fix-ldap-test-because-openldap-was-upgraded.patch

@@ -0,0 +1,67 @@
+From 85bcf0efc3d3e6453f6e50da877dc7eb1a4d1ae1 Mon Sep 17 00:00:00 2001
+From: panxiaohe <panxiaohe@huawei.com>
+Date: Mon, 10 Jan 2022 13:17:22 +0800
+Subject: [PATCH] fix ldap test because openldap was upgraded to 2.6.0
+
+The new version of openldap has removed deprecated -h and -p options
+to client tools. And it has deleted back-bdb, so this patch uses mdb.
+---
+ tests/default_pw_test | 6 ++++--
+ tests/ldap_test       | 3 ++-
+ tests/slapd.conf.in   | 2 +-
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tests/default_pw_test b/tests/default_pw_test
+index 733c85c..932dcb2 100755
+--- a/tests/default_pw_test
++++ b/tests/default_pw_test
+@@ -69,7 +69,8 @@ get_file_password() # file under $workdir/files, entry name
+ get_ldap_password() # entry filter
+ {
+     echo "Checking $1 ..." >&2
+-    ldapsearch -LLL -h 127.0.0.1 -p "$ldap_port" -x -b 'dc=libuser' "$1" \
++    URI="ldap://127.0.0.1:$ldap_port/"
++    ldapsearch -LLL -H "$URI" -x -b 'dc=libuser' "$1" \
+ 	userPassword | sed -n 's/userPassword:: //p'
+ }
+ 
+@@ -103,7 +104,8 @@ for modules in \
+ 	    tests/wait_for_slapd_start "$workdir"/slapd.pid "$ldap_port"
+ 	    slapd_pid=$(cat "$workdir"/slapd.pid)
+ 	    trap 'status=$?; kill $slapd_pid; rm -rf "$workdir"; exit $status' 0
+-	    ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \
++	    URI="ldap://127.0.0.1:$ldap_port/"
++	    ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \
+ 		-D cn=Manager,dc=libuser -w password
+ 	    ;;
+     esac
+diff --git a/tests/ldap_test b/tests/ldap_test
+index 54609b1..de9308c 100755
+--- a/tests/ldap_test
++++ b/tests/ldap_test
+@@ -56,7 +56,8 @@ slapd_pid=$(cat "$workdir"/slapd.pid)
+ trap 'status=$?; kill $slapd_pid
+ 	tests/wait_for_slapd_exit "$workdir"/slapd.pid "$ldap_port"
+ 	rm -rf "$workdir"; exit $status' 0
+-ldapadd -h 127.0.0.1 -p "$ldap_port" -f "$srcdir/ldap_skel.ldif" -x \
++URI="ldap://127.0.0.1:$ldap_port/"
++ldapadd -H "$URI" -f "$srcdir/ldap_skel.ldif" -x \
+     -D cn=Manager,dc=libuser -w password
+ 
+ 
+diff --git a/tests/slapd.conf.in b/tests/slapd.conf.in
+index 06ef10d..8e49a36 100644
+--- a/tests/slapd.conf.in
++++ b/tests/slapd.conf.in
+@@ -10,7 +10,7 @@ pidfile @WORKDIR@/slapd.pid
+ TLSCertificateFile @WORKDIR@/key.pem
+ TLSCertificateKeyFile @WORKDIR@/key.pem
+ 
+-database bdb
++database mdb
+ suffix "dc=libuser"
+ rootdn "cn=Manager,dc=libuser"
+ rootpw {SSHA}ABgelmLFZQ/OJzVEp3OM5MzWQ9rt3b4F
+-- 
+1.8.3.1
+

