Rebase to version libuser-0.64

2023-01-24 09:17:10 +01:00 · 2023-01-24 09:17:10 +01:00 · a625bf7f7b
commit a625bf7f7b
parent a8ce991f18
7 changed files with 11 additions and 1850 deletions
--- a/.gitignore
+++ b/.gitignore
@ -16,3 +16,4 @@ libuser-0.56.16.tar.xz
 /libuser-0.61.tar.xz
 /libuser-0.62.tar.xz
 /libuser-0.63.tar.xz
+/libuser-0.64.tar.gz
--- a/libuser-0.63-PR49_add_yescrypt.patch
+++ b/libuser-0.63-PR49_add_yescrypt.patch
@ -1,260 +0,0 @@
-From 3b8a2aa52bcee6e03f047840251ae42ab971a8a0 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 07 2021 20:25:41 +0000
-Subject: [PATCH 1/5] lib/util.c: bcrypt should use $2b$ as prefix for setting.
-
-
-This prefix is the recommended one for new bcrypt hashes
-for a long time.
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
---
-
-diff --git a/lib/util.c b/lib/util.c
-index 1b03f7d..e549a35 100644
--- a/lib/util.c
-+++ b/lib/util.c
-@@ -124,7 +124,7 @@ static const struct {
- } salt_type_info[] = {
- 	{"$1$", "$", 8, FALSE },
- 	/* FIXME: number of rounds, base64 of 128 bits */
-	{"$2a$", "$", 8, FALSE },
-+	{"$2b$", "$", 8, FALSE },
- 	{"$5$", "$", 16, TRUE },
- 	{"$6$", "$", 16, TRUE },
- 	{ "", "", 2 },
-@@ -231,7 +231,7 @@ lu_util_default_salt_specifier(struct lu_context *context)
- 	} salt_types[] = {
- 		{ "des", "", FALSE },
- 		{ "md5", "$1$", FALSE },
-		{ "blowfish", "$2a$", FALSE },
-+		{ "blowfish", "$2b$", FALSE },
- 		{ "sha256", "$5$", TRUE },
- 		{ "sha512", "$6$", TRUE },
- 	};
-
-From 9dcc69425677cf510ec6da5ababfdd295f875c1a Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 2/5] lib/util.c: Use crypt_gensalt(), if available in libcrypt.
-
-
-Most Linux distributions, including Fedora and RHEL 8, are shipping
-with libxcrypt >= 4.0.
-
-Since that version of libxcrypt the provided family of crypt_gensalt()
-functions are able to use automatic entropy drawn from secure system
-ressources, like arc4random(), getentropy() or getrandom().
-
-Anyways, the settings generated by crypt_gensalt() are always
-guaranteed to works with the crypt() function.
-
-Using crypt_gesalt() is also needed to make proper use of newer
-hashing methods, like yescrypt, provided by libxcrypt.
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
---
-
-diff --git a/lib/util.c b/lib/util.c
-index e549a35..b6db2af 100644
--- a/lib/util.c
-+++ b/lib/util.c
-@@ -43,6 +43,13 @@
- #define HASH_ROUNDS_MIN 1000
- #define HASH_ROUNDS_MAX 999999999
- 
-+#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \
-+     CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY)
-+#define USE_XCRYPT_GENSALT 1
-+#else
-+#define USE_XCRYPT_GENSALT 0
-+#endif
-+
- struct lu_lock {
- 	int fd;
- 	struct flock lock;
-@@ -66,6 +73,7 @@ lu_strcmp(gconstpointer v1, gconstpointer v2)
- 	return strcmp((char *) v1, (char *) v2);
- }
- 
-+#if !USE_XCRYPT_GENSALT
- /* A list of allowed salt characters, according to SUSv2. */
- #define ACCEPTABLE "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
- 		   "abcdefghijklmnopqrstuvwxyz" \
-@@ -115,6 +123,7 @@ fill_urandom(char *output, size_t length)
- 	close(fd);
- 	return TRUE;
- }
-+#endif
- 
- static const struct {
- 	const char initial[5];
-@@ -135,6 +144,9 @@ lu_make_crypted(const char *plain, const char *previous)
- {
- 	char salt[2048];
- 	size_t i, len = 0;
-+#if USE_XCRYPT_GENSALT
-+	unsigned long rounds = 0;
-+#endif
- 
- 	if (previous == NULL) {
- 		previous = LU_DEFAULT_SALT_TYPE;
-@@ -151,6 +163,23 @@ lu_make_crypted(const char *plain, const char *previous)
- 
- 	if (salt_type_info[i].sha_rounds != FALSE
- 	    && strncmp(previous + len, "rounds=", strlen("rounds=")) == 0) {
-+#if USE_XCRYPT_GENSALT
-+		const char *start;
-+		char *end;
-+
-+		start = previous + len + strlen("rounds=");
-+		rounds = strtoul (start, &end, 10);
-+
-+		if (rounds < HASH_ROUNDS_MIN)
-+			rounds = HASH_ROUNDS_MIN;
-+		else if (rounds > HASH_ROUNDS_MAX)
-+			rounds = HASH_ROUNDS_MAX;
-+	}
-+
-+	g_assert(CRYPT_GENSALT_OUTPUT_SIZE <= sizeof(salt));
