -diff --git a/src/chpasswd.c b/src/chpasswd.c -index 8a01227..5dfb995 100644 ---- a/src/chpasswd.c -+++ b/src/chpasswd.c -@@ -59,7 +59,7 @@ const char *Prog; - FILE *shadow_logfd = NULL; - static bool eflg = false; - static bool md5flg = false; --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - static bool sflg = false; - #endif - -@@ -68,6 +68,9 @@ static /*@null@*//*@observer@*/const char *crypt_method = NULL; - #ifdef USE_SHA_CRYPT - static long sha_rounds = 5000; - #endif -+#ifdef USE_SM3_CRYPT -+static long sm3_rounds = 5000; -+#endif - #ifdef USE_BCRYPT - static long bcrypt_rounds = 13; - #endif -@@ -134,6 +137,9 @@ static /*@noreturn@*/void usage (int status) - #endif - #if defined(USE_YESCRYPT) - " YESCRYPT" -+#endif -+#if defined(USE_SM3_CRYPT) -+ " SM3" - #endif - ); - (void) fputs (_(" -e, --encrypted supplied passwords are encrypted\n"), usageout); -@@ -142,11 +148,11 @@ static /*@noreturn@*/void usage (int status) - " the MD5 algorithm\n"), - usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); --#if 
defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) -+ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n" - " or YESCRYPT crypt algorithms\n"), - usageout); --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - (void) fputs ("\n", usageout); - - exit (status); -@@ -160,23 +166,23 @@ static /*@noreturn@*/void usage (int status) - static void process_flags (int argc, char **argv) - { - int c; --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - int bad_s; --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - static struct option long_options[] = { - {"crypt-method", required_argument, NULL, 'c'}, - {"encrypted", no_argument, NULL, 'e'}, - {"help", no_argument, NULL, 'h'}, - {"md5", no_argument, NULL, 'm'}, - {"root", required_argument, NULL, 'R'}, --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - {"sha-rounds", required_argument, NULL, 's'}, --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - {NULL, 0, NULL, '\0'} - }; - - while ((c = getopt_long (argc, argv, --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - "c:ehmR:s:", - #else - "c:ehmR:", -@@ -197,7 +203,7 @@ static void process_flags (int argc, char **argv) - 
break; - case 'R': /* no-op, handled in process_root_flag () */ - break; --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - case 's': - sflg = true; - bad_s = 0; -@@ -219,6 +225,12 @@ static void process_flags (int argc, char **argv) - bad_s = 1; - } - #endif /* USE_YESCRYPT */ -+#if defined(USE_SM3_CRYPT) -+ if (( (0 == strcmp (crypt_method, "SM3")) -+ && (0 == getlong(optarg, &sm3_rounds)))) { -+ bad_s = 1; -+ } -+#endif /* USE_SM3_CRYPT */ - if (bad_s != 0) { - fprintf (stderr, - _("%s: invalid numeric argument '%s'\n"), -@@ -226,7 +238,7 @@ static void process_flags (int argc, char **argv) - usage (E_USAGE); - } - break; --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - - default: - usage (E_USAGE); -@@ -245,7 +257,7 @@ static void process_flags (int argc, char **argv) - */ - static void check_flags (void) - { --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - if (sflg && !cflg) { - fprintf (stderr, - _("%s: %s flag is only allowed with the %s flag\n"), -@@ -270,6 +282,9 @@ static void check_flags (void) - && (0 != strcmp (crypt_method, "SHA256")) - && (0 != strcmp (crypt_method, "SHA512")) - #endif /* USE_SHA_CRYPT */ -+#ifdef USE_SM3_CRYPT -+ && (0 != strcmp (crypt_method, "SM3")) -+#endif /* USE_SM3_CRYPT */ - #ifdef USE_BCRYPT - && (0 != strcmp (crypt_method, "BCRYPT")) - #endif /* USE_BCRYPT */ -@@ -556,6 +571,11 @@ int main (int argc, char **argv) - arg = &yescrypt_cost; - } - #endif /* USE_YESCRYPT */ -+#if defined(USE_SM3_CRYPT) -+ if (0 == strcmp (crypt_method, "SM3")) { -+ arg = &sm3_rounds; -+ } -+#endif /* USE_SM3_CRYPT */ - } - #endif - salt = crypt_make_salt (crypt_method, arg); -diff --git 
a/src/newusers.c b/src/newusers.c -index 16bf722..dd101fb 100644 ---- a/src/newusers.c -+++ b/src/newusers.c -@@ -81,12 +81,15 @@ static bool rflg = false; /* create a system account */ - #ifndef USE_PAM - static /*@null@*//*@observer@*/char *crypt_method = NULL; - #define cflg (NULL != crypt_method) --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) - static bool sflg = false; - #endif - #ifdef USE_SHA_CRYPT - static long sha_rounds = 5000; - #endif /* USE_SHA_CRYPT */ -+#ifdef USE_SM3_CRYPT -+static long sm3_rounds = 5000; -+#endif /* USE_SM3_CRYPT */ - #ifdef USE_BCRYPT - static long bcrypt_rounds = 13; - #endif /* USE_BCRYPT */ -@@ -152,6 +155,9 @@ static void usage (int status) - #endif - #if defined(USE_YESCRYPT) - " YESCRYPT" -+#endif -+#if defined(USE_SM3_CRYPT) -+ " SM3" - #endif - ); - #endif /* !USE_PAM */ -@@ -159,11 +165,11 @@ static void usage (int status) - (void) fputs (_(" -r, --system create system accounts\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); - #ifndef USE_PAM --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) -+ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n" - " or YESCRYPT crypt algorithms\n"), - usageout); --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - #endif /* !USE_PAM */ - (void) fputs ("\n", usageout); - -@@ -460,6 +466,13 @@ static int update_passwd (struct passwd *pwd, const char *password) - } - } - #endif /* USE_YESCRYPT */ -+#if defined(USE_SM3_CRYPT) -+ if (sflg) { -+ if (0 == strcmp (crypt_method, "SM3")) { -+ crypt_arg = &sm3_rounds; -+ } -+ } -+#endif /* USE_SM3_CRYPT 
*/ - } - - if ((NULL != crypt_method) && (0 == strcmp(crypt_method, "NONE"))) { -@@ -514,6 +527,13 @@ static int add_passwd (struct passwd *pwd, const char *password) - } - } - #endif /* USE_PAM */ -+#if defined(USE_SM3_CRYPT) -+ if (sflg) { -+ if (0 == strcmp (crypt_method, "SM3")) { -+ crypt_arg = &sm3_rounds; -+ } -+ } -+#endif /* USE_SM3_CRYPT */ - } - - /* -@@ -630,9 +650,9 @@ static int add_passwd (struct passwd *pwd, const char *password) - static void process_flags (int argc, char **argv) - { - int c; --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - int bad_s; --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - static struct option long_options[] = { - {"badnames", no_argument, NULL, 'b'}, - #ifndef USE_PAM -@@ -642,20 +662,20 @@ static void process_flags (int argc, char **argv) - {"system", no_argument, NULL, 'r'}, - {"root", required_argument, NULL, 'R'}, - #ifndef USE_PAM --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - {"sha-rounds", required_argument, NULL, 's'}, --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - #endif /* !USE_PAM */ - {NULL, 0, NULL, '\0'} - }; - - while ((c = getopt_long (argc, argv, - #ifndef USE_PAM --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - "c:bhrs:", --#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT */ -+#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT && !USE_SM3_CRYPT*/ - "c:bhr", --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif 
/* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - #else /* USE_PAM */ - "bhr", - #endif -@@ -678,7 +698,7 @@ static void process_flags (int argc, char **argv) - case 'R': /* no-op, handled in process_root_flag () */ - break; - #ifndef USE_PAM --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - case 's': - sflg = true; - bad_s = 0; -@@ -700,6 +720,12 @@ static void process_flags (int argc, char **argv) - bad_s = 1; - } - #endif /* USE_YESCRYPT */ -+#if defined(USE_SM3_CRYPT) -+ if (( (0 == strcmp (crypt_method, "SM3")) -+ && (0 == getlong(optarg, &sm3_rounds)))) { -+ bad_s = 1; -+ } -+#endif /* USE_SM3_CRYPT */ - if (bad_s != 0) { - fprintf (stderr, - _("%s: invalid numeric argument '%s'\n"), -@@ -707,7 +733,7 @@ static void process_flags (int argc, char **argv) - usage (EXIT_FAILURE); - } - break; --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - #endif /* !USE_PAM */ - default: - usage (EXIT_FAILURE); -@@ -741,14 +767,14 @@ static void process_flags (int argc, char **argv) - static void check_flags (void) - { - #ifndef USE_PAM --#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) -+#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) - if (sflg && !cflg) { - fprintf (stderr, - _("%s: %s flag is only allowed with the %s flag\n"), - Prog, "-s", "-c"); - usage (EXIT_FAILURE); - } --#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ -+#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ - - if (cflg) { - if ( (0 != strcmp (crypt_method, "DES")) -@@ -758,6 +784,9 @@ static void check_flags (void) - && (0 != strcmp (crypt_method, "SHA256")) - && (0 != strcmp (crypt_method, "SHA512")) - #endif /* USE_SHA_CRYPT */ -+#ifdef USE_SM3_CRYPT -+ && (0 
!= strcmp (crypt_method, "SM3")) -+#endif /* USE_SM3_CRYPT */ - #ifdef USE_BCRYPT - && (0 != strcmp (crypt_method, "BCRYPT")) - #endif /* USE_BCRYPT */ -diff --git a/src/passwd.c b/src/passwd.c -index 00cbef6..aa4eb5e 100644 ---- a/src/passwd.c -+++ b/src/passwd.c -@@ -107,7 +107,7 @@ static bool spw_locked = false; - #ifndef USE_PAM - /* - * Size of the biggest passwd: -- * $6$ 3 -+ * $sm3$ 5 - * rounds= 7 - * 999999999 9 - * $ 1 -@@ -116,7 +116,7 @@ static bool spw_locked = false; - * SHA512 123 - * nul 1 - * -- * total 161 -+ * total 163 - */ - static char crypt_passwd[256]; - static bool do_update_pwd = false; -@@ -287,6 +287,9 @@ static int new_password (const struct passwd *pw) - #ifdef USE_YESCRYPT - || (strcmp (method, "YESCRYPT") == 0) - #endif /* USE_YESCRYPT*/ -+#ifdef USE_SM3_CRYPT -+ || (strcmp (method, "SM3") == 0) -+#endif /* USE_SM3_CRYPT*/ - - ) { - pass_max_len = -1; --- -2.27.0 - +From d7fa75bbd22a08b4e0b8c7e3ccab588c87d23835 Mon Sep 17 00:00:00 2001 +From: root +Date: Wed, 29 Dec 2021 16:05:56 +0800 +Subject: [PATCH] shadow add sm3 crypt support + +--- + configure.ac | 9 ++++ + etc/login.defs | 17 ++++++++ + lib/encrypt.c | 3 ++ + lib/getdef.c | 4 ++ + libmisc/obscure.c | 3 ++ + libmisc/salt.c | 106 +++++++++++++++++++++++++++++++++++++++++++--- + src/chgpasswd.c | 48 +++++++++++++++------ + src/chpasswd.c | 46 ++++++++++++++------ + src/newusers.c | 61 +++++++++++++++++++------- + src/passwd.c | 7 ++- + 10 files changed, 254 insertions(+), 50 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 924254a..dde1de8 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -274,6 +274,9 @@ AC_ARG_WITH(libcrack, + AC_ARG_WITH(sha-crypt, + [AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])], + [with_sha_crypt=$withval], [with_sha_crypt=yes]) ++AC_ARG_WITH(sm3-crypt, ++ [AC_HELP_STRING([--with-sm3-crypt], [allow the SM3 password encryption algorithms @<:@default=yes@:>@])], ++ 
[with_sm3_crypt=$withval], [with_sm3_crypt=yes]) + AC_ARG_WITH(bcrypt, + [AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])], + [with_bcrypt=$withval], [with_bcrypt=no]) +@@ -307,6 +310,11 @@ if test "$with_sha_crypt" = "yes"; then + AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms]) + fi + ++AM_CONDITIONAL(USE_SM3_CRYPT, test "x$with_sm3_crypt" = "xyes") ++if test "$with_sm3_crypt" = "yes"; then ++ AC_DEFINE(USE_SM3_CRYPT, 1, [Define to allow the SM3 password encryption algorithms]) ++fi ++ + AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes") + if test "$with_bcrypt" = "yes"; then + AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm]) +@@ -752,6 +760,7 @@ echo " tcb support (incomplete): $with_tcb" + echo " shadow group support: $enable_shadowgrp" + echo " S/Key support: $with_skey" + echo " SHA passwords encryption: $with_sha_crypt" ++echo " SM3 passwords encryption: $with_sm3_crypt" + echo " bcrypt passwords encryption: $with_bcrypt" + echo " yescrypt passwords encryption: $with_yescrypt" + echo " nscd support: $with_nscd" +diff --git a/etc/login.defs b/etc/login.defs +index 114dbcd..fd310b7 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -353,6 +353,23 @@ CHFN_RESTRICT rwh + #SHA_CRYPT_MIN_ROUNDS 5000 + #SHA_CRYPT_MAX_ROUNDS 5000 + ++# ++# Only works if ENCRYPT_METHOD is set to SM3. ++# ++# Define the number of SM3 rounds. ++# With a lot of rounds, it is more difficult to brute-force the password. ++# However, more CPU resources will be needed to authenticate users if ++# this value is increased. ++# ++# If not specified, the libc will choose the default number of rounds (5000), ++# which is orders of magnitude too low for modern hardware. ++# The values must be within the 1000-999999999 range. ++# If only one of the MIN or MAX values is set, then this value will be used. 
++# If MIN > MAX, the highest value will be used. ++# ++#SM3_CRYPT_MAX_ROUNDS 5000 ++#SM3_CRYPT_MIN_ROUNDS 5000 ++ + # + # Only works if ENCRYPT_METHOD is set to BCRYPT. + # +diff --git a/lib/encrypt.c b/lib/encrypt.c +index c84a255..11b301b 100644 +--- a/lib/encrypt.c ++++ b/lib/encrypt.c +@@ -52,6 +52,9 @@ + case '6': + method = "SHA512"; + break; ++ case 's': // salt = $sm3$... ++ method = "SM3"; ++ break; + case 'y': + method = "YESCRYPT"; + break; +diff --git a/lib/getdef.c b/lib/getdef.c +index dcd1fe7..9a8089a 100644 +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -102,6 +102,10 @@ static struct itemdef def_table[] = { + {"SHA_CRYPT_MAX_ROUNDS", NULL}, + {"SHA_CRYPT_MIN_ROUNDS", NULL}, + #endif ++#ifdef USE_SM3_CRYPT ++ {"SM3_CRYPT_MAX_ROUNDS", NULL}, ++ {"SM3_CRYPT_MIN_ROUNDS", NULL}, ++#endif + #ifdef USE_BCRYPT + {"BCRYPT_MAX_ROUNDS", NULL}, + {"BCRYPT_MIN_ROUNDS", NULL}, +diff --git a/libmisc/obscure.c b/libmisc/obscure.c +index 3daaa95..644259d 100644 +--- a/libmisc/obscure.c ++++ b/libmisc/obscure.c +@@ -246,6 +246,9 @@ static /*@observer@*//*@null@*/const char *obscure_msg ( + || (strcmp (result, "SHA256") == 0) + || (strcmp (result, "SHA512") == 0) + #endif ++#ifdef USE_SM3_CRYPT ++ || (strcmp (result, "SM3") == 0) ++#endif + #ifdef USE_BCRYPT + || (strcmp (result, "BCRYPT") == 0) + #endif +diff --git a/libmisc/salt.c b/libmisc/salt.c +index e5f633a..df4b328 100644 +--- a/libmisc/salt.c ++++ b/libmisc/salt.c +@@ -63,6 +63,17 @@ + #define SHA_ROUNDS_MAX 999999999 + #endif + ++#ifdef USE_SM3_CRYPT ++/* Fixed salt len for sm3 crypt. */ ++#define SM3_CRYPT_SALT_SIZE 16 ++/* Default number of rounds if not explicitly specified. */ ++#define SM3_ROUNDS_DEFAULT 5000 ++/* Minimum number of rounds. */ ++#define SM3_ROUNDS_MIN 1000 ++/* Maximum number of rounds. */ ++#define SM3_ROUNDS_MAX 999999999 ++#endif ++ + #ifdef USE_YESCRYPT + /* + * Default number of base64 characters used for the salt. 
+@@ -95,13 +106,17 @@ static long read_random_bytes (void); + #if !USE_XCRYPT_GENSALT + static /*@observer@*/const char *gensalt (size_t salt_size); + #endif /* !USE_XCRYPT_GENSALT */ +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) + static long shadow_random (long min, long max); +-#endif /* USE_SHA_CRYPT || USE_BCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_SM3_CRYPT*/ + #ifdef USE_SHA_CRYPT + static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds); + static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds); + #endif /* USE_SHA_CRYPT */ ++#ifdef USE_SM3_CRYPT ++static /*@observer@*/const unsigned long SM3_get_salt_rounds (/*@null@*/int *prefered_rounds); ++static /*@observer@*/void SM3_salt_rounds_to_buf (char *buf, unsigned long rounds); ++#endif + #ifdef USE_BCRYPT + static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds); + static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds); +@@ -195,7 +210,7 @@ end: + return randval; + } + +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) + /* + * Return a random number between min and max (both included). + * +@@ -217,7 +232,7 @@ static long shadow_random (long min, long max) + } + return ret; + } +-#endif /* USE_SHA_CRYPT || USE_BCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_SM3_CRYPT*/ + + #ifdef USE_SHA_CRYPT + /* Return the the rounds number for the SHA crypt methods. */ +@@ -293,6 +308,80 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round + } + #endif /* USE_SHA_CRYPT */ + ++#ifdef USE_SM3_CRYPT ++/* Return the the rounds number for the SM3 crypt methods. 
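Review bot: The SM3 rounds value is stored as a `long` but read back through an `int *`: the prototype added in this libmisc/salt.c hunk takes `int *prefered_rounds`, the later call is `SM3_get_salt_rounds ((int *) arg)`, and src/chgpasswd.c, src/chpasswd.c and src/newusers.c all pass `&sm3_rounds`, where `sm3_rounds` is `static long`. Where `long` is wider than `int` this reads only part of the object, so on a big-endian 64-bit target a `-s` value would presumably be seen as 0 and silently replaced by the 5000-round default, which is a weaker work factor than the administrator asked for. The definition hunk (`@@ -293,6 +308,80 @@`) and the call hunk (`@@ -515,6 +604,13 @@`) carry the same mismatch; I would make the parameter match the storage, `static unsigned long SM3_get_salt_rounds (/*@null@*/const long *prefered_rounds);`, with `(const long *) arg` at the call. The leading `const` on the by-value return type has no effect and can be dropped, as in the SHA and BCRYPT prototypes next to it.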
*/ ++static /*@observer@*/const unsigned long SM3_get_salt_rounds (/*@null@*/int *prefered_rounds) ++{ ++ unsigned long rounds; ++ ++ if (NULL == prefered_rounds) { ++ long min_rounds = getdef_long ("SM3_CRYPT_MIN_ROUNDS", -1); ++ long max_rounds = getdef_long ("SM3_CRYPT_MAX_ROUNDS", -1); ++ ++ if ((-1 == min_rounds) && (-1 == max_rounds)) { ++ rounds = SM3_ROUNDS_DEFAULT; ++ } ++ else { ++ if (-1 == min_rounds) { ++ min_rounds = max_rounds; ++ } ++ ++ if (-1 == max_rounds) { ++ max_rounds = min_rounds; ++ } ++ ++ if (min_rounds > max_rounds) { ++ max_rounds = min_rounds; ++ } ++ ++ rounds = (unsigned long) shadow_random (min_rounds, max_rounds); ++ } ++ } else if (0 == *prefered_rounds) { ++ rounds = SM3_ROUNDS_DEFAULT; ++ } else { ++ rounds = (unsigned long) *prefered_rounds; ++ } ++ ++ /* Sanity checks. The libc should also check this, but this ++ * protects against a rounds_prefix overflow. */ ++ if (rounds < SM3_ROUNDS_MIN) { ++ rounds = SM3_ROUNDS_MIN; ++ } ++ ++ if (rounds > SM3_ROUNDS_MAX) { ++ rounds = SM3_ROUNDS_MAX; ++ } ++ ++ return rounds; ++} ++ ++/* ++ * Fill a salt prefix specifying the rounds number for the SM3 crypt methods ++ * to a buffer. ++ */ ++static /*@observer@*/void SM3_salt_rounds_to_buf (char *buf, unsigned long rounds) ++{ ++ const size_t buf_begin = strlen (buf); ++ ++ /* Nothing to do here if SM3_ROUNDS_DEFAULT is used. */ ++ if (rounds == SM3_ROUNDS_DEFAULT) { ++ return; ++ } ++ ++ /* ++ * Check if the result buffer is long enough. ++ * We are going to write a maximum of 17 bytes, ++ * plus one byte for the terminator. ++ * rounds=XXXXXXXXX$ ++ * 00000000011111111 ++ * 12345678901234567 ++ */ ++ assert (GENSALT_SETTING_SIZE > buf_begin + 17); ++ ++ (void) snprintf (buf + buf_begin, 18, "rounds=%lu$", rounds); ++} ++#endif /* USE_SM3_CRYPT */ ++ + #ifdef USE_BCRYPT + /* Return the the rounds number for the BCRYPT method. 
*/ + static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds) +@@ -463,7 +552,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size) + * which can both be set inside the login.defs file. + * + * If meth is specified, an additional parameter can be provided. +- * * For the SHA256 and SHA512 method, this specifies the number of rounds ++ * * For the SHA256 and SHA512 and SM3 method, this specifies the number of rounds + * (if not NULL). + * * For the YESCRYPT method, this specifies the cost factor (if not NULL). + */ +@@ -515,6 +604,13 @@ static /*@observer@*/const char *gensalt (size_t salt_size) + rounds = SHA_get_salt_rounds ((int *) arg); + SHA_salt_rounds_to_buf (result, rounds); + #endif /* USE_SHA_CRYPT */ ++#ifdef USE_SM3_CRYPT ++ } else if (0 == strcmp (method, "SM3")) { ++ strcpy(result, "$sm3$"); ++ salt_len = SM3_CRYPT_SALT_SIZE; ++ rounds = SM3_get_salt_rounds ((int *) arg); ++ SM3_salt_rounds_to_buf (result, rounds); ++#endif /* USE_SM3_CRYPT */ + } else if (0 != strcmp (method, "DES")) { + fprintf (log_get_logfd(), + _("Invalid ENCRYPT_METHOD value: '%s'.\n" +diff --git a/src/chgpasswd.c b/src/chgpasswd.c +index d17acb6..9b00520 100644 +--- a/src/chgpasswd.c ++++ b/src/chgpasswd.c +@@ -39,15 +39,18 @@ + const char *Prog; + static bool eflg = false; + static bool md5flg = false; +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + static bool sflg = false; +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ + + static /*@null@*//*@observer@*/const char *crypt_method = NULL; + #define cflg (NULL != crypt_method) + #ifdef USE_SHA_CRYPT + static long sha_rounds = 5000; + #endif ++#ifdef USE_SM3_CRYPT ++static long sm3_rounds = 5000; ++#endif + #ifdef USE_BCRYPT + static long bcrypt_rounds = 13; + 
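Review bot: In `SM3_get_salt_rounds` (libmisc/salt.c) a negative `*prefered_rounds` is converted with `rounds = (unsigned long) *prefered_rounds;` and then clamped down to `SM3_ROUNDS_MAX`, so a mistyped negative `-s` value ends up requesting 999999999 rounds instead of being rejected. Checking the sign before the cast, for example `} else if (*prefered_rounds <= 0) { rounds = SM3_ROUNDS_DEFAULT;` in place of the `0 == *prefered_rounds` test, keeps the result within what the caller could plausibly have meant. Separately, in `SM3_salt_rounds_to_buf` the only check that `buf` has room is an `assert`, which is compiled out if the build defines `NDEBUG`, while the `snprintf` bound is the constant 18 rather than the space actually left. A runtime check such as `if (buf_begin + 17 >= GENSALT_SETTING_SIZE) { return; }` ahead of the write would keep the bound meaningful in release builds, assuming `buf` is `GENSALT_SETTING_SIZE` bytes as the assert implies.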
#endif +@@ -119,6 +122,9 @@ static /*@noreturn@*/void usage (int status) + #if defined(USE_YESCRYPT) + " YESCRYPT" + #endif ++#if defined(USE_SM3_CRYPT) ++ " SM3" ++ #endif + ); + (void) fputs (_(" -e, --encrypted supplied passwords are encrypted\n"), usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); +@@ -126,11 +132,11 @@ static /*@noreturn@*/void usage (int status) + " the MD5 algorithm\n"), + usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) +- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) ++ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n" + " or YESCRYPT crypt algorithms\n"), + usageout); +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ + (void) fputs ("\n", usageout); + + exit (status); +@@ -144,22 +150,22 @@ static /*@noreturn@*/void usage (int status) + static void process_flags (int argc, char **argv) + { + int c; +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + int bad_s; +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ + static struct option long_options[] = { + {"crypt-method", required_argument, NULL, 'c'}, + {"encrypted", no_argument, NULL, 'e'}, + {"help", no_argument, NULL, 'h'}, + {"md5", no_argument, NULL, 'm'}, + {"root", required_argument, NULL, 'R'}, +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) 
+ {"sha-rounds", required_argument, NULL, 's'}, +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ + {NULL, 0, NULL, '\0'} + }; + while ((c = getopt_long (argc, argv, +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + "c:ehmR:s:", + #else + "c:ehmR:", +@@ -180,7 +186,7 @@ static void process_flags (int argc, char **argv) + break; + case 'R': /* no-op, handled in process_root_flag () */ + break; +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + case 's': + sflg = true; + bad_s = 0; +@@ -202,6 +208,12 @@ static void process_flags (int argc, char **argv) + bad_s = 1; + } + #endif /* USE_YESCRYPT */ ++#if defined(USE_SM3_CRYPT) ++ if (( (0 == strcmp (crypt_method, "SM3")) ++ && (0 == getlong(optarg, &sm3_rounds)))) { ++ bad_s = 1; ++ } ++#endif /* USE_SM3_CRYPT */ + if (bad_s != 0) { + fprintf (stderr, + _("%s: invalid numeric argument '%s'\n"), +@@ -209,7 +221,7 @@ static void process_flags (int argc, char **argv) + usage (E_USAGE); + } + break; +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ + + default: + usage (E_USAGE); +@@ -228,7 +240,7 @@ static void process_flags (int argc, char **argv) + */ + static void check_flags (void) + { +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + if (sflg && !cflg) { + fprintf (stderr, + _("%s: %s flag is only allowed with the %s flag\n"), +@@ -259,6 +271,9 @@ static void check_flags (void) + #ifdef USE_YESCRYPT + && (0 != strcmp (crypt_method, "YESCRYPT")) + #endif /* 
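Review bot: The SM3 test added to the `case 's'` branch of `process_flags` in src/chgpasswd.c calls `strcmp (crypt_method, "SM3")` while options are still being parsed, and `crypt_method` is initialised to NULL, so `-s` given before `-c` would pass NULL to `strcmp`. The `sflg && !cflg` rejection sits in `check_flags`, which presumably runs only after the option loop, and the identical blocks added to src/chpasswd.c and src/newusers.c have the same exposure. At minimum guard the dereference: `if ((NULL != crypt_method) && (0 == strcmp (crypt_method, "SM3")) && (0 == getlong (optarg, &sm3_rounds)))`. Parsing the rounds after the loop, once the method is known, would also stop `-s N -c SM3` from silently ignoring N. The enclosing function starts and ends outside this hunk.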
USE_YESCRYPT */ ++#ifdef USE_SM3_CRYPT ++ && (0 != strcmp (crypt_method, "SM3")) ++#endif /* USE_SM3_CRYPT */ + ) { + fprintf (stderr, + _("%s: unsupported crypt method: %s\n"), +@@ -483,7 +498,7 @@ int main (int argc, char **argv) + if (md5flg) { + crypt_method = "MD5"; + } +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + if (sflg) { + #if defined(USE_SHA_CRYPT) + if ( (0 == strcmp (crypt_method, "SHA256")) +@@ -501,6 +516,11 @@ int main (int argc, char **argv) + arg = &yescrypt_cost; + } + #endif /* USE_YESCRYPT */ ++#if defined(USE_SM3_CRYPT) ++ if (0 == strcmp (crypt_method, "SM3")) { ++ arg = &sm3_rounds; ++ } ++#endif /* USE_SM3_CRYPT */ + } + #endif + salt = crypt_make_salt (crypt_method, arg); +diff --git a/src/chpasswd.c b/src/chpasswd.c +index 48d5178..9003c18 100644 +--- a/src/chpasswd.c ++++ b/src/chpasswd.c +@@ -38,7 +38,7 @@ + const char *Prog; + static bool eflg = false; + static bool md5flg = false; +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + static bool sflg = false; + #endif + +@@ -47,6 +47,9 @@ static /*@null@*//*@observer@*/const char *crypt_method = NULL; + #ifdef USE_SHA_CRYPT + static long sha_rounds = 5000; + #endif ++#ifdef USE_SM3_CRYPT ++static long sm3_rounds = 5000; ++#endif + #ifdef USE_BCRYPT + static long bcrypt_rounds = 13; + #endif +@@ -113,6 +116,9 @@ static /*@noreturn@*/void usage (int status) + #endif + #if defined(USE_YESCRYPT) + " YESCRYPT" ++#endif ++#if defined(USE_SM3_CRYPT) ++ " SM3" + #endif + ); + (void) fputs (_(" -e, --encrypted supplied passwords are encrypted\n"), usageout); +@@ -121,11 +127,11 @@ static /*@noreturn@*/void usage (int status) + " the MD5 algorithm\n"), + usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot 
into\n"), usageout); +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) +- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) ++ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n" + " or YESCRYPT crypt algorithms\n"), + usageout); +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + (void) fputs ("\n", usageout); + + exit (status); +@@ -139,23 +145,23 @@ static /*@noreturn@*/void usage (int status) + static void process_flags (int argc, char **argv) + { + int c; +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + int bad_s; +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + static struct option long_options[] = { + {"crypt-method", required_argument, NULL, 'c'}, + {"encrypted", no_argument, NULL, 'e'}, + {"help", no_argument, NULL, 'h'}, + {"md5", no_argument, NULL, 'm'}, + {"root", required_argument, NULL, 'R'}, +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + {"sha-rounds", required_argument, NULL, 's'}, +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + {NULL, 0, NULL, '\0'} + }; + + while ((c = getopt_long (argc, argv, +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + "c:ehmR:s:", + #else + "c:ehmR:", +@@ -176,7 +182,7 @@ static void 
process_flags (int argc, char **argv) + break; + case 'R': /* no-op, handled in process_root_flag () */ + break; +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + case 's': + sflg = true; + bad_s = 0; +@@ -198,14 +204,20 @@ static void process_flags (int argc, char **argv) + bad_s = 1; + } + #endif /* USE_YESCRYPT */ +- if (bad_s != 0) { ++#if defined(USE_SM3_CRYPT) ++ if (( (0 == strcmp (crypt_method, "SM3")) ++ && (0 == getlong(optarg, &sm3_rounds)))) { ++ bad_s = 1; ++ } ++#endif /* USE_SM3_CRYPT */ ++ if (bad_s != 0) { + fprintf (stderr, + _("%s: invalid numeric argument '%s'\n"), + Prog, optarg); + usage (E_USAGE); + } + break; +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT*/ + + default: + usage (E_USAGE); +@@ -224,7 +236,7 @@ static void process_flags (int argc, char **argv) + */ + static void check_flags (void) + { +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + if (sflg && !cflg) { + fprintf (stderr, + _("%s: %s flag is only allowed with the %s flag\n"), +@@ -249,6 +261,9 @@ static void check_flags (void) + &&(!IS_CRYPT_METHOD("SHA256")) + &&(!IS_CRYPT_METHOD("SHA512")) + #endif /* USE_SHA_CRYPT */ ++#ifdef USE_SM3_CRYPT ++ && (0 != strcmp (crypt_method, "SM3")) ++#endif /* USE_SM3_CRYPT */ + #ifdef USE_BCRYPT + &&(!IS_CRYPT_METHOD("BCRYPT")) + #endif /* USE_BCRYPT */ +@@ -422,6 +437,11 @@ static const char *get_salt(void) + arg = &yescrypt_cost; + } + #endif /* USE_YESCRYPT */ ++#if defined(USE_SM3_CRYPT) ++ if (0 == strcmp (crypt_method, "SM3")) { ++ arg = &sm3_rounds; ++ } ++#endif /* USE_SM3_CRYPT */ + } + #endif + return crypt_make_salt (crypt_method, arg); +diff --git a/src/newusers.c b/src/newusers.c 
+index deeb361..149670e 100644 +--- a/src/newusers.c ++++ b/src/newusers.c +@@ -58,12 +58,15 @@ static bool rflg = false; /* create a system account */ + #ifndef USE_PAM + static /*@null@*//*@observer@*/char *crypt_method = NULL; + #define cflg (NULL != crypt_method) +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT) + static bool sflg = false; + #endif + #ifdef USE_SHA_CRYPT + static long sha_rounds = 5000; + #endif /* USE_SHA_CRYPT */ ++#ifdef USE_SM3_CRYPT ++static long sm3_rounds = 5000; ++#endif /* USE_SM3_CRYPT */ + #ifdef USE_BCRYPT + static long bcrypt_rounds = 13; + #endif /* USE_BCRYPT */ +@@ -129,6 +132,9 @@ static void usage (int status) + #endif + #if defined(USE_YESCRYPT) + " YESCRYPT" ++#endif ++#if defined(USE_SM3_CRYPT) ++ " SM3" + #endif + ); + #endif /* !USE_PAM */ +@@ -136,11 +142,11 @@ static void usage (int status) + (void) fputs (_(" -r, --system create system accounts\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + #ifndef USE_PAM +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) +- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) ++ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n" + " or YESCRYPT crypt algorithms\n"), + usageout); +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + #endif /* !USE_PAM */ + (void) fputs ("\n", usageout); + +@@ -436,6 +442,13 @@ static int update_passwd (struct passwd *pwd, const char *password) + } + } + #endif /* USE_YESCRYPT */ ++#if defined(USE_SM3_CRYPT) ++ if (sflg) { ++ if (0 == strcmp (crypt_method, "SM3")) { ++ crypt_arg = &sm3_rounds; ++ } ++ } ++#endif /* USE_SM3_CRYPT */ + } + + if ((NULL != 
crypt_method) && (0 == strcmp(crypt_method, "NONE"))) { +@@ -492,6 +505,13 @@ static int add_passwd (struct passwd *pwd, const char *password) + } + } + #endif /* USE_PAM */ ++#if defined(USE_SM3_CRYPT) ++ if (sflg) { ++ if (0 == strcmp (crypt_method, "SM3")) { ++ crypt_arg = &sm3_rounds; ++ } ++ } ++#endif /* USE_SM3_CRYPT */ + } + + /* +@@ -609,9 +629,9 @@ static void process_flags (int argc, char **argv) + { + int c; + #ifndef USE_PAM +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + int bad_s; +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + #endif /* !USE_PAM */ + static struct option long_options[] = { + {"badname", no_argument, NULL, 'b'}, +@@ -622,20 +642,20 @@ static void process_flags (int argc, char **argv) + {"system", no_argument, NULL, 'r'}, + {"root", required_argument, NULL, 'R'}, + #ifndef USE_PAM +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + {"sha-rounds", required_argument, NULL, 's'}, +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + #endif /* !USE_PAM */ + {NULL, 0, NULL, '\0'} + }; + + while ((c = getopt_long (argc, argv, + #ifndef USE_PAM +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + "c:bhrs:", +-#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT */ ++#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT && !USE_SM3_CRYPT */ + "c:bhr", +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ 
+ #else /* USE_PAM */ + "bhr", + #endif +@@ -658,7 +678,7 @@ static void process_flags (int argc, char **argv) + case 'R': /* no-op, handled in process_root_flag () */ + break; + #ifndef USE_PAM +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + case 's': + sflg = true; + bad_s = 0; +@@ -680,14 +700,20 @@ static void process_flags (int argc, char **argv) + bad_s = 1; + } + #endif /* USE_YESCRYPT */ +- if (bad_s != 0) { ++#if defined(USE_SM3_CRYPT) ++ if (( (0 == strcmp (crypt_method, "SM3")) ++ && (0 == getlong(optarg, &sm3_rounds)))) { ++ bad_s = 1; ++ } ++#endif /* USE_SM3_CRYPT */ ++ if (bad_s != 0) { + fprintf (stderr, + _("%s: invalid numeric argument '%s'\n"), + Prog, optarg); + usage (EXIT_FAILURE); + } + break; +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + #endif /* !USE_PAM */ + default: + usage (EXIT_FAILURE); +@@ -721,14 +747,14 @@ static void process_flags (int argc, char **argv) + static void check_flags (void) + { + #ifndef USE_PAM +-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) ++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT) + if (sflg && !cflg) { + fprintf (stderr, + _("%s: %s flag is only allowed with the %s flag\n"), + Prog, "-s", "-c"); + usage (EXIT_FAILURE); + } +-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ ++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */ + + if (cflg) { + if ( (0 != strcmp (crypt_method, "DES")) +@@ -738,6 +764,9 @@ static void check_flags (void) + && (0 != strcmp (crypt_method, "SHA256")) + && (0 != strcmp (crypt_method, "SHA512")) + #endif /* USE_SHA_CRYPT */ ++#ifdef USE_SM3_CRYPT ++ && (0 != strcmp (crypt_method, "SM3")) ++#endif /* USE_SM3_CRYPT */ + #ifdef USE_BCRYPT + && (0 != 
strcmp (crypt_method, "BCRYPT")) + #endif /* USE_BCRYPT */ +diff --git a/src/passwd.c b/src/passwd.c +index 8c6f81a..00711da 100644 +--- a/src/passwd.c ++++ b/src/passwd.c +@@ -84,7 +84,7 @@ static bool spw_locked = false; + #ifndef USE_PAM + /* + * Size of the biggest passwd: +- * $6$ 3 ++ * $sm3$ 5 + * rounds= 7 + * 999999999 9 + * $ 1 +@@ -93,7 +93,7 @@ static bool spw_locked = false; + * SHA512 123 + * nul 1 + * +- * total 161 ++ * total 163 + */ + static char crypt_passwd[256]; + static bool do_update_pwd = false; +@@ -263,6 +263,9 @@ static int new_password (const struct passwd *pw) + #ifdef USE_YESCRYPT + || (strcmp (method, "YESCRYPT") == 0) + #endif /* USE_YESCRYPT*/ ++#ifdef USE_SM3_CRYPT ++ || (strcmp (method, "SM3") == 0) ++#endif /* USE_SM3_CRYPT*/ + + ) { + pass_max_len = -1; +-- +2.27.0 + diff --git a/shadow.spec b/shadow.spec index a4e18d6..6c8d180 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,11 +1,11 @@ Name: shadow -Version: 4.9 -Release: 8 +Version: 4.13 +Release: 1 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files URL: http://pkg-shadow.alioth.debian.org/ -Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz +Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source2: shadow-utils.useradd Source3: shadow-utils.login.defs Source4: shadow-bsd.txt 
@@ -16,39 +16,9 @@ Source7: newusers %global includesubiddir %{_includedir}/shadow # fix unknown item 'LASTLOG_MAX_UID' -Patch0: shadow-4.8-goodname.patch -Patch1: shadow-4.9-null-tm.patch -Patch2: shadow-4.8-long-entry.patch -Patch3: usermod-unlock.patch -Patch4: useradd-create-directories-after-the-SELinux-user.patch -Patch5: Makefile-include-libeconf-dependency-in-new-idmap.patch -Patch6: usermod-allow-all-group-types-with-G-option.patch -Patch7: useradd-avoid-generating-an-empty-subid-range.patch -Patch8: libmisc-fix-default-value-in-SHA_get_salt_rounds.patch -Patch9: semanage-close-the-selabel-handle.patch -Patch10: Revert-useradd.c-fix-memleaks-of-grp.patch -Patch11: useradd-change-SELinux-labels-for-home-files.patch -Patch12: libsubid-link-to-PAM-libraries.patch -Patch13: Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch -Patch14: Respect-enable-static-no-in-libsubid.patch -Patch15: Fixes-the-linking-issues-when-libsubid-is-static-and.patch -Patch16: pwck-fix-segfault-when-calling-fprintf.patch -Patch17: newgrp-fix-segmentation-fault.patch -Patch18: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch -Patch19: backport-useradd-modify-check-ID-range-for-system-users.patch -Patch20: shadow-add-sm3-crypt-support.patch -Patch21: backport-Add-header-guards.patch -Patch22: backport-Change-to-strncat.patch -Patch23: backport-Do-not-return-garbage-in-run_parts.patch -Patch24: backport-Handle-ERANGE-error-correctly.patch -Patch25: backport-Initialize-local-variables.patch -Patch26: backport-Remove-commented-out-code-and-FIXMEs.patch -Patch27: backport-Remove-redeclared-variable.patch -Patch28: backport-libmisc-add-check-fopen-return-value-in-read_random_.patch -Patch29: backport-passwd-erase-password-copy-on-all-error-branches.patch -Patch30: backport-chpasswd-add-get_salt-for-generating-salt-value.patch -Patch31: backport-chpasswd-fix-function-problem-with-R-parameter.patch -Patch32: backport-useradd-check-if-subid-range-exists-for-user.patch +Patch0: 
usermod-unlock.patch +Patch1: backport-useradd-check-if-subid-range-exists-for-user.patch +Patch2: shadow-add-sm3-crypt-support.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -61,8 +31,8 @@ Requires(pre): coreutils Requires(post): coreutils Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Provides: shadow-utils -Obsoletes: shadow-utils +Provides: shadow-utils = %{version}-%{release} +Obsoletes: shadow-utils < %{version}-%{release} %description This package includes the necessary programs for converting plain @@ -176,7 +146,7 @@ mkdir -p $RPM_BUILD_ROOT/%{includesubiddir} install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/ # Remove .la files created by libsubid -rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la +rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %files -f shadow.lang %doc NEWS doc/HOWTO README @@ -194,6 +164,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_sbindir}/adduser %attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/group* +%{_bindir}/getsubids %{_sbindir}/grpck %{_sbindir}/pwck %{_sbindir}/*conv @@ -215,7 +186,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_mandir}/*/* %changelog -* Thu Dec 1 2022 xiongshenglan - 2:4.9-8 +* Wed Feb 8 2023 yunjia_w - 2:4.13-1 +- update version to 4.13 + +* Thu Dec 1 2022 xiongshenglan - 2:4.9-8 - backport useradd check if subid range exists for user * Tue Nov 22 2022 yunjia_w - 2:4.9-7 @@ -224,7 +198,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la * Mon Oct 31 2022 yunjia_w - 2:4.9-6 - add some backport to optimize some functions -* Sat Mar 26 2022 fushanqing - 2:4.9-5 +* Tue Aug 23 2022 fushanqing - 2:4.9-5 - remove patch 'shadow-4.1.5.1-var-lock.patch' and 'shadow-utils-fix-lock-file-residue.patch' * Tue Aug 2 2022 zhengxiaoxiao - 2:4.9-4 
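Review bot: The patch list shrinks from 33 entries to 3, but the only record of it is the changelog line `- update version to 4.13`, so a reader cannot tell which fixes were dropped because 4.13 already contains them and which were dropped outright. That matters for entries such as `backport-passwd-erase-password-copy-on-all-error-branches.patch` and `pwck-fix-segfault-when-calling-fprintf.patch`, and for the ones whose names suggest downstream-only changes (`shadow-4.8-goodname.patch`, `shadow-4.8-long-entry.patch`, `shadow-4.9-null-tm.patch`); whether 4.13 carries equivalents is not visible from this hunk. I would add one changelog line per group, for example `- drop patches merged upstream in 4.13` and `- drop downstream patches goodname, long-entry, null-tm: <reason>`. The comment `# fix unknown item 'LASTLOG_MAX_UID'` also does not describe the patch directly below it, which is now `usermod-unlock.patch`.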
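Review bot: The new versioned `Provides:` and `Obsoletes:` leave out the epoch although the spec sets `Epoch: 2`, and RPM treats a dependency version with no epoch as epoch 0. As written, the package provides `shadow-utils` at epoch 0, so a dependent that requires `shadow-utils` with an epoch-qualified version would not be satisfied, and the `Obsoletes:` would not match an installed `shadow-utils` that has a non-zero epoch; whether such packages exist in this distribution is not visible here. I would write `Provides: shadow-utils = %{epoch}:%{version}-%{release}` and `Obsoletes: shadow-utils < %{epoch}:%{version}-%{release}`.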
diff --git a/useradd-avoid-generating-an-empty-subid-range.patch b/useradd-avoid-generating-an-empty-subid-range.patch
deleted file mode 100644
index 7f0ffb2..0000000
--- a/useradd-avoid-generating-an-empty-subid-range.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 9dd720a28578eef5be8171697aae0906e4c53249 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Tue, 10 Aug 2021 09:07:03 +0200
-Subject: [PATCH] useradd: avoid generating an empty subid range
-
-useradd generates an empty subid range when adding a new user. This is
-caused because there are two variables, one local and the other one
-global, that have a very similar name and they are used indistinctly in
-the code. The local variable loads the SUB_*ID_COUNT configuration from
-the login.defs file, while the global variable, which holds a value of
-0, is used to generate the subid range. Causing the empty subid range
-problem.
-
-I've merged the two variables in the local one and removed the global
-variable. I prefer to do it this way to reduce the scope of it but I'm
-open to doing it the other way round.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1990653
-
-Signed-off-by: Iker Pedrosa
-Conflict: context adaptation
----
- src/useradd.c | 20 +++++++++-----------
- 1 file changed, 9 insertions(+), 11 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index baeffb3..9abeea6 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
- static bool sub_uid_locked = false;
- static bool sub_gid_locked = false;
- static uid_t sub_uid_start; /* New subordinate uid range */
--static unsigned long sub_uid_count;
- static gid_t sub_gid_start; /* New subordinate gid range */
--static unsigned long sub_gid_count;
- #endif /* ENABLE_SUBIDS */
- static bool pw_locked = false;
- static bool gr_locked = false;
-@@ -234,7 +232,7 @@ static void open_shadow (void);
- static void faillog_reset (uid_t);
- static void lastlog_reset (uid_t);
- static void tallylog_reset (const char *);
--static void usr_update (void);
-+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
- static void create_home (void);
- static void create_mail (void);
- static void check_uid_range(int rflg, uid_t user_id);
-@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
- * usr_update() creates the password file entries for this user
- * and will update the group entries if required.
- */
--static void usr_update (void)
-+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
- {
- struct passwd pwent;
- struct spwd spent;
-@@ -2155,14 +2153,14 @@ static void usr_update (void)
- }
- #ifdef ENABLE_SUBIDS
- if (is_sub_uid &&
-- (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
-+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
- fprintf (stderr,
- _("%s: failed to prepare the new %s entry\n"),
- Prog, sub_uid_dbname ());
- fail_exit (E_SUB_UID_UPDATE);
- }
- if (is_sub_gid &&
-- (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
-+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
- fprintf (stderr,
- _("%s: failed to prepare the new %s entry\n"),
- Prog, sub_uid_dbname ());
-@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
- }
-
- #ifdef ENABLE_SUBIDS
-- if (is_sub_uid && sub_uid_count != 0) {
-- if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
-+ if (is_sub_uid && subuid_count != 0) {
-+ if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
- fprintf (stderr,
- _("%s: can't create subordinate user IDs\n"),
- Prog);
- fail_exit(E_SUB_UID_UPDATE);
- }
- }
-- if (is_sub_gid && sub_gid_count != 0) {
-- if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
-+ if (is_sub_gid && subgid_count != 0) {
-+ if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
- fprintf (stderr,
- _("%s: can't create subordinate group IDs\n"),
- Prog);
-@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
- }
- #endif /* ENABLE_SUBIDS */
-
-- usr_update ();
-+ usr_update (subuid_count, subgid_count);
-
- close_files ();
-
---
-1.8.3.1
-
diff --git a/useradd-change-SELinux-labels-for-home-files.patch b/useradd-change-SELinux-labels-for-home-files.patch
deleted file mode 100644
index 700b1f1..0000000
--- a/useradd-change-SELinux-labels-for-home-files.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Fri, 12 Nov 2021 15:23:30 +0100
-Subject: [PATCH] useradd: change SELinux labels for home files
-
-Change SELinux labels for files copied from the skeleton directory to
-the home directory.
-
-This could cause gnome's graphical user adding to fail without copying
-the full skeleton files.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2022658
-
-Signed-off-by: Iker Pedrosa
----
- src/useradd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index b463a17..f7c9795 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
- if (mflg) {
- create_home ();
- if (home_added) {
-- copy_tree (def_template, prefix_user_home, false, false,
-+ copy_tree (def_template, prefix_user_home, false, true,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
---
-1.8.3.1
-
diff --git a/useradd-create-directories-after-the-SELinux-user.patch b/useradd-create-directories-after-the-SELinux-user.patch
deleted file mode 100644
index 36bd2a6..0000000
--- a/useradd-create-directories-after-the-SELinux-user.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Fri, 8 Oct 2021 13:09:59 +0200
-Subject: [PATCH] useradd: create directories after the SELinux user
-
-Create the home and mail folders after the SELinux user has been set for
-the added user. This will allow the folders to be created with the
-SELinux user label.
-
-Signed-off-by: Iker Pedrosa
-Conflict: context adaptation
----
- src/useradd.c | 46 +++++++++++++++++++++++-----------------------
- 1 file changed, 23 insertions(+), 23 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 6269c01..b463a17 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
-
- usr_update ();
-
-- if (mflg) {
-- create_home ();
-- if (home_added) {
-- copy_tree (def_template, prefix_user_home, false, false,
-- (uid_t)-1, user_id, (gid_t)-1, user_gid);
-- } else {
-- fprintf (stderr,
-- _("%s: warning: the home directory %s already exists.\n"
-- "%s: Not copying any file from skel directory into it.\n"),
-- Prog, user_home, Prog);
-- }
--
-- }
--
-- /* Do not create mail directory for system accounts */
-- if (!rflg) {
-- create_mail ();
-- }
--
- close_files ();
-
-+ nscd_flush_cache ("passwd");
-+ nscd_flush_cache ("group");
-+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-+
- /*
- * tallylog_reset needs to be able to lookup
- * a valid existing user name,
-@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
- }
- #endif /* WITH_SELINUX */
-
-+ if (mflg) {
-+ create_home ();
-+ if (home_added) {
-+ copy_tree (def_template, prefix_user_home, false, false,
-+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
-+ } else {
-+ fprintf (stderr,
-+ _("%s: warning: the home directory %s already exists.\n"
-+ "%s: Not copying any file from skel directory into it.\n"),
-+ Prog, user_home, Prog);
-+ }
-+
-+ }
-+
-+ /* Do not create mail directory for system accounts */
-+ if (!rflg) {
-+ create_mail ();
-+ }
-+
- if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
- "useradd")) {
- exit(1);
- }
-
-- nscd_flush_cache ("passwd");
-- nscd_flush_cache ("group");
-- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
--
- return E_SUCCESS;
- }
-
---
-1.8.3.1
-
diff --git a/usermod-allow-all-group-types-with-G-option.patch b/usermod-allow-all-group-types-with-G-option.patch
deleted file mode 100644
index 0ac899f..0000000
--- a/usermod-allow-all-group-types-with-G-option.patch
+++ /dev/null
@@ -1,322 +0,0 @@
-From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Tue, 3 Aug 2021 08:57:20 +0200
-Subject: [PATCH] usermod: allow all group types with -G option
-
-The only way of removing a group from the supplementary list is to use
--G option, and list all groups that the user is a member of except for
-the one that wants to be removed. The problem lies when there's a user
-that contains both local and remote groups, and the group to be removed
-is a local one. As we need to include the remote group with -G option
-the command will fail.
-
-This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
-it would be possible to remove the remote groups from the supplementary
-list.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
-Resolves: https://github.com/shadow-maint/shadow/issues/338
-
-Signed-off-by: Iker Pedrosa
----
- src/usermod.c | 220 ++++++++++++++++++++--------------------------------------
- 1 file changed, 77 insertions(+), 143 deletions(-)
-
-diff --git a/src/usermod.c b/src/usermod.c
-index 03bb9b9..a0c03af 100644
---- a/src/usermod.c
-+++ b/src/usermod.c
-@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
- static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
- long int date);
- static int get_groups (char *);
--static struct group * get_local_group (char * grp_name);
- static /*@noreturn@*/void usage (int status);
- static void new_pwent (struct passwd *);
- static void new_spent (struct spwd *);
-@@ -201,9 +200,7 @@ static void grp_update (void);
-
- static void process_flags (int, char **);
- static void close_files (void);
--static void close_group_files (void);
- static void open_files (void);
--static void open_group_files (void);
- static void usr_update (void);
- static void move_home (void);
- static void update_lastlog (void);
-@@ -261,11 +258,6 @@ static int get_groups (char *list)
- }
-
- /*
-- * Open the group files
-- */
-- open_group_files ();
--
-- /*
- * So long as there is some data to be converted, strip off each
- * name and look it up. A mix of numerical and string values for
- * group identifiers is permitted.
-@@ -284,7 +276,7 @@ static int get_groups (char *list)
- * Names starting with digits are treated as numerical GID
- * values, otherwise the string is looked up as is.
- */
-- grp = get_local_group (list);
-+ grp = prefix_getgr_nam_gid (list);
-
- /*
- * There must be a match, either by GID value or by
-@@ -334,8 +326,6 @@ static int get_groups (char *list)
- gr_free ((struct group *)grp);
- } while (NULL != list);
-
-- close_group_files ();
--
- user_groups[ngroups] = (char *) 0;
-
- /*
-@@ -348,44 +338,6 @@ static int get_groups (char *list)
- return 0;
- }
-
--/*
-- * get_local_group - checks if a given group name exists locally
-- *
-- * get_local_group() checks if a given group name exists locally.
-- * If the name exists the group information is returned, otherwise NULL is
-- * returned.
-- */
--static struct group * get_local_group(char * grp_name)
--{
-- const struct group *grp;
-- struct group *result_grp = NULL;
-- long long int gid;
-- char *endptr;
--
-- gid = strtoll (grp_name, &endptr, 10);
-- if ( ('\0' != *grp_name)
-- && ('\0' == *endptr)
-- && (ERANGE != errno)
-- && (gid == (gid_t)gid)) {
-- grp = gr_locate_gid ((gid_t) gid);
-- }
-- else {
-- grp = gr_locate(grp_name);
-- }
--
-- if (grp != NULL) {
-- result_grp = __gr_dup (grp);
-- if (NULL == result_grp) {
-- fprintf (stderr,
-- _("%s: Out of memory. Cannot find group '%s'.\n"),
-- Prog, grp_name);
-- fail_exit (E_GRP_UPDATE);
-- }
-- }
--
-- return result_grp;
--}
--
- #ifdef ENABLE_SUBIDS
- struct ulong_range
- {
-@@ -1523,7 +1475,50 @@ static void close_files (void)
- }
-
- if (Gflg || lflg) {
-- close_group_files ();
-+ if (gr_close () == 0) {
-+ fprintf (stderr,
-+ _("%s: failure while writing changes to %s\n"),
-+ Prog, gr_dbname ());
-+ SYSLOG ((LOG_ERR,
-+ "failure while writing changes to %s",
-+ gr_dbname ()));
-+ fail_exit (E_GRP_UPDATE);
-+ }
-+#ifdef SHADOWGRP
-+ if (is_shadow_grp) {
-+ if (sgr_close () == 0) {
-+ fprintf (stderr,
-+ _("%s: failure while writing changes to %s\n"),
-+ Prog, sgr_dbname ());
-+ SYSLOG ((LOG_ERR,
-+ "failure while writing changes to %s",
-+ sgr_dbname ()));
-+ fail_exit (E_GRP_UPDATE);
-+ }
-+ }
-+#endif
-+#ifdef SHADOWGRP
-+ if (is_shadow_grp) {
-+ if (sgr_unlock () == 0) {
-+ fprintf (stderr,
-+ _("%s: failed to unlock %s\n"),
-+ Prog, sgr_dbname ());
-+ SYSLOG ((LOG_ERR,
-+ "failed to unlock %s",
-+ sgr_dbname ()));
-+ /* continue */
-+ }
-+ }
-+#endif
-+ if (gr_unlock () == 0) {
-+ fprintf (stderr,
-+ _("%s: failed to unlock %s\n"),
-+ Prog, gr_dbname ());
-+ SYSLOG ((LOG_ERR,
-+ "failed to unlock %s",
-+ gr_dbname ()));
-+ /* continue */
-+ }
- }
-
- if (is_shadow_pwd) {
-@@ -1593,60 +1588,6 @@ static void close_files (void)
- }
-
- /*
-- * close_group_files - close all of the files that were opened
-- *
-- * close_group_files() closes all of the files that were opened related
-- * with groups. This causes any modified entries to be written out.
-- */
--static void close_group_files (void)
--{
-- if (gr_close () == 0) {
-- fprintf (stderr,
-- _("%s: failure while writing changes to %s\n"),
-- Prog, gr_dbname ());
-- SYSLOG ((LOG_ERR,
-- "failure while writing changes to %s",
-- gr_dbname ()));
-- fail_exit (E_GRP_UPDATE);
-- }
--#ifdef SHADOWGRP
-- if (is_shadow_grp) {
-- if (sgr_close () == 0) {
-- fprintf (stderr,
-- _("%s: failure while writing changes to %s\n"),
-- Prog, sgr_dbname ());
-- SYSLOG ((LOG_ERR,
-- "failure while writing changes to %s",
-- sgr_dbname ()));
-- fail_exit (E_GRP_UPDATE);
-- }
-- }
--#endif
--#ifdef SHADOWGRP
-- if (is_shadow_grp) {
-- if (sgr_unlock () == 0) {
-- fprintf (stderr,
-- _("%s: failed to unlock %s\n"),
-- Prog, sgr_dbname ());
-- SYSLOG ((LOG_ERR,
-- "failed to unlock %s",
-- sgr_dbname ()));
-- /* continue */
-- }
-- }
--#endif
-- if (gr_unlock () == 0) {
-- fprintf (stderr,
-- _("%s: failed to unlock %s\n"),
-- Prog, gr_dbname ());
-- SYSLOG ((LOG_ERR,
-- "failed to unlock %s",
-- gr_dbname ()));
-- /* continue */
-- }
--}
--
--/*
- * open_files - lock and open the password files
- *
- * open_files() opens the two password files.
-@@ -1681,7 +1622,38 @@ static void open_files (void)
- }
-
- if (Gflg || lflg) {
-- open_group_files ();
-+ /*
-+ * Lock and open the group file. This will load all of the
-+ * group entries.
-+ */
-+ if (gr_lock () == 0) {
-+ fprintf (stderr,
-+ _("%s: cannot lock %s; try again later.\n"),
-+ Prog, gr_dbname ());
-+ fail_exit (E_GRP_UPDATE);
-+ }
-+ gr_locked = true;
-+ if (gr_open (O_CREAT | O_RDWR) == 0) {
-+ fprintf (stderr,
-+ _("%s: cannot open %s\n"),
-+ Prog, gr_dbname ());
-+ fail_exit (E_GRP_UPDATE);
-+ }
-+#ifdef SHADOWGRP
-+ if (is_shadow_grp && (sgr_lock () == 0)) {
-+ fprintf (stderr,
-+ _("%s: cannot lock %s; try again later.\n"),
-+ Prog, sgr_dbname ());
-+ fail_exit (E_GRP_UPDATE);
-+ }
-+ sgr_locked = true;
-+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
-+ fprintf (stderr,
-+ _("%s: cannot open %s\n"),
-+ Prog, sgr_dbname ());
-+ fail_exit (E_GRP_UPDATE);
-+ }
-+#endif
- }
- #ifdef ENABLE_SUBIDS
- if (vflg || Vflg) {
-@@ -1718,44 +1690,6 @@ static void open_files (void)
- }
-
- /*
-- * open_group_files - lock and open the group files
-- *
-- * open_group_files() loads all of the group entries.
-- */
--static void open_group_files (void)
--{
-- if (gr_lock () == 0) {
-- fprintf (stderr,
-- _("%s: cannot lock %s; try again later.\n"),
-- Prog, gr_dbname ());
-- fail_exit (E_GRP_UPDATE);
-- }
-- gr_locked = true;
-- if (gr_open (O_CREAT | O_RDWR) == 0) {
-- fprintf (stderr,
-- _("%s: cannot open %s\n"),
-- Prog, gr_dbname ());
-- fail_exit (E_GRP_UPDATE);
-- }
--
--#ifdef SHADOWGRP
-- if (is_shadow_grp && (sgr_lock () == 0)) {
-- fprintf (stderr,
-- _("%s: cannot lock %s; try again later.\n"),
-- Prog, sgr_dbname ());
-- fail_exit (E_GRP_UPDATE);
-- }
-- sgr_locked = true;
-- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
-- fprintf (stderr,
-- _("%s: cannot open %s\n"),
-- Prog, sgr_dbname ());
-- fail_exit (E_GRP_UPDATE);
-- }
--#endif
--}
--
--/*
- * usr_update - create the user entries
- *
- * usr_update() creates the password file entries for this user and
---
-1.8.3.1
-