libuser-0.63-PR49_add_yescrypt.patch

@@ -0,0 +1,260 @@
+From 3b8a2aa52bcee6e03f047840251ae42ab971a8a0 Mon Sep 17 00:00:00 2001
+From: Björn Esser <besser82@fedoraproject.org>
+Date: Jun 07 2021 20:25:41 +0000
+Subject: [PATCH 1/5] lib/util.c: bcrypt should use $2b$ as prefix for setting.
+
+
+This prefix is the recommended one for new bcrypt hashes
+for a long time.
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+
+---
+
+diff --git a/lib/util.c b/lib/util.c
+index 1b03f7d..e549a35 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -124,7 +124,7 @@ static const struct {
+ } salt_type_info[] = {
+ 	{"$1$", "$", 8, FALSE },
+ 	/* FIXME: number of rounds, base64 of 128 bits */
+-	{"$2a$", "$", 8, FALSE },
++	{"$2b$", "$", 8, FALSE },
+ 	{"$5$", "$", 16, TRUE },
+ 	{"$6$", "$", 16, TRUE },
+ 	{ "", "", 2 },
+@@ -231,7 +231,7 @@ lu_util_default_salt_specifier(struct lu_context *context)
+ 	} salt_types[] = {
+ 		{ "des", "", FALSE },
+ 		{ "md5", "$1$", FALSE },
+-		{ "blowfish", "$2a$", FALSE },
++		{ "blowfish", "$2b$", FALSE },
+ 		{ "sha256", "$5$", TRUE },
+ 		{ "sha512", "$6$", TRUE },
+ 	};
+
+From 9dcc69425677cf510ec6da5ababfdd295f875c1a Mon Sep 17 00:00:00 2001
+From: Björn Esser <besser82@fedoraproject.org>
+Date: Jun 17 2021 15:34:02 +0000
+Subject: [PATCH 2/5] lib/util.c: Use crypt_gensalt(), if available in libcrypt.
+
+
+Most Linux distributions, including Fedora and RHEL 8, are shipping
+with libxcrypt >= 4.0.
+
+Since that version of libxcrypt the provided family of crypt_gensalt()
+functions are able to use automatic entropy drawn from secure system
+ressources, like arc4random(), getentropy() or getrandom().
+
+Anyways, the settings generated by crypt_gensalt() are always
+guaranteed to works with the crypt() function.
+
+Using crypt_gesalt() is also needed to make proper use of newer
+hashing methods, like yescrypt, provided by libxcrypt.
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+
+---
+
+diff --git a/lib/util.c b/lib/util.c
+index e549a35..b6db2af 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -43,6 +43,13 @@
+ #define HASH_ROUNDS_MIN 1000
+ #define HASH_ROUNDS_MAX 999999999
+ 
++#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \
++     CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY)
++#define USE_XCRYPT_GENSALT 1
++#else
++#define USE_XCRYPT_GENSALT 0
++#endif
++
+ struct lu_lock {
+ 	int fd;
+ 	struct flock lock;
+@@ -66,6 +73,7 @@ lu_strcmp(gconstpointer v1, gconstpointer v2)
+ 	return strcmp((char *) v1, (char *) v2);
+ }
+ 
++#if !USE_XCRYPT_GENSALT
+ /* A list of allowed salt characters, according to SUSv2. */
+ #define ACCEPTABLE "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
+ 		   "abcdefghijklmnopqrstuvwxyz" \
+@@ -115,6 +123,7 @@ fill_urandom(char *output, size_t length)
+ 	close(fd);
+ 	return TRUE;
+ }
++#endif
+ 
+ static const struct {
+ 	const char initial[5];
+@@ -135,6 +144,9 @@ lu_make_crypted(const char *plain, const char *previous)
+ {
+ 	char salt[2048];
+ 	size_t i, len = 0;
++#if USE_XCRYPT_GENSALT
++	unsigned long rounds = 0;
++#endif
+ 
+ 	if (previous == NULL) {
+ 		previous = LU_DEFAULT_SALT_TYPE;
+@@ -151,6 +163,23 @@ lu_make_crypted(const char *plain, const char *previous)
+ 
+ 	if (salt_type_info[i].sha_rounds != FALSE
+ 	    && strncmp(previous + len, "rounds=", strlen("rounds=")) == 0) {
++#if USE_XCRYPT_GENSALT
++		const char *start;
++		char *end;
++
++		start = previous + len + strlen("rounds=");
++		rounds = strtoul (start, &end, 10);
++
++		if (rounds < HASH_ROUNDS_MIN)
++			rounds = HASH_ROUNDS_MIN;
++		else if (rounds > HASH_ROUNDS_MAX)
++			rounds = HASH_ROUNDS_MAX;
++	}
++
++	g_assert(CRYPT_GENSALT_OUTPUT_SIZE <= sizeof(salt));
++
++	crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt));
++#else
+ 		const char *start, *end;