-+
-+	crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt));
-+#else
- 		const char *start, *end;
- 
- 		start = previous + len + strlen("rounds=");
-@@ -168,6 +197,7 @@ lu_make_crypted(const char *plain, const char *previous)
- 		return NULL;
- 	strcpy(salt + len + salt_type_info[i].salt_length,
- 	       salt_type_info[i].separator);
-+#endif
- 
- 	return crypt(plain, salt);
- }
-@@ -251,13 +281,18 @@ lu_util_default_salt_specifier(struct lu_context *context)
- 
- found:
- 	if (salt_types[i].sha_rounds != FALSE) {
-		unsigned long rounds;
-+		unsigned long rounds = 0;
- 
- 		rounds = select_hash_rounds(context);
-+#if USE_XCRYPT_GENSALT
-+		return g_strdup(crypt_gensalt(salt_types[i].initializer,
-+					      rounds, NULL, 0));
-+#else
- 		if (rounds != 0)
- 			return g_strdup_printf("%srounds=%lu$",
- 					       salt_types[i].initializer,
- 					       rounds);
-+#endif
- 	}
- 	return g_strdup(salt_types[i].initializer);
- }
-
-From 2d40503977df3855f1415db995833ae4231e7944 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 3/5] lib/util.c: Add yescrypt hashing method for user passwords.
-
-
-The yescrypt hashing method is considered to be much stronger than
-sha512crypt and fully supported by libxcrypt >= 4.3.  It is based
-on NIST-approved primitives and on par with argon2 in strength.
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
---
-
-diff --git a/lib/util.c b/lib/util.c
-index b6db2af..bba9420 100644
--- a/lib/util.c
-+++ b/lib/util.c
-@@ -50,6 +50,14 @@
- #define USE_XCRYPT_GENSALT 0
- #endif
- 
-+#if ((defined XCRYPT_VERSION_NUM && \
-+      XCRYPT_VERSION_NUM >= ((4 << 16) | 3)) && \
-+      USE_XCRYPT_GENSALT)
-+#define HAVE_YESCRYPT 1
-+#else
-+#define HAVE_YESCRYPT 0
-+#endif
-+
- struct lu_lock {
- 	int fd;
- 	struct flock lock;
-@@ -136,6 +144,9 @@ static const struct {
- 	{"$2b$", "$", 8, FALSE },
- 	{"$5$", "$", 16, TRUE },
- 	{"$6$", "$", 16, TRUE },
-+#if HAVE_YESCRYPT
-+	{"$y$", "$", 24, FALSE },
-+#endif
- 	{ "", "", 2 },
- };
- 
-@@ -264,6 +275,9 @@ lu_util_default_salt_specifier(struct lu_context *context)
- 		{ "blowfish", "$2b$", FALSE },
- 		{ "sha256", "$5$", TRUE },
- 		{ "sha512", "$6$", TRUE },
-+#if HAVE_YESCRYPT
-+		{ "yescrypt", "$y$", FALSE },
-+#endif
- 	};
- 
- 	const char *salt_type;
-
-From 71ef71fe1878a321612e1995cb5c59dcb501ff01 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 4/5] docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
-
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
---
-
-diff --git a/docs/libuser.conf.5.in b/docs/libuser.conf.5.in
-index 2af0828..bd1daa7 100644
--- a/docs/libuser.conf.5.in
-+++ b/docs/libuser.conf.5.in
-@@ -69,8 +69,8 @@ The current algorithm may be retained
- when changing a password of an existing user, depending on the application.
- 
- Possible values are \fBdes\fR, \fBmd5\fR, \fBblowfish\fR,
-.B sha256
-and \fBsha512\fR, all case-insensitive.
-+.B sha256,
-+\fBsha512\fR, and \fByescrypt\fR, all case-insensitive.
- Unrecognized values are treated as \fBdes\fR.
- Default value is \fBdes\fR.
- 
-
-From 284b3195393688105b112b905069e0225c3046d2 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 5/5] libuser.conf: Use yescrypt as default value for crypt_style.
-
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
---
-
-diff --git a/libuser.conf b/libuser.conf
-index 8ff5b2e..cd25eb2 100644
--- a/libuser.conf
-+++ b/libuser.conf
-@@ -17,7 +17,7 @@ default_useradd = /etc/default/useradd
- # skeleton = /etc/skel
- # mailspooldir = /var/mail
- 
-crypt_style = sha512
-+crypt_style = yescrypt
- modules = files shadow
- create_modules = files shadow
- # modules = files shadow ldap
-
--- a/libuser-0.63-PR55_popt.patch
+++ b/libuser-0.63-PR55_popt.patch
--- a/libuser-0.63-downstream_test_xcrypt.patch
+++ b/libuser-0.63-downstream_test_xcrypt.patch
@ -1,27 +0,0 @@
-diff --git a/tests/pwhash_test b/tests/pwhash_test
-index ff89d60..525885e 100755
--- a/tests/pwhash_test
-+++ b/tests/pwhash_test
