commit: 67ab0251459d99b0e383c958c1fbe0ec11980c0a Author: Robert Förster <Dessa <AT> gmake <DOT> de> AuthorDate: Fri Sep 24 15:49:58 2021 +0000 Commit: Florian Schmaus <flow <AT> gentoo <DOT> org> CommitDate: Fri Sep 24 16:29:42 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67ab0251
net-nds/389-ds-base: remove old Package-Manager: Portage-3.0.23, Repoman-3.0.3 Signed-off-by: Robert Förster <Dessa <AT> gmake.de> Closes: https://github.com/gentoo/gentoo/pull/22388 Signed-off-by: Florian Schmaus <flow <AT> gentoo.org> net-nds/389-ds-base/389-ds-base-1.4.4.16-r1.ebuild | 300 --------------------- net-nds/389-ds-base/Manifest | 1 - .../files/389-ds-base-1.4.4.16-crypt-import.patch | 118 -------- 3 files changed, 419 deletions(-) diff --git a/net-nds/389-ds-base/389-ds-base-1.4.4.16-r1.ebuild b/net-nds/389-ds-base/389-ds-base-1.4.4.16-r1.ebuild deleted file mode 100644 index e3ef7ffdf4b..00000000000 --- a/net-nds/389-ds-base/389-ds-base-1.4.4.16-r1.ebuild +++ /dev/null @@ -1,300 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -CRATES=" -ahash-0.7.2 -ansi_term-0.11.0 -atty-0.2.14 -autocfg-1.0.1 -base64-0.13.0 -bitflags-1.2.1 -byteorder-1.4.3 -cbindgen-0.9.1 -cc-1.0.67 -cfg-if-1.0.0 -clap-2.33.3 -concread-0.2.9 -crossbeam-0.8.0 -crossbeam-channel-0.5.1 -crossbeam-deque-0.8.0 -crossbeam-epoch-0.9.3 -crossbeam-queue-0.3.1 -crossbeam-utils-0.8.3 -fernet-0.1.4 -foreign-types-0.3.2 -foreign-types-shared-0.1.1 -getrandom-0.2.2 -hermit-abi-0.1.18 -instant-0.1.9 -itoa-0.4.7 -jobserver-0.1.21 -lazy_static-1.4.0 -libc-0.2.93 -lock_api-0.4.3 -log-0.4.14 -memoffset-0.6.3 -once_cell-1.7.2 -openssl-0.10.33 -openssl-sys-0.9.61 -parking_lot-0.11.1 -parking_lot_core-0.8.3 -paste-0.1.18 -paste-impl-0.1.18 -pkg-config-0.3.19 -ppv-lite86-0.2.10 -proc-macro-hack-0.5.19 -proc-macro2-1.0.26 -quote-1.0.9 -rand-0.8.3 -rand_chacha-0.3.0 -rand_core-0.6.2 -rand_hc-0.3.0 -redox_syscall-0.2.6 -remove_dir_all-0.5.3 -ryu-1.0.5 -scopeguard-1.1.0 -serde-1.0.125 -serde_derive-1.0.125 -serde_json-1.0.64 -smallvec-1.6.1 -strsim-0.8.0 -syn-1.0.69 -synstructure-0.12.4 -tempfile-3.2.0 -textwrap-0.11.0 -toml-0.5.8 -unicode-width-0.1.8 -unicode-xid-0.2.1 -uuid-0.8.2 -vcpkg-0.2.11 -vec_map-0.8.2 -version_check-0.9.3 -wasi-0.10.2+wasi-snapshot-preview1 -winapi-0.3.9 -winapi-i686-pc-windows-gnu-0.4.0 -winapi-x86_64-pc-windows-gnu-0.4.0 -zeroize-1.2.0 -zeroize_derive-1.0.1 -" - -PYTHON_COMPAT=( python3_{8,9} ) - -DISTUTILS_SINGLE_IMPL=1 -DISTUTILS_USE_SETUPTOOLS=rdepend - -inherit multilib flag-o-matic autotools distutils-r1 systemd tmpfiles db-use cargo - -DESCRIPTION="389 Directory Server (core libraries and daemons)" -HOMEPAGE="https://directory.fedoraproject.org/"; -SRC_URI="https://github.com/389ds/${PN}/archive/refs/tags/${P}.tar.gz - $(cargo_crate_uris ${CRATES})" -LICENSE="GPL-3+ Apache-2.0 BSD MIT MPL-2.0" -SLOT="$(ver_cut 1-2)/0" -KEYWORDS="~amd64" -IUSE_PLUGINS="+accountpolicy +bitwise +dna +pam-passthru" -IUSE="${IUSE_PLUGINS} +autobind auto-dn-suffix debug doc +ldapi selinux systemd" - -REQUIRED_USE="${PYTHON_REQUIRED_USE}" - -# lib389 tests (which is most of the suite) can't find their own modules. -RESTRICT="test" - -# always list newer first -# Do not add any AGPL-3 BDB here! -# See bug 525110, comment 15. -BERKDB_SLOTS=( 5.3 4.8 ) - -DEPEND=" - >=app-crypt/mit-krb5-1.7-r100[openldap] - >=dev-libs/cyrus-sasl-2.1.19[kerberos] - >=dev-libs/icu-60.2:= - dev-libs/nspr - >=dev-libs/nss-3.22[utils] - dev-libs/libevent:= - dev-libs/libpcre:3 - dev-libs/openssl:0= - >=net-analyzer/net-snmp-5.1.2:= - net-nds/openldap[sasl] - || ( - $(for slot in ${BERKDB_SLOTS[@]} ; do printf '%s\n' "sys-libs/db:${slot}" ; done) - ) - sys-libs/cracklib - sys-fs/e2fsprogs - sys-libs/zlib - pam-passthru? ( sys-libs/pam ) - selinux? ( - $(python_gen_cond_dep ' - sys-libs/libselinux[python,${PYTHON_USEDEP}] - ') - ) - systemd? ( >=sys-apps/systemd-244 ) - virtual/libcrypt:= - " - -BDEPEND=">=sys-devel/autoconf-2.69-r5 - virtual/pkgconfig - ${PYTHON_DEPS} - $(python_gen_cond_dep ' - dev-python/argparse-manpage[${PYTHON_USEDEP}] - ') - doc? ( app-doc/doxygen ) - test? ( dev-util/cmocka ) -" - -# perl dependencies are for logconv.pl -RDEPEND="${DEPEND} - !dev-libs/svrcore - !net-nds/389-ds-base:0 - acct-user/dirsrv - acct-group/dirsrv - ${PYTHON_DEPS} - $(python_gen_cond_dep ' - dev-python/pyasn1[${PYTHON_USEDEP}] - dev-python/pyasn1-modules[${PYTHON_USEDEP}] - dev-python/argcomplete[${PYTHON_USEDEP}] - dev-python/python-dateutil[${PYTHON_USEDEP}] - dev-python/python-ldap[sasl,${PYTHON_USEDEP}] - dev-python/distro[${PYTHON_USEDEP}] - ') - virtual/perl-Archive-Tar - virtual/perl-DB_File - virtual/perl-IO - virtual/perl-Getopt-Long - virtual/perl-IO-Compress - virtual/perl-MIME-Base64 - virtual/perl-Scalar-List-Utils - virtual/perl-Time-Local - virtual/logger - selinux? ( sec-policy/selinux-dirsrv ) -" - -S="${WORKDIR}/${PN}-${P}" - -PATCHES=( - "${FILESDIR}/${P}-crypt-import.patch" - "${FILESDIR}/${PN}-db-gentoo.patch" -) - -distutils_enable_tests pytest - -src_prepare() { - # this is for upstream GitHub issue 4292 - if use !systemd; then - sed -i \ - -e 's|WITH_SYSTEMD = 1|WITH_SYSTEMD = 0|' \ - Makefile.am || die - fi - - # GH issue 4092 - sed -i \ - -e 's|@localstatedir@/run|/run|' \ - ldap/admin/src/defaults.inf.in || die - - default - - eautoreconf -} - -src_configure() { - local myeconfargs=( - $(use_enable accountpolicy acctpolicy) - $(use_enable bitwise) - $(use_enable dna) - $(use_enable pam-passthru) - $(use_enable autobind) - $(use_enable auto-dn-suffix) - $(use_enable debug) - $(use_enable ldapi) - $(use_with selinux) - $(use_with systemd) - $(use_with systemd systemdgroupname "dirsrv.target") - $(use_with systemd tmpfiles-d "/usr/lib/tmpfiles.d") - --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" - $(use_with !systemd initddir "/etc/init.d") - $(use_enable test cmocka) - --enable-rust - --enable-rust-offline - --with-pythonexec="${PYTHON}" - --with-fhs - --with-openldap - --with-db-inc="$(db_includedir)" - --disable-cockpit - ) - - econf "${myeconfargs[@]}" - - rm "${S}"/.cargo/config || die -} - -src_compile() { - export CARGO_HOME="${ECARGO_HOME}" - - default - - if use doc; then - doxygen "${S}"/docs/slapi.doxy || die - fi - - cd "${S}"/src/lib389 || die - distutils-r1_src_compile - - # argparse-manpage dynamic man pages have hardcoded man v1 in header - sed -i \ - "1s/\"1\"/\"8\"/" \ - "${S}"/src/lib389/man/{openldap_to_ds,ds{conf,ctl,idm,create}}.8 || die -} - -src_test () { - emake check - cd "${S}"/src/lib389 || die - distutils-r1_src_test -} - -src_install() { - # -j1 is a temporary workaround for bug #605432 - emake -j1 DESTDIR="${D}" install - - # Install gentoo style init script - # Get