Update shadow-4.8-crypt_h.patch with the upstreamed version

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-24 12:47:17 +02:00 · 2021-06-24 12:47:17 +02:00 · a4f9def9dd
commit a4f9def9dd
parent a6d57fc8a3
3 changed files with 348 additions and 10 deletions
--- a/shadow-4.8-crypt_h.patch
+++ b/shadow-4.8-crypt_h.patch
@ -1,6 +1,24 @@
-diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
--- shadow-4.8/configure.ac.crypt_h	2020-01-13 10:26:17.400481712 +0100
-+++ shadow-4.8/configure.ac	2020-01-13 10:29:11.563529093 +0100
+From c93897a8d71b9b1790caf3b2dee38dbe62518ae3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Thu, 24 Jun 2021 12:39:27 +0200
+Subject: [PATCH] lib/defines.h: Include <crypt.h> if present on the system.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The functions crypt(3), crypt_gensalt(3), and their
+feature test macros may be defined in there.
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+---
+ configure.ac  |  2 +-
+ lib/defines.h | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+Index: shadow-4.8.1/configure.ac
+===================================================================
+--- shadow-4.8.1.orig/configure.ac
+++ shadow-4.8.1/configure.ac
@@ -32,7 +32,7 @@ AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_HEADER_STDBOOL
@ -10,9 +28,10 @@ diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
 	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
 	utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
 	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
-diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
--- shadow-4.8/lib/defines.h.crypt_h	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/defines.h	2020-01-13 10:26:17.400481712 +0100
+Index: shadow-4.8.1/lib/defines.h
+===================================================================
+--- shadow-4.8.1.orig/lib/defines.h
+++ shadow-4.8.1/lib/defines.h
@@ -4,6 +4,8 @@
 #ifndef _DEFINES_H_
 #define _DEFINES_H_
@ -22,12 +41,16 @@ diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
 #if HAVE_STDBOOL_H
 # include <stdbool.h>
 #else
-@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
+@@ -94,6 +96,14 @@ char *strchr (), *strrchr (), *strtok ();
 # include <unistd.h>
 #endif
 
+/*
+ * crypt(3), crypt_gensalt(3), and their
+ * feature test macros may be defined in here.
+ */
 +#if HAVE_CRYPT_H
-+# include <crypt.h>		/* crypt(3) may be defined in here */
+# include <crypt.h>
 +#endif
 +
 #if TIME_WITH_SYS_TIME
--- a/shadow-4.8.1-crypt_gensalt.patch
+++ b/shadow-4.8.1-crypt_gensalt.patch
@ -0,0 +1,310 @@
+From ea04eb301d08c0c58f1120f87d4ec184d3983ce5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Tue, 15 Jun 2021 14:23:42 +0200
+Subject: [PATCH] libmisc/salt.c: Use crypt_gensalt(), if available in
+ libcrypt.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Most Linux distributions, including Fedora and RHEL 8, are shipping
+with libxcrypt >= 4.0.
+
+Since that version of libxcrypt the provided family of crypt_gensalt()
+functions are able to use automatic entropy drawn from secure system
+ressources, like arc4random(), getentropy() or getrandom().
+
+Anyways, the settings generated by crypt_gensalt() are always
+guaranteed to works with the crypt() function.
+
+Using crypt_gensalt() is also needed to make proper use of newer
+hashing methods, like yescrypt, provided by libxcrypt.