-@@ -77,6 +77,22 @@ if [ "x${pw#\$6\$}" = "x$pw" ]; then
-     exit 1
- fi
- 
-+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
-+echo 'crypt_style = blowfish' >> "$LIBUSER_CONF"
-+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
-+if [ "x${pw#\$2b\$}" = "x$pw" ]; then
-+    echo "Invalid BLOWFISH hash" >&2
-+    exit 1
-+fi
-+
-+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
-+echo 'crypt_style = yescrypt' >> "$LIBUSER_CONF"
-+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
-+if [ "x${pw#\$y\$}" = "x$pw" ]; then
-+    echo "Invalid YESCRYPT hash" >&2
-+    exit 1
-+fi
-+
- cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
- cat >> "$LIBUSER_CONF" <<\EOF
- crypt_style = sha256
--- a/libuser-0.63-test-ldif-backend.patch
+++ b/libuser-0.63-test-ldif-backend.patch
@ -1,68 +0,0 @@
-From b854e3da65dbf264511579b93c0e001d9ef03371 Mon Sep 17 00:00:00 2001
-From: Tomas Halman <thalman@redhat.com>
-Date: Wed, 23 Feb 2022 15:18:57 +0100
-Subject: [PATCH] tests: fix ldap test for new Fedora
-
-Openldap has changed in fedora and command line option -h is
-no longer available in utilities like ldapadd. Solution here is
-to switch to URI (-H)
-
-Support for bdb backend is dropped, test are using mdb backend since
-this update
---
- tests/default_pw_test | 4 ++--
- tests/ldap_test       | 2 +-
- tests/slapd.conf.in   | 2 +-
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tests/default_pw_test b/tests/default_pw_test
-index 733c85c..9c76b95 100755
--- a/tests/default_pw_test
-+++ b/tests/default_pw_test
-@@ -69,7 +69,7 @@ get_file_password() # file under $workdir/files, entry name
- get_ldap_password() # entry filter
- {
-     echo "Checking $1 ..." >&2
-    ldapsearch -LLL -h 127.0.0.1 -p "$ldap_port" -x -b 'dc=libuser' "$1" \
-+    ldapsearch -LLL -H ldap://127.0.0.1:$ldap_port -x -b 'dc=libuser' "$1" \
- 	userPassword | sed -n 's/userPassword:: //p'
- }
- 
-@@ -103,7 +103,7 @@ for modules in \
- 	    tests/wait_for_slapd_start "$workdir"/slapd.pid "$ldap_port"
- 	    slapd_pid=$(cat "$workdir"/slapd.pid)
- 	    trap 'status=$?; kill $slapd_pid; rm -rf "$workdir"; exit $status' 0
-	    ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \
-+	    ldapadd -H ldap://127.0.0.1:$ldap_port -f "$srcdir/ldap_skel.ldif" -x \
- 		-D cn=Manager,dc=libuser -w password
- 	    ;;
-     esac
-diff --git a/tests/ldap_test b/tests/ldap_test
-index 54609b1..c7ac377 100755
--- a/tests/ldap_test
-+++ b/tests/ldap_test
-@@ -56,7 +56,7 @@ slapd_pid=$(cat "$workdir"/slapd.pid)
- trap 'status=$?; kill $slapd_pid
- 	tests/wait_for_slapd_exit "$workdir"/slapd.pid "$ldap_port"
- 	rm -rf "$workdir"; exit $status' 0
-ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \
-+ldapadd -H "ldap://127.0.0.1:$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \
-     -D cn=Manager,dc=libuser -w password
- 
- 
-diff --git a/tests/slapd.conf.in b/tests/slapd.conf.in
-index 06ef10d..8e49a36 100644
--- a/tests/slapd.conf.in
-+++ b/tests/slapd.conf.in
-@@ -10,7 +10,7 @@ pidfile @WORKDIR@/slapd.pid
- TLSCertificateFile @WORKDIR@/key.pem
- TLSCertificateKeyFile @WORKDIR@/key.pem
- 
-database bdb
-+database mdb
- suffix "dc=libuser"
- rootdn "cn=Manager,dc=libuser"
- rootpw {SSHA}ABgelmLFZQ/OJzVEp3OM5MzWQ9rt3b4F
-- 
-2.35.1
-
--- a/libuser.spec
+++ b/libuser.spec
@ -1,9 +1,9 @@
 Name: libuser
-Version: 0.63
-Release: 14%{?dist}
+Version: 0.64
+Release: 1%{?dist}
 License: LGPLv2+
 URL: https://pagure.io/libuser
-Source: https://releases.pagure.org/libuser/libuser-%{version}.tar.xz
+Source: libuser-%{version}.tar.gz
 BuildRequires: glib2-devel
 BuildRequires: linuxdoc-tools
 BuildRequires: pam-devel
@ -15,7 +15,7 @@ BuildRequires: python3-devel
 # To make sure the configure script can find it
 BuildRequires: gcc
 # For %%check
-#BuildRequires: fakeroot
+BuildRequires: pseudo
 BuildRequires: openldap-clients
 BuildRequires: openldap-servers
 BuildRequires: openssl
@ -28,11 +28,6 @@ BuildRequires: audit-libs-devel