these merged upstream - newinitd "${FILESDIR}"/389-ds.initd-r1 389-ds - newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp - - dotmpfiles "${FILESDIR}"/389-ds-base.conf - - # cope with libraries being in /usr/lib/dirsrv - dodir /etc/env.d - echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${ED}"/etc/env.d/08dirsrv || die - - if use doc; then - cd "${S}" || die - docinto html/ - dodoc -r html/. - fi - - cd "${S}"/src/lib389 || die - distutils-r1_src_install - python_fix_shebang "${ED}" - - find "${ED}" -type f \( -name "*.a" -o -name "*.la" \) -delete || die -} - -pkg_postinst() { - tmpfiles_process 389-ds-base.conf - - echo - elog "If you are planning to use 389-ds-snmp (ldap-agent)," - elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf" - elog "adding proper 'server' entries, and adding the lines below to" - elog " => /etc/snmp/snmpd.conf" - elog - elog "master agentx" - elog "agentXSocket /var/agentx/master" - elog - elog "To start 389 Directory Server (LDAP service) at boot:" - elog - elog " rc-update add 389-ds default" - elog - echo -} diff --git a/net-nds/389-ds-base/Manifest b/net-nds/389-ds-base/Manifest index 6a79ee183ac..2074aba01af 100644 --- a/net-nds/389-ds-base/Manifest +++ b/net-nds/389-ds-base/Manifest @@ -1,4 +1,3 @@ -DIST 389-ds-base-1.4.4.16.tar.gz 5456272 BLAKE2B bb157de3ebfdf214a56a56cd991255080890b28ca5fbd4ce5437e1ab4ca03181b7c2a58630ee26112771aaf9037cff8102926f48da136d6af43024c70ca1eeb8 SHA512 2c8d446dd26f67345351a6ea5f6095d89ed5eb26df09e09b19d625fb01418c5354b93ac0272e68b2d444a70b63180ce53042e0e43b6ea826948f6c93f4c22fc0 DIST 389-ds-base-1.4.4.17.tar.gz 5356426 BLAKE2B 4972d7a7a7d12fb13f76db5cb2c8b896d5bb02c9f1e4bfbfae709f5fc01b9f662b5557710ca52d9f0a6ac3dc9e36bfab594e597db90ab146a5a5f252e11b4175 SHA512 83cc20915d59d4a45febad1462103c51108deee271cae7f98ff28e0a939451060edca28046719a417b3d3b956a74687a288880d64a6ab201e682ad577bf70583 DIST ahash-0.7.2.crate 37192 BLAKE2B a2ea98d408f6ac72b96a7e14b22999d52a6839d724f3e8fc82f67ea985a110d8dc17847087e6aaeca477ef93afadda3488ee77cc5425cab5f77c00cd67ff4463 SHA512 77886a994102c1edf93b133e27658e3c84152c83597191d58c571dc7dfc765d41c2879ea55d64e04e3af804a4f10aeb1c10e33a924fd967b288e6d0b12728b34 DIST ansi_term-0.11.0.crate 17087 BLAKE2B 9bd35c045a01ce4c6c4a5db1b4f15e9412bb97426eec19d4421dffbec633de8d13452c13c1dc1b30998690b78d7ed38311aca700087f13a81f66bd1d5d7300c4 SHA512 a637466a380748f939b3af090b8c0333f35581925bc03f4dda9b3f95d338836403cf5487ae3af9ff68f8245a837f8ab061aabe57a126a6a2c20f2e972c77d1fa diff --git a/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch b/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch deleted file mode 100644 index cf8c7d9b452..00000000000 --- a/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch +++ /dev/null @@ -1,118 +0,0 @@ -From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001 -From: Firstyear <[email protected]> -Date: Fri, 9 Jul 2021 11:53:35 +1000 -Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow - all passwords (#4819) - -Bug Description: Due to mishanding of short dbpwd hashes, the -crypt_r algorithm was misused and was only comparing salts -in some cases, rather than checking the actual content -of the password. - -Fix Description: Stricter checks on dbpwd lengths to ensure -that content passed to crypt_r has at least 2 salt bytes and -1 hash