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+---
+ libmisc/salt.c | 132 +++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 105 insertions(+), 27 deletions(-)
+
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index 13408a53..9fd34332 100644
+--- a/libmisc/salt.c
+++ b/libmisc/salt.c
+@@ -22,6 +22,13 @@
+ #include "defines.h"
+ #include "getdef.h"
+ 
+#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \
+     CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY)
+#define USE_XCRYPT_GENSALT 1
+#else
+#define USE_XCRYPT_GENSALT 0
+#endif
+
+ /* Add the salt prefix. */
+ #define MAGNUM(array,ch)	(array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0'
+ 
+@@ -77,21 +84,26 @@
+ 
+ /* local function prototypes */
+ static long read_random_bytes (void);
+#if !USE_XCRYPT_GENSALT
+ static /*@observer@*/const char *gensalt (size_t salt_size);
+#endif /* !USE_XCRYPT_GENSALT */
+ #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
+ static long shadow_random (long min, long max);
+ #endif /* USE_SHA_CRYPT || USE_BCRYPT */
+ #ifdef USE_SHA_CRYPT
+-static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds);
+static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds);
+ #endif /* USE_SHA_CRYPT */
+ #ifdef USE_BCRYPT
+-static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds);
+static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds);
+ #endif /* USE_BCRYPT */
+ #ifdef USE_YESCRYPT
+-static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *prefered_cost);
+static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost);
+static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long cost);
+ #endif /* USE_YESCRYPT */
+ 
+-#ifndef HAVE_L64A
+#if !USE_XCRYPT_GENSALT && !defined(HAVE_L64A)
+ static /*@observer@*/char *l64a (long value)
+ {
+ 	static char buf[8];
+@@ -125,7 +137,7 @@ static /*@observer@*/char *l64a (long value)
+ 
+ 	return buf;
+ }
+-#endif /* !HAVE_L64A */
+#endif /* !USE_XCRYPT_GENSALT && !defined(HAVE_L64A) */
+ 
+ /* Read sizeof (long) random bytes from /dev/urandom. */
+ static long read_random_bytes (void)
+@@ -199,14 +211,10 @@ static long shadow_random (long min, long max)
+ #endif /* USE_SHA_CRYPT || USE_BCRYPT */
+ 
+ #ifdef USE_SHA_CRYPT
+-/*
+- * Fill a salt prefix specifying the rounds number for the SHA crypt methods
+- * to a buffer.
+- */
+-static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds)
+/* Return the the rounds number for the SHA crypt methods. */
+static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds)
+ {
+ 	unsigned long rounds;
+-	const size_t buf_begin = strlen (buf);
+ 
+ 	if (NULL == prefered_rounds) {
+ 		long min_rounds = getdef_long ("SHA_CRYPT_MIN_ROUNDS", -1);
+@@ -245,6 +253,17 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *pref
+ 		rounds = SHA_ROUNDS_MAX;
+ 	}
+ 
+	return rounds;
+}
+
+/*
+ * Fill a salt prefix specifying the rounds number for the SHA crypt methods
+ * to a buffer.
+ */
+static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds)
+{
+	const size_t buf_begin = strlen (buf);
+
+ 	/* Nothing to do here if SHA_ROUNDS_DEFAULT is used. */
+ 	if (rounds == SHA_ROUNDS_DEFAULT) {
+ 		return;
+@@ -265,14 +284,10 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, /*@null@*/int *pref
+ #endif /* USE_SHA_CRYPT */
+ 
+ #ifdef USE_BCRYPT
+-/*
+- * Fill a salt prefix specifying the rounds number for the BCRYPT method
+- * to a buffer.
+- */
+-static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *prefered_rounds)
+/* Return the the rounds number for the BCRYPT method. */
+static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds)
+ {
+ 	unsigned long rounds;
+-	const size_t buf_begin = strlen (buf);
+ 
+ 	if (NULL == prefered_rounds) {
+ 		long min_rounds = getdef_long ("BCRYPT_MIN_ROUNDS", -1);
+@@ -306,6 +321,11 @@ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *p
+ 		rounds = B_ROUNDS_MIN;
+ 	}
+ 
+#if USE_XCRYPT_GENSALT
+	if (rounds > B_ROUNDS_MAX) {
+		rounds = B_ROUNDS_MAX;
+	}
+#else /* USE_XCRYPT_GENSALT */
+ 	/*
+ 	 * Use 19 as an upper bound for now,
+ 	 * because musl doesn't allow rounds >= 20.
+@@ -314,6 +334,18 @@ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *p
+ 		/* rounds = B_ROUNDS_MAX; */
+ 		rounds = 19;
+ 	}
+#endif /* USE_XCRYPT_GENSALT */
+
+	return rounds;
+}
+
+/*
+ * Fill a salt prefix specifying the rounds number for the BCRYPT method
+ * to a buffer.