 Summary: A user and group account administration library

-Patch0: %{url}/pull-request/49.patch#/libuser-0.63-PR49_add_yescrypt.patch
-Patch1: libuser-0.63-downstream_test_xcrypt.patch
-Patch2: libuser-0.63-test-ldif-backend.patch
-Patch3: libuser-0.63-PR55_popt.patch
-
 %global __provides_exclude_from ^(%{_libdir}/%{name}|%{python3_sitearch})/.*$

 %description
@ -82,7 +77,7 @@ make
 %find_lang %{name}

 %check
-%make_build check || { cat test-suite.log; false; }
+PSEUDO_LOCALSTATEDIR=/tmp/pseudo.$$ %make_build check || { cat test-suite.log; false; }

 # Verify that all python modules load, just in case.
 LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir}:${LD_LIBRARY_PATH}
@ -122,6 +117,10 @@ export PYTHONPATH
 %{_datadir}/gtk-doc/html/*

 %changelog
+* Mon Jan 23 2023 Tomas Halman <thalman@redhat.com>
+- Rebase to version 0.64
+- Enable tests
+
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.63-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (libuser-0.63.tar.xz) = 5a8d261cea62d7d67da84acd263955eca10b876d3bb0cbbf8f15c2a4ad813f3d16361f90060a8ca77f7d97da4aaceaa0549985c06e9cabefeb10451bbb93a9d2
+SHA512 (libuser-0.64.tar.gz) = 8a2536f8f37538e60a4d0eb072c69d56d6d27d39a34078576b33b6eff55e60534b3fdee6432fe591a1bfbd521a6a447746e42756e34f77e369d057d79562f74b