import UBI shadow-utils-4.6-22.el8

2024-05-22 13:19:44 +00:00 · 2024-05-22 13:19:44 +00:00 · f918213805
commit f918213805
parent 0860cf4d83
3 changed files with 41 additions and 2 deletions
--- a/SOURCES/shadow-4.6-salt-remove-rounds.patch
+++ b/SOURCES/shadow-4.6-salt-remove-rounds.patch
@ -0,0 +1,15 @@
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index c72447ea..4940d76e 100644
+--- a/libmisc/salt.c
+++ b/libmisc/salt.c
+@@ -248,6 +248,10 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 		result[0] = '\0';
+ 	}
+ 
+	if (strstr(result, "rounds=") != NULL) {
+		result[3] = '\0';
+	}
+
+ 	/*
+ 	 * Concatenate a pseudo random salt.
+ 	 */
--- a/SOURCES/shadow-utils.login.defs
+++ b/SOURCES/shadow-utils.login.defs
@ -77,6 +77,22 @@ CREATE_HOME	yes
 #
 USERGROUPS_ENAB yes

-# Use SHA512 to encrypt password.
+#
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+#
 ENCRYPT_METHOD SHA512

+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# The values must be within the 1000-999999999 range.
+#
+SHA_CRYPT_MAX_ROUNDS 5000
+
--- a/SPECS/shadow-utils.spec
+++ b/SPECS/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.6
-Release: 19%{?dist}
+Release: 22%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
@ -100,6 +100,7 @@ Patch65: shadow-4.6-useradd-check-if-subid-range-exists.patch
 Patch66: shadow-4.6-skip-over-reserved-ids.patch
 # https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
 Patch67: shadow-4.6-gpasswd-fix-password-leak.patch
+Patch68: shadow-4.6-salt-remove-rounds.patch

 License: BSD and GPLv2+
 Group: System Environment/Base
@ -203,6 +204,7 @@ Development files for shadow-utils-subid.
 %patch65 -p1 -b .useradd-check-if-subid-range-exists
 %patch66 -p1 -b .skip-over-reserved-ids
 %patch67 -p1 -b .gpasswd-fix-password-leak
+%patch68 -p1 -b .salt-remove-rounds

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -373,6 +375,12 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so

 %changelog
+* Tue Nov 21 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-22
+- salt: remove rounds from salt string. Resolves: RHEL-16668
+
+* Thu Nov  2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-21
+- login.defs: include SHA_CRYPT_MAX_ROUNDS. Resolves: RHEL-15024
+
 * Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-19
 - gpasswd: fix password leak. Resolves: #2215947