+ 
+ 		start = previous + len + strlen("rounds=");
+@@ -168,6 +197,7 @@ lu_make_crypted(const char *plain, const char *previous)
+ 		return NULL;
+ 	strcpy(salt + len + salt_type_info[i].salt_length,
+ 	       salt_type_info[i].separator);
++#endif
+ 
+ 	return crypt(plain, salt);
+ }
+@@ -251,13 +281,18 @@ lu_util_default_salt_specifier(struct lu_context *context)
+ 
+ found:
+ 	if (salt_types[i].sha_rounds != FALSE) {
+-		unsigned long rounds;
++		unsigned long rounds = 0;
+ 
+ 		rounds = select_hash_rounds(context);
++#if USE_XCRYPT_GENSALT
++		return g_strdup(crypt_gensalt(salt_types[i].initializer,
++					      rounds, NULL, 0));
++#else
+ 		if (rounds != 0)
+ 			return g_strdup_printf("%srounds=%lu$",
+ 					       salt_types[i].initializer,
+ 					       rounds);
++#endif
+ 	}
+ 	return g_strdup(salt_types[i].initializer);
+ }
+
+From 2d40503977df3855f1415db995833ae4231e7944 Mon Sep 17 00:00:00 2001
+From: Björn Esser <besser82@fedoraproject.org>
+Date: Jun 17 2021 15:34:02 +0000
+Subject: [PATCH 3/5] lib/util.c: Add yescrypt hashing method for user passwords.
+
+
+The yescrypt hashing method is considered to be much stronger than
+sha512crypt and fully supported by libxcrypt >= 4.3.  It is based
+on NIST-approved primitives and on par with argon2 in strength.
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+
+---
+
+diff --git a/lib/util.c b/lib/util.c
+index b6db2af..bba9420 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -50,6 +50,14 @@
+ #define USE_XCRYPT_GENSALT 0
+ #endif
+ 
++#if ((defined XCRYPT_VERSION_NUM && \
++      XCRYPT_VERSION_NUM >= ((4 << 16) | 3)) && \
++      USE_XCRYPT_GENSALT)
++#define HAVE_YESCRYPT 1
++#else
++#define HAVE_YESCRYPT 0
++#endif
++
+ struct lu_lock {
+ 	int fd;
+ 	struct flock lock;
+@@ -136,6 +144,9 @@ static const struct {
+ 	{"$2b$", "$", 8, FALSE },
+ 	{"$5$", "$", 16, TRUE },
+ 	{"$6$", "$", 16, TRUE },
++#if HAVE_YESCRYPT
++	{"$y$", "$", 24, FALSE },
++#endif
+ 	{ "", "", 2 },
+ };
+ 
+@@ -264,6 +275,9 @@ lu_util_default_salt_specifier(struct lu_context *context)
+ 		{ "blowfish", "$2b$", FALSE },
+ 		{ "sha256", "$5$", TRUE },
+ 		{ "sha512", "$6$", TRUE },
++#if HAVE_YESCRYPT
++		{ "yescrypt", "$y$", FALSE },
++#endif
+ 	};
+ 
+ 	const char *salt_type;
+
+From 71ef71fe1878a321612e1995cb5c59dcb501ff01 Mon Sep 17 00:00:00 2001
+From: Björn Esser <besser82@fedoraproject.org>
+Date: Jun 17 2021 15:34:02 +0000
+Subject: [PATCH 4/5] docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
+
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+
+---
+
+diff --git a/docs/libuser.conf.5.in b/docs/libuser.conf.5.in
+index 2af0828..bd1daa7 100644
+--- a/docs/libuser.conf.5.in
++++ b/docs/libuser.conf.5.in
+@@ -69,8 +69,8 @@ The current algorithm may be retained
+ when changing a password of an existing user, depending on the application.
+ 
+ Possible values are \fBdes\fR, \fBmd5\fR, \fBblowfish\fR,
+-.B sha256
+-and \fBsha512\fR, all case-insensitive.
++.B sha256,
++\fBsha512\fR, and \fByescrypt\fR, all case-insensitive.
+ Unrecognized values are treated as \fBdes\fR.
+ Default value is \fBdes\fR.
+ 
+
+From 284b3195393688105b112b905069e0225c3046d2 Mon Sep 17 00:00:00 2001
+From: Björn Esser <besser82@fedoraproject.org>
+Date: Jun 17 2021 15:34:02 +0000
+Subject: [PATCH 5/5] libuser.conf: Use yescrypt as default value for crypt_style.
+
+
+Signed-off-by: Björn Esser <besser82@fedoraproject.org>
+
+---
+
+diff --git a/libuser.conf b/libuser.conf
+index 8ff5b2e..cd25eb2 100644
+--- a/libuser.conf
++++ b/libuser.conf
+@@ -17,7 +17,7 @@ default_useradd = /etc/default/useradd
+ # skeleton = /etc/skel
+ # mailspooldir = /var/mail
+ 
+-crypt_style = sha512
++crypt_style = yescrypt
+ modules = files shadow
+ create_modules = files shadow
+ # modules = files shadow ldap
+

