diff options
Diffstat (limited to 'net-nds/389-ds-base')
-rw-r--r-- | net-nds/389-ds-base/389-ds-base-1.4.4.17.ebuild (renamed from net-nds/389-ds-base/389-ds-base-1.4.4.16-r1.ebuild) | 149 | ||||
-rw-r--r-- | net-nds/389-ds-base/Manifest | 5 | ||||
-rw-r--r-- | net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch | 118 |
3 files changed, 76 insertions, 196 deletions
diff --git a/net-nds/389-ds-base/389-ds-base-1.4.4.16-r1.ebuild b/net-nds/389-ds-base/389-ds-base-1.4.4.17.ebuild index e3ef7ffdf4bf..e64239ebf7b6 100644 --- a/net-nds/389-ds-base/389-ds-base-1.4.4.16-r1.ebuild +++ b/net-nds/389-ds-base/389-ds-base-1.4.4.17.ebuild @@ -4,82 +4,82 @@ EAPI=7 CRATES=" -ahash-0.7.2 -ansi_term-0.11.0 -atty-0.2.14 -autocfg-1.0.1 -base64-0.13.0 -bitflags-1.2.1 -byteorder-1.4.3 -cbindgen-0.9.1 -cc-1.0.67 -cfg-if-1.0.0 -clap-2.33.3 -concread-0.2.9 -crossbeam-0.8.0 -crossbeam-channel-0.5.1 -crossbeam-deque-0.8.0 -crossbeam-epoch-0.9.3 -crossbeam-queue-0.3.1 -crossbeam-utils-0.8.3 -fernet-0.1.4 -foreign-types-0.3.2 -foreign-types-shared-0.1.1 -getrandom-0.2.2 -hermit-abi-0.1.18 -instant-0.1.9 -itoa-0.4.7 -jobserver-0.1.21 -lazy_static-1.4.0 -libc-0.2.93 -lock_api-0.4.3 -log-0.4.14 -memoffset-0.6.3 -once_cell-1.7.2 -openssl-0.10.33 -openssl-sys-0.9.61 -parking_lot-0.11.1 -parking_lot_core-0.8.3 -paste-0.1.18 -paste-impl-0.1.18 -pkg-config-0.3.19 -ppv-lite86-0.2.10 -proc-macro-hack-0.5.19 -proc-macro2-1.0.26 -quote-1.0.9 -rand-0.8.3 -rand_chacha-0.3.0 -rand_core-0.6.2 -rand_hc-0.3.0 -redox_syscall-0.2.6 -remove_dir_all-0.5.3 -ryu-1.0.5 -scopeguard-1.1.0 -serde-1.0.125 -serde_derive-1.0.125 -serde_json-1.0.64 -smallvec-1.6.1 -strsim-0.8.0 -syn-1.0.69 -synstructure-0.12.4 -tempfile-3.2.0 -textwrap-0.11.0 -toml-0.5.8 -unicode-width-0.1.8 -unicode-xid-0.2.1 -uuid-0.8.2 -vcpkg-0.2.11 -vec_map-0.8.2 -version_check-0.9.3 -wasi-0.10.2+wasi-snapshot-preview1 -winapi-0.3.9 -winapi-i686-pc-windows-gnu-0.4.0 -winapi-x86_64-pc-windows-gnu-0.4.0 -zeroize-1.2.0 -zeroize_derive-1.0.1 + ahash-0.7.2 + ansi_term-0.11.0 + atty-0.2.14 + autocfg-1.0.1 + base64-0.13.0 + bitflags-1.2.1 + byteorder-1.4.3 + cbindgen-0.9.1 + cc-1.0.67 + cfg-if-1.0.0 + clap-2.33.3 + concread-0.2.9 + crossbeam-0.8.0 + crossbeam-channel-0.5.1 + crossbeam-deque-0.8.0 + crossbeam-epoch-0.9.3 + crossbeam-queue-0.3.1 + crossbeam-utils-0.8.3 + fernet-0.1.4 + foreign-types-0.3.2 + foreign-types-shared-0.1.1 + getrandom-0.2.2 + hermit-abi-0.1.18 + instant-0.1.9 + itoa-0.4.7 + jobserver-0.1.21 + lazy_static-1.4.0 + libc-0.2.93 + lock_api-0.4.3 + log-0.4.14 + memoffset-0.6.3 + once_cell-1.7.2 + openssl-0.10.33 + openssl-sys-0.9.61 + parking_lot-0.11.1 + parking_lot_core-0.8.3 + paste-0.1.18 + paste-impl-0.1.18 + pkg-config-0.3.19 + ppv-lite86-0.2.10 + proc-macro-hack-0.5.19 + proc-macro2-1.0.26 + quote-1.0.9 + rand-0.8.3 + rand_chacha-0.3.0 + rand_core-0.6.2 + rand_hc-0.3.0 + redox_syscall-0.2.6 + remove_dir_all-0.5.3 + ryu-1.0.5 + scopeguard-1.1.0 + serde-1.0.125 + serde_derive-1.0.125 + serde_json-1.0.64 + smallvec-1.6.1 + strsim-0.8.0 + syn-1.0.69 + synstructure-0.12.4 + tempfile-3.2.0 + textwrap-0.11.0 + toml-0.5.8 + unicode-width-0.1.8 + unicode-xid-0.2.1 + uuid-0.8.2 + vcpkg-0.2.11 + vec_map-0.8.2 + version_check-0.9.3 + wasi-0.10.2+wasi-snapshot-preview1 + winapi-0.3.9 + winapi-i686-pc-windows-gnu-0.4.0 + winapi-x86_64-pc-windows-gnu-0.4.0 + zeroize-1.2.0 + zeroize_derive-1.0.1 " -PYTHON_COMPAT=( python3_{8,9} ) +PYTHON_COMPAT=( python3_{8,9,10} ) DISTUTILS_SINGLE_IMPL=1 DISTUTILS_USE_SETUPTOOLS=rdepend @@ -173,7 +173,6 @@ RDEPEND="${DEPEND} S="${WORKDIR}/${PN}-${P}" PATCHES=( - "${FILESDIR}/${P}-crypt-import.patch" "${FILESDIR}/${PN}-db-gentoo.patch" ) diff --git a/net-nds/389-ds-base/Manifest b/net-nds/389-ds-base/Manifest index adadfd47f7c9..defa53edc7c7 100644 --- a/net-nds/389-ds-base/Manifest +++ b/net-nds/389-ds-base/Manifest @@ -1,9 +1,8 @@ -AUX 389-ds-base-1.4.4.16-crypt-import.patch 4527 BLAKE2B b5063cd2a3492ff1f50e64ca1f71305b11536d7fe70346879995a37f68927d9d02e65405dccb8765643fa56e66a55f9113afd991048462f6e4dc2a3eab8bf3d5 SHA512 93c4deaae0427f0641857e9a90bde96d249951eec9f6c683f3ec4abd6dccf572c65ee7932c862afb8aa7ad31d6f7c1fba4070e74fe37d598ce298e4af82bc481 AUX 389-ds-base-db-gentoo.patch 838 BLAKE2B 88ba5e7b2868b9e790fd2b326e4ceddbbb5d82f8f598ab8a41c4f1acb79d3796a9e17f20fc9fd282a801e761612bf568947657f46001fd7d3fa76daadac44cfb SHA512 e37a1ca80cbd733e01bd077cb05cc656b725a3f596221946198a34b9e62f231642d5e10b09e40dd02564cab9e01593225b622c70d49b456054f9fcfd762f597d AUX 389-ds-base.conf 118 BLAKE2B 48d1ef0410b57658508544aa8826ff8e12a17aaf5de1c1ea3346414d6f16ea3b44d14e300b23b82441ae6272df36089892aabfd027c73a3ce70e6a3c9ec9d358 SHA512 69ed8b8f3bdbf9098088b0c92c41a238f16d14ba9f86ebc2b5debe5f001b4d8e235f7cff4731d72b30b5ac70486b0f4300b99646aa3926a3fa59515a64f16402 AUX 389-ds-snmp.initd 951 BLAKE2B 