+ */
+static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds)
+{
+	const size_t buf_begin = strlen (buf);
+ 
+ 	/*
+ 	 * Check if the result buffer is long enough.
+@@ -330,14 +362,10 @@ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, /*@null@*/int *p
+ #endif /* USE_BCRYPT */
+ 
+ #ifdef USE_YESCRYPT
+-/*
+- * Fill a salt prefix specifying the cost for the YESCRYPT method
+- * to a buffer.
+- */
+-static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *prefered_cost)
+/* Return the the cost number for the YESCRYPT method. */
+static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost)
+ {
+ 	unsigned long cost;
+-	const size_t buf_begin = strlen (buf);
+ 
+ 	if (NULL == prefered_cost) {
+ 		cost = getdef_num ("YESCRYPT_COST_FACTOR", Y_COST_DEFAULT);
+@@ -356,6 +384,17 @@ static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *p
+ 		cost = Y_COST_MAX;
+ 	}
+ 
+	return cost;
+}
+
+/*
+ * Fill a salt prefix specifying the cost for the YESCRYPT method
+ * to a buffer.
+ */
+static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long cost)
+{
+	const size_t buf_begin = strlen (buf);
+
+ 	/*
+ 	 * Check if the result buffer is long enough.
+ 	 * We are going to write four bytes,
+@@ -380,6 +419,7 @@ static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, /*@null@*/int *p
+ }
+ #endif /* USE_YESCRYPT */
+ 
+#if !USE_XCRYPT_GENSALT
+ static /*@observer@*/const char *gensalt (size_t salt_size)
+ {
+ 	static char salt[MAX_SALT_SIZE + 6];
+@@ -397,6 +437,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 
+ 	return salt;
+ }
+#endif /* !USE_XCRYPT_GENSALT */
+ 
+ /*
+  * Generate 8 base64 ASCII characters of random salt.  If MD5_CRYPT_ENAB
+@@ -420,6 +461,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 	static char result[GENSALT_SETTING_SIZE];
+ 	size_t salt_len = MAX_SALT_SIZE;
+ 	const char *method;
+	unsigned long rounds = 0;
+ 
+ 	memset (result, '\0', GENSALT_SETTING_SIZE);
+ 
+@@ -435,27 +477,32 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 	if (0 == strcmp (method, "MD5")) {
+ 		MAGNUM(result, '1');
+ 		salt_len = MD5_CRYPT_SALT_SIZE;
+		rounds = 0;
+ #ifdef USE_BCRYPT
+ 	} else if (0 == strcmp (method, "BCRYPT")) {
+ 		BCRYPTMAGNUM(result);
+ 		salt_len = BCRYPT_SALT_SIZE;
+-		BCRYPT_salt_rounds_to_buf (result, (int *) arg);
+		rounds = BCRYPT_get_salt_rounds ((int *) arg);
+		BCRYPT_salt_rounds_to_buf (result, rounds);
+ #endif /* USE_BCRYPT */
+ #ifdef USE_YESCRYPT
+ 	} else if (0 == strcmp (method, "YESCRYPT")) {
+ 		MAGNUM(result, 'y');
+ 		salt_len = YESCRYPT_SALT_SIZE;
+-		YESCRYPT_salt_cost_to_buf (result, (int *) arg);
+		rounds = YESCRYPT_get_salt_cost ((int *) arg);
+		YESCRYPT_salt_cost_to_buf (result, rounds);
+ #endif /* USE_YESCRYPT */
+ #ifdef USE_SHA_CRYPT
+ 	} else if (0 == strcmp (method, "SHA256")) {
+ 		MAGNUM(result, '5');
+ 		salt_len = SHA_CRYPT_SALT_SIZE;
+-		SHA_salt_rounds_to_buf (result, (int *) arg);
+		rounds = SHA_get_salt_rounds ((int *) arg);
+		SHA_salt_rounds_to_buf (result, rounds);
+ 	} else if (0 == strcmp (method, "SHA512")) {
+ 		MAGNUM(result, '6');
+ 		salt_len = SHA_CRYPT_SALT_SIZE;
+-		SHA_salt_rounds_to_buf (result, (int *) arg);
+		rounds = SHA_get_salt_rounds ((int *) arg);
+		SHA_salt_rounds_to_buf (result, rounds);
+ #endif /* USE_SHA_CRYPT */
+ 	} else if (0 != strcmp (method, "DES")) {
+ 		fprintf (shadow_logfd,
+@@ -463,9 +510,39 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 			   "Defaulting to DES.\n"),
+ 			 method);
+ 		salt_len = MAX_SALT_SIZE;
+		rounds = 0;
+ 		memset (result, '\0', GENSALT_SETTING_SIZE);
+ 	}
+ 
+#if USE_XCRYPT_GENSALT
+	/*
+	 * Prepare DES setting for crypt_gensalt(), if result
+	 * has not been filled with anything previously.