libuser-0.63-downstream_test_xcrypt.patch

@@ -0,0 +1,27 @@
+diff --git a/tests/pwhash_test b/tests/pwhash_test
+index ff89d60..525885e 100755
+--- a/tests/pwhash_test
++++ b/tests/pwhash_test
+@@ -77,6 +77,22 @@ if [ "x${pw#\$6\$}" = "x$pw" ]; then
+     exit 1
+ fi
+ 
++cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
++echo 'crypt_style = blowfish' >> "$LIBUSER_CONF"
++pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
++if [ "x${pw#\$2b\$}" = "x$pw" ]; then
++    echo "Invalid BLOWFISH hash" >&2
++    exit 1
++fi
++
++cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
++echo 'crypt_style = yescrypt' >> "$LIBUSER_CONF"
++pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
++if [ "x${pw#\$y\$}" = "x$pw" ]; then
++    echo "Invalid YESCRYPT hash" >&2
++    exit 1
++fi
++
+ cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
+ cat >> "$LIBUSER_CONF" <<\EOF
+ crypt_style = sha256

libuser.spec

@@ -1,14 +1,18 @@
 Name:    libuser
-Version: 0.64
+Version: 0.63
 Release: 2
 Summary: A user and group account administration library
 License: LGPLv2+
 URL:     https://pagure.io/libuser
-Source:  http://releases.pagure.org/libuser/libuser-%{version}.tar.gz
+Source:  http://releases.pagure.org/libuser/libuser-%{version}.tar.xz
+
+Patch0:  libuser-0.63-PR49_add_yescrypt.patch
+Patch1:  libuser-0.63-downstream_test_xcrypt.patch
+Patch2:  fix-ldap-test-because-openldap-was-upgraded.patch
 
 Patch9000:  add-sm3-crypt-support.patch
 
-BuildRequires: cyrus-sasl-devel, linuxdoc-tools, pam-devel, popt-devel, gcc
+BuildRequires: cyrus-sasl-devel, nscd, linuxdoc-tools, pam-devel, popt-devel, gcc
 BuildRequires: libselinux-devel, openldap-devel, python3-devel, glib2-devel
 BuildRequires: openldap-clients, openldap-servers, openssl
 BuildRequires: bison, make, libtool, gettext-devel, gtk-doc, audit-libs-devel
@@ -39,7 +43,6 @@ and group accounts.
 
 %package help
 Summary:        Documents files for %{name}
-Buildarch:      noarch
 Requires:       man, info
 
 %description help
@@ -52,10 +55,10 @@ Man pages and other related documents for %{name}
 ./autogen.sh
 %configure --with-ldap --with-selinux --with-html-dir=%{_prefix}/share/gtk-doc/html \
 	PYTHON=%{_bindir}/python3
-make %{?_smp_mflags}
+make
 
 %install
-make %{?_smp_mflags} install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p' || :
+make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p' || :
 
 %find_lang %{name}
 
@@ -101,24 +104,6 @@ python3 -c "import libuser"
 %{_mandir}/man5/*
 
 %changelog
-* Mon Apr 29 2024 fuanan <fuanan3@h-partners.com> - 0.64-2
-- Added 'Buildarch: noarch' to the help subpackage
-
-* Mon Jul 17 2023 fuanan <fuanan3@h-partners.com> - 0.64-1
-- update version to 0.64
-
-* Wed Oct 19 2022 fuanan <fuanan3@h-partners.com> - 0.63-5
-- DESC:optimize compilation by running make in parallel
-
-* Thu Jul 28 2022 fuanan <fuanan3@h-partners.com> - 0.63-4
-- Type:requirements
-- ID:NA
-- SUG:NA
-- DESC:Bump release and Minor revise format
-
-* Tue Feb 22 2022 jiangheng <jiangheng12@huawei.com> - 0.63-3
-- remove nscd dependency
-
 * Mon Jan 17 2022 luhuaxin <luhuaxin1@huawei.com> - 0.63-2
 - add sm3 crypt support