From a4f9def9dd72b299fd4a036f399bb8510c4ae252 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Thu, 24 Jun 2021 12:47:17 +0200
Subject: [PATCH] Update shadow-4.8-crypt_h.patch with the upstreamed version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Björn Esser
---
 shadow-4.8-crypt_h.patch | 39 +++-
 shadow-4.8.1-crypt_gensalt.patch | 310 +++++++++++++++++++++++++++++++
 shadow-utils.spec | 9 +-
 3 files changed, 348 insertions(+), 10 deletions(-)
 create mode 100644 shadow-4.8.1-crypt_gensalt.patch

diff --git a/shadow-4.8-crypt_h.patch b/shadow-4.8-crypt_h.patch
index e2704e8..6d36376 100644
--- a/shadow-4.8-crypt_h.patch
+++ b/shadow-4.8-crypt_h.patch
@@ -1,6 +1,24 @@
-diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
---- shadow-4.8/configure.ac.crypt_h 2020-01-13 10:26:17.400481712 +0100
-+++ shadow-4.8/configure.ac 2020-01-13 10:29:11.563529093 +0100
+From c93897a8d71b9b1790caf3b2dee38dbe62518ae3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
+Date: Thu, 24 Jun 2021 12:39:27 +0200
+Subject: [PATCH] lib/defines.h: Include if present on the system.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The functions crypt(3), crypt_gensalt(3), and their
+feature test macros may be defined in there.
+
+Signed-off-by: Björn Esser
+---
+ configure.ac | 2 +-
+ lib/defines.h | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+Index: shadow-4.8.1/configure.ac
+===================================================================
+--- shadow-4.8.1.orig/configure.ac
++++ shadow-4.8.1/configure.ac
 @@ -32,7 +32,7 @@ AC_HEADER_STDC
  AC_HEADER_SYS_WAIT
  AC_HEADER_STDBOOL
@@ -10,9 +28,10 @@ diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
  utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
  utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
  locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
-diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
---- shadow-4.8/lib/defines.h.crypt_h 2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/defines.h 2020-01-13 10:26:17.400481712 +0100
+Index: shadow-4.8.1/lib/defines.h
+===================================================================
+--- shadow-4.8.1.orig/lib/defines.h
++++ shadow-4.8.1/lib/defines.h
 @@ -4,6 +4,8 @@
  #ifndef _DEFINES_H_
  #define _DEFINES_H_
@@ -22,12 +41,16 @@ diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
  #if HAVE_STDBOOL_H
  # include
  #else
-@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
+@@ -94,6 +96,14 @@ char *strchr (), *strrchr (), *strtok ();
  # include
  #endif
  
++/*
++ * crypt(3), crypt_gensalt(3), and their
++ * feature test macros may be defined in here.
++ */
 +#if HAVE_CRYPT_H
-+# include /* crypt(3) may be defined in here */
++# include
 +#endif
 +
  #if TIME_WITH_SYS_TIME
diff --git a/shadow-4.8.1-crypt_gensalt.patch b/shadow-4.8.1-crypt_gensalt.patch
new file mode 100644
index 0000000..25198e6
--- /dev/null
+++ b/shadow-4.8.1-crypt_gensalt.patch
@@ -0,0 +1,310 @@ +From ea04eb301d08c0c58f1120f87d4ec184d3983ce5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= +Date: Tue, 15 Jun 2021 14:23:42 +0200 +Subject: [PATCH] libmisc/salt.c: Use crypt_gensalt(), if available in + libcrypt. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Most Linux distributions, including Fedora and RHEL 8, are shipping +with libxcrypt >= 4.0. + +Since that version of libxcrypt the provided family of crypt_gensalt() +functions are able to use automatic entropy drawn from secure system +ressources, like arc4random(), getentropy() or getrandom(). + +Anyways, the settings generated by crypt_gensalt() are always +guaranteed to works with the crypt() function. + +Using crypt_gensalt() is also needed to make proper use of newer +hashing methods, like yescrypt, provided by libxcrypt. + +Signed-off-by: Björn Esser +--- + libmisc/salt.c | 132 +++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 105 insertions(+), 27 deletions(-) + +diff --git a/libmisc/salt.c b/libmisc/salt.c +index 13408a53..9fd34332 100644 +--- a/libmisc/salt.c ++++ b/libmisc/salt.c +@@ -22,6 +22,13 @@ + #include "defines.h" + #include "getdef.h" + ++#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \ ++ CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) ++#define USE_XCRYPT_GENSALT 1 ++#else ++#define USE_XCRYPT_GENSALT 0 ++#endif ++ + /* Add the salt prefix. 
*/ + #define MAGNUM(array,ch) (array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0' + +@@ -77,21 +84,26 @@ + + /* local function prototypes */ + static long read_random_bytes (void); ++#if !USE_XCRYPT_GENSALT + static /*@observer@*/const char *gensalt (size_t salt_size); ++#endif /* !USE_XCRYPT_GENSALT */ + #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) + static long shadow_random (long min, long max); + #endif /* USE_SHA_CRYPT || USE_BCRYPT */ + #ifdef USE_SHA_CRYPT +-static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds); ++static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds); ++static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds); + #endif /* USE_SHA_CRYPT */ + #ifdef USE_BCRYPT +-static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds); ++static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds); ++static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds); + #endif /* USE_BCRYPT */ + #ifdef USE_YESCRYPT +-static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *prefered_cost); ++static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost); ++static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long cost); + #endif /* USE_YESCRYPT */ + +-#ifndef HAVE_L64A ++#if !USE_XCRYPT_GENSALT && !defined(HAVE_L64A) + static /*@observer@*/char *l64a (long value) + { + static char buf[8]; +@@ -125,7 +137,7 @@ static /*@observer@*/char *l64a (long value) + + return buf; + } +-#endif /* !HAVE_L64A */ ++#endif /* !USE_XCRYPT_GENSALT && !defined(HAVE_L64A) */ + + /* Read sizeof (long) random bytes from /dev/urandom. 
*/ + static long read_random_bytes (void) +@@ -199,14 +211,10 @@ static long shadow_random (long min, long max) + #endif /* USE_SHA_CRYPT || USE_BCRYPT */ + + #ifdef USE_SHA_CRYPT +-/* +- * Fill a salt prefix specifying the rounds number for the SHA crypt methods +- * to a buffer. +- */ +-static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds) ++/* Return the the rounds number for the SHA crypt methods. */ ++static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds) + { + unsigned long rounds; +- const size_t buf_begin = strlen (buf); + + if (NULL == prefered_rounds) { + long min_rounds = getdef_long ("SHA_CRYPT_MIN_ROUNDS", -1); +@@ -245,6 +253,17 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *pref + rounds = SHA_ROUNDS_MAX; + } + ++ return rounds; ++} ++ ++/* ++ * Fill a salt prefix specifying the rounds number for the SHA crypt methods ++ * to a buffer. ++ */ ++static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds) ++{ ++ const size_t buf_begin = strlen (buf); ++ + /* Nothing to do here if SHA_ROUNDS_DEFAULT is used. */ + if (rounds == SHA_ROUNDS_DEFAULT) { + return; +@@ -265,14 +284,10 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *pref + #endif /* USE_SHA_CRYPT */ + + #ifdef USE_BCRYPT +-/* +- * Fill a salt prefix specifying the rounds number for the BCRYPT method +- * to a buffer. +- */ +-static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds) ++/* Return the the rounds number for the BCRYPT method. 
*/ ++static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds) + { + unsigned long rounds; +- const size_t buf_begin = strlen (buf); + + if (NULL == prefered_rounds) { + long min_rounds = getdef_long ("BCRYPT_MIN_ROUNDS", -1); +@@ -306,6 +321,11 @@ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *p + rounds = B_ROUNDS_MIN; + } + ++#if USE_XCRYPT_GENSALT ++ if (rounds > B_ROUNDS_MAX) { ++ rounds = B_ROUNDS_MAX; ++ } ++#else /* USE_XCRYPT_GENSALT */ + /* + * Use 19 as an upper bound for now, + * because musl doesn't allow rounds >= 20. +@@ -314,6 +334,18 @@ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *p + /* rounds = B_ROUNDS_MAX; */ + rounds = 19; + } ++#endif /* USE_XCRYPT_GENSALT */ ++ ++ return rounds; ++} ++ ++/* ++ * Fill a salt prefix specifying the rounds number for the BCRYPT method ++ * to a buffer. ++ */ ++static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds) ++{ ++ const size_t buf_begin = strlen (buf); + + /* + * Check if the result buffer is long enough. +@@ -330,14 +362,10 @@ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *p + #endif /* USE_BCRYPT */ + + #ifdef USE_YESCRYPT +-/* +- * Fill a salt prefix specifying the cost for the YESCRYPT method +- * to a buffer. +- */ +-static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *prefered_cost) ++/* Return the the cost number for the YESCRYPT method. 
*/ ++static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost) + { + unsigned long cost; +- const size_t buf_begin = strlen (buf); + + if (NULL == prefered_cost) { + cost = getdef_num ("YESCRYPT_COST_FACTOR", Y_COST_DEFAULT); +@@ -356,6 +384,17 @@ static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *p + cost = Y_COST_MAX; + } + ++ return cost; ++} ++ ++/* ++ * Fill a salt prefix specifying the cost for the YESCRYPT method ++ * to a buffer. ++ */ ++static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long cost) ++{ ++ const size_t buf_begin = strlen (buf); ++ + /* + * Check if the result buffer is long enough. + * We are going to write four bytes, +@@ -380,6 +419,7 @@ static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *p + } + #endif /* USE_YESCRYPT */ + ++#if !USE_XCRYPT_GENSALT + static /*@observer@*/const char *gensalt (size_t salt_size) + { + static char salt[MAX_SALT_SIZE + 6]; +@@ -397,6 +437,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size) + + return salt; + } ++#endif /* !USE_XCRYPT_GENSALT */ + + /* + * Generate 8 base64 ASCII characters of random salt. 
If MD5_CRYPT_ENAB +@@ -420,6 +461,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size) + static char result[GENSALT_SETTING_SIZE]; + size_t salt_len = MAX_SALT_SIZE; + const char *method; ++ unsigned long rounds = 0; + + memset (result, '\0', GENSALT_SETTING_SIZE); + +@@ -435,27 +477,32 @@ static /*@observer@*/const char *gensalt (size_t salt_size) + if (0 == strcmp (method, "MD5")) { + MAGNUM(result, '1'); + salt_len = MD5_CRYPT_SALT_SIZE; ++ rounds = 0; + #ifdef USE_BCRYPT + } else if (0 == strcmp (method, "BCRYPT")) { + BCRYPTMAGNUM(result); + salt_len = BCRYPT_SALT_SIZE; +- BCRYPT_salt_rounds_to_buf (result, (int *) arg); ++ rounds = BCRYPT_get_salt_rounds ((int *) arg); ++ BCRYPT_salt_rounds_to_buf (result, rounds); + #endif /* USE_BCRYPT */ + #ifdef USE_YESCRYPT + } else if (0 == strcmp (method, "YESCRYPT")) { + MAGNUM(result, 'y'); + salt_len = YESCRYPT_SALT_SIZE; +- YESCRYPT_salt_cost_to_buf (result, (int *) arg); ++ rounds = YESCRYPT_get_salt_cost ((int *) arg); ++ YESCRYPT_salt_cost_to_buf (result, rounds); + #endif /* USE_YESCRYPT */ + #ifdef USE_SHA_CRYPT + } else if (0 == strcmp (method, "SHA256")) { + MAGNUM(result, '5'); + salt_len = SHA_CRYPT_SALT_SIZE; +- SHA_salt_rounds_to_buf (result, (int *) arg); ++ rounds = SHA_get_salt_rounds ((int *) arg); ++ SHA_salt_rounds_to_buf (result, rounds); + } else if (0 == strcmp (method, "SHA512")) { + MAGNUM(result, '6'); + salt_len = SHA_CRYPT_SALT_SIZE; +- SHA_salt_rounds_to_buf (result, (int *) arg); ++ rounds = SHA_get_salt_rounds ((int *) arg); ++ SHA_salt_rounds_to_buf (result, rounds); + #endif /* USE_SHA_CRYPT */ + } else if (0 != strcmp (method, "DES")) { + fprintf (shadow_logfd, +@@ -463,9 +510,39 @@ static /*@observer@*/const char *gensalt (size_t salt_size) + "Defaulting to DES.\n"), + method); + salt_len = MAX_SALT_SIZE; ++ rounds = 0; + memset (result, '\0', GENSALT_SETTING_SIZE); + } + ++#if USE_XCRYPT_GENSALT ++ /* ++ * Prepare DES setting for crypt_gensalt(), if result ++ * has not 
been filled with anything previously. ++ */ ++ if ('\0' == result[0]) { ++ /* Avoid -Wunused-but-set-variable. */ ++ salt_len = GENSALT_SETTING_SIZE - 1; ++ rounds = 0; ++ memset (result, '.', salt_len); ++ result[salt_len] = '\0'; ++ } ++ ++ char *retval = crypt_gensalt (result, rounds, NULL, 0); ++ ++ /* Should not happen, but... */ ++ if (NULL == retval) { ++ fprintf (shadow_logfd, ++ _("Unable to generate a salt from setting " ++ "\"%s\", check your settings in " ++ "ENCRYPT_METHOD and the corresponding " ++ "configuration for your selected hash " ++ "method.\n"), result); ++ ++ exit (1); ++ } ++ ++ return retval; ++#else /* USE_XCRYPT_GENSALT */ + /* Check if the result buffer is long enough. */ + assert (GENSALT_SETTING_SIZE > strlen (result) + salt_len); + +@@ -474,4 +551,5 @@ static /*@observer@*/const char *gensalt (size_t salt_size) + GENSALT_SETTING_SIZE - strlen (result) - 1); + + return result; ++#endif /* USE_XCRYPT_GENSALT */ + } diff --git a/shadow-utils.spec b/shadow-utils.spec index 7923c7b..7e5b216 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.8.1 -Release: 16%{?dist} +Release: 17%{?dist} Epoch: 2 URL: https://github.com/shadow-maint/shadow Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -48,7 +48,7 @@ Patch28: shadow-4.8-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch # SElinux related - upstreamability unknown Patch31: shadow-4.6-getenforce.patch -# Handle include of crypt.h - could be upstreamed +# https://github.com/shadow-maint/shadow/commit/c93897a8d71b9b1790caf3b2dee38dbe62518ae3 Patch32: shadow-4.8-crypt_h.patch # Handle /etc/passwd corruption - could be upstreamed Patch33: shadow-4.8-long-entry.patch 
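Review bot: The three new accessors `SHA_get_salt_rounds`, `BCRYPT_get_salt_rounds` and `YESCRYPT_get_salt_cost` are declared `static /*@observer@*/const unsigned long ...` in both the prototypes and the definitions; a `const` qualifier on a scalar return type has no effect and draws `-Wignored-qualifiers` under `-Wextra`, and the splint `observer` annotation appears intended for pointer results rather than an integer, so `static unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds);` (and likewise for the other two) is the signature that matches the intent. The header comments on the same three functions read "Return the the rounds number" / "Return the the cost number" and carry a duplicated "the". In the USE_XCRYPT_GENSALT branch of gensalt(), the `exit (1)` taken when crypt_gensalt() returns NULL is a fail-closed choice that keeps a caller from ever hashing with an empty or partial setting; the comment `/* Should not happen, but... */` would convey that better as `/* Fail closed: never hand an empty or partial setting to crypt(). */`. The enclosing gensalt() definition begins outside the visible context of that hunk.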
@@ -118,6 +118,8 @@ Patch64: shadow-4.8.1-salt_c_use_dev_urandom.patch
 Patch65: shadow-4.8.1-useradd_create_relative_home_path_correctly.patch
 # https://github.com/shadow-maint/shadow/commit/c82ed0c15e0e9e47df0b4c22672b72e35f061a9d
 Patch66: shadow-4.8.1-getentropy_random_bytes.patch
+# https://github.com/shadow-maint/shadow/commit/ea04eb301d08c0c58f1120f87d4ec184d3983ce5
+Patch67: shadow-4.8.1-crypt_gensalt.patch
 
 License: BSD and GPLv2+
 BuildRequires: make
@@ -209,6 +211,7 @@ Development files for shadow-utils-subid.
 %patch64 -p1 -b .use_dev_urandom
 %patch65 -p1 -b .useradd_create_relative_home_path_correctly
 %patch66 -p1 -b .getentropy_random_bytes
+%patch67 -p1 -b .crypt_gensalt
 
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -380,6 +383,8 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %changelog
 * Sun Jul 04 2021 Björn Esser - 2:4.8.1-16
 - Add a patch to obtain random bytes using getentropy()
+- Update shadow-4.8-crypt_h.patch with the upstreamed version
+- Add a patch to make use of crypt_gensalt() from libxcrypt
 
 * Tue Jun 29 2021 Iker Pedrosa - 2:4.8.1-15
 - useradd: free correct pointer (#1976809)
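Review bot: The %changelog hunk appends the two new entries under the existing `* Sun Jul 04 2021 Björn Esser - 2:4.8.1-16` header while the first spec hunk (on the preceding line) bumps `Release: 16%{?dist}` to `Release: 17%{?dist}`, so the newest changelog version no longer agrees with Release and rpmlint will report incoherent-version-in-changelog. Unless the -16 release was never built, the two added `- ...` lines belong under a fresh header such as `* <build date> Björn Esser <PLACEHOLDER-EMAIL> - 2:4.8.1-17`, leaving the -16 entry as it was.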