byte, as well as stricter checks on ct_memcmp to ensure -that compared values are the same length, rather than potentially -allowing overruns/short comparisons. - -fixes: https://github.com/389ds/389-ds-base/issues/4817 - -Author: William Brown <[email protected]> - -Review by: @mreynolds389 ---- - .../password/pwd_crypt_asterisk_test.py | 50 +++++++++++++++++++ - ldap/servers/plugins/pwdstorage/crypt_pwd.c | 20 +++++--- - 2 files changed, 64 insertions(+), 6 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py - -diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py -new file mode 100644 -index 000000000..d76614db1 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py -@@ -0,0 +1,50 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2021 William Brown <[email protected]> -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# --- END COPYRIGHT BLOCK --- -+# -+import ldap -+import pytest -+from lib389.topologies import topology_st -+from lib389.idm.user import UserAccounts -+from lib389._constants import (DEFAULT_SUFFIX, PASSWORD) -+ -+pytestmark = pytest.mark.tier1 -+ -+def test_password_crypt_asterisk_is_rejected(topology_st): -+ """It was reported that {CRYPT}* was allowing all passwords to be -+ valid in the bind process. This checks that we should be rejecting -+ these as they should represent locked accounts. Similar, {CRYPT}! -+ -+ :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3 -+ :setup: Single instance -+ :steps: 1. Set a password hash in with CRYPT and the content * -+ 2. Test a bind -+ 3. Set a password hash in with CRYPT and the content ! -+ 4. Test a bind -+ :expectedresults: -+ 1. Successfully set the values -+ 2. The bind fails -+ 3. Successfully set the values -+ 4. The bind fails -+ """ -+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on') -+ topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off') -+ -+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) -+ user = users.create_test_user() -+ -+ user.set('userPassword', "{CRYPT}*") -+ -+ # Attempt to bind with incorrect password. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ badconn = user.bind('badpassword') -+ -+ user.set('userPassword', "{CRYPT}!") -+ # Attempt to bind with incorrect password. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ badconn = user.bind('badpassword') -+ -diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -index 9031b2199..1b37d41ed 100644 ---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ - int - crypt_pw_cmp(const char *userpwd, const char *dbpwd) - { -- int rc; -- char *cp; -+ int rc = -1; -+ char *cp = NULL; -+ size_t dbpwd_len = strlen(dbpwd); - struct crypt_data data; - data.initialized = 0; - -- /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ -- cp = crypt_r(userpwd, dbpwd, &data); -- if (cp) { -- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd)); -+ /* -+ * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will -+ * allow any password to bind as we then only compare SALTS. -+ */ -+ if (dbpwd_len >= 3) { -+ /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ -+ cp = crypt_r(userpwd, dbpwd, &data); -+ } -+ /* If these are not the same length, we can not proceed safely with memcmp. */ -+ if (cp && dbpwd_len == strlen(cp)) { -+ rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len); - } else { - rc = -1; - }