+	 */
+	if ('\0' == result[0]) {
+		/* Avoid -Wunused-but-set-variable. */
+		salt_len = GENSALT_SETTING_SIZE - 1;
+		rounds = 0;
+		memset (result, '.', salt_len);
+		result[salt_len] = '\0';
+	}
+
+	char *retval = crypt_gensalt (result, rounds, NULL, 0);
+
+	/* Should not happen, but... */
+	if (NULL == retval) {
+		fprintf (shadow_logfd,
+			 _("Unable to generate a salt from setting "
+			   "\"%s\", check your settings in "
+			   "ENCRYPT_METHOD and the corresponding "
+			   "configuration for your selected hash "
+			   "method.\n"), result);
+
+		exit (1);
+	}
+
+	return retval;
+#else /* USE_XCRYPT_GENSALT */
+ 	/* Check if the result buffer is long enough. */
+ 	assert (GENSALT_SETTING_SIZE > strlen (result) + salt_len);
+ 
+@@ -474,4 +551,5 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 		 GENSALT_SETTING_SIZE - strlen (result) - 1);
+ 
+ 	return result;
+#endif /* USE_XCRYPT_GENSALT */
+ }
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.8.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 Epoch: 2
 URL: https://github.com/shadow-maint/shadow
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -48,7 +48,7 @@ Patch28: shadow-4.8-selinux-perms.patch
 Patch29: shadow-4.2.1-null-tm.patch
 # SElinux related - upstreamability unknown
 Patch31: shadow-4.6-getenforce.patch
-# Handle include of crypt.h - could be upstreamed
+# https://github.com/shadow-maint/shadow/commit/c93897a8d71b9b1790caf3b2dee38dbe62518ae3
 Patch32: shadow-4.8-crypt_h.patch
 # Handle /etc/passwd corruption - could be upstreamed
 Patch33: shadow-4.8-long-entry.patch
@ -118,6 +118,8 @@ Patch64: shadow-4.8.1-salt_c_use_dev_urandom.patch
 Patch65: shadow-4.8.1-useradd_create_relative_home_path_correctly.patch
 # https://github.com/shadow-maint/shadow/commit/c82ed0c15e0e9e47df0b4c22672b72e35f061a9d
 Patch66: shadow-4.8.1-getentropy_random_bytes.patch
+# https://github.com/shadow-maint/shadow/commit/ea04eb301d08c0c58f1120f87d4ec184d3983ce5
+Patch67: shadow-4.8.1-crypt_gensalt.patch

 License: BSD and GPLv2+
 BuildRequires: make
@ -209,6 +211,7 @@ Development files for shadow-utils-subid.
 %patch64 -p1 -b .use_dev_urandom
 %patch65 -p1 -b .useradd_create_relative_home_path_correctly
 %patch66 -p1 -b .getentropy_random_bytes
+%patch67 -p1 -b .crypt_gensalt

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -380,6 +383,8 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %changelog
 * Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
 - Add a patch to obtain random bytes using getentropy()
+- Update shadow-4.8-crypt_h.patch with the upstreamed version
+- Add a patch to make use of crypt_gensalt() from libxcrypt

 * Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
 - useradd: free correct pointer (#1976809)