5598a35b1368cce330d314e335d8fe624ed318c3363f32e9128968cc23de9f87a253b4790673c7557325a395961490ee4918d9a9d9bce4efd23d616418735aaf SHA512 ce58938ac13efb74e3a70def3a44c267095aae4c2e47e65ff176e9cc7e65f4210af230dc52738b5dcd3d831c9ba97cb030f8e5c5f0eaccb6bc6a1a379383f3a4 AUX 389-ds.initd-r1 2339 BLAKE2B 81094cc67b907d5b864c816b14b550ce90cecb526804ecee136074d338fad14eb44d715ca502fe1e631d982a534405c76616863e1c0d21afc6d9b3ae41cd8f34 SHA512 79d51de1ae25883b6f3a6fdd808bd06bedc5bf7c0d2ce0d090184a1d69fd2f6a031a6230158639fa592a5b4712a6fd063f43154d7e9525e4eccf274e5cc67f22 -DIST 389-ds-base-1.4.4.16.tar.gz 5456272 BLAKE2B bb157de3ebfdf214a56a56cd991255080890b28ca5fbd4ce5437e1ab4ca03181b7c2a58630ee26112771aaf9037cff8102926f48da136d6af43024c70ca1eeb8 SHA512 2c8d446dd26f67345351a6ea5f6095d89ed5eb26df09e09b19d625fb01418c5354b93ac0272e68b2d444a70b63180ce53042e0e43b6ea826948f6c93f4c22fc0 +DIST 389-ds-base-1.4.4.17.tar.gz 5356426 BLAKE2B 4972d7a7a7d12fb13f76db5cb2c8b896d5bb02c9f1e4bfbfae709f5fc01b9f662b5557710ca52d9f0a6ac3dc9e36bfab594e597db90ab146a5a5f252e11b4175 SHA512 83cc20915d59d4a45febad1462103c51108deee271cae7f98ff28e0a939451060edca28046719a417b3d3b956a74687a288880d64a6ab201e682ad577bf70583 DIST ahash-0.7.2.crate 37192 BLAKE2B a2ea98d408f6ac72b96a7e14b22999d52a6839d724f3e8fc82f67ea985a110d8dc17847087e6aaeca477ef93afadda3488ee77cc5425cab5f77c00cd67ff4463 SHA512 77886a994102c1edf93b133e27658e3c84152c83597191d58c571dc7dfc765d41c2879ea55d64e04e3af804a4f10aeb1c10e33a924fd967b288e6d0b12728b34 DIST ansi_term-0.11.0.crate 17087 BLAKE2B 9bd35c045a01ce4c6c4a5db1b4f15e9412bb97426eec19d4421dffbec633de8d13452c13c1dc1b30998690b78d7ed38311aca700087f13a81f66bd1d5d7300c4 SHA512 a637466a380748f939b3af090b8c0333f35581925bc03f4dda9b3f95d338836403cf5487ae3af9ff68f8245a837f8ab061aabe57a126a6a2c20f2e972c77d1fa DIST atty-0.2.14.crate 5470 BLAKE2B 2db856a9e898a430258f059aeaf7c844a153293e8856d90ac81f7d91a888c89198768ad5cb09303c23241fe85c560a55148fa56a303651a82b0edb895616bfab SHA512 d7b6c4b9a0f898d91ddbc41a5ee45bbf45d1d269508c8cc87ee3e3990500e41e0ec387afb1f3bc7db55bedac396dd86c6509f4bf9e5148d809c3802edcc5e1d9 @@ -77,5 +76,5 @@ DIST winapi-i686-pc-windows-gnu-0.4.0.crate 2918815 BLAKE2B 4d357e4d30f955297217 DIST winapi-x86_64-pc-windows-gnu-0.4.0.crate 2947998 BLAKE2B 2ad1ea8b5fa07d544e910ccba043ae925269b76b26c9da356305b34b86741dd8b9aff0b9ffe3d562db4fcd7d7c46a11ce9e3168b782b1d89ae6881742b7ede82 SHA512 4a654af6a5d649dc87e00497245096b35a2894ae66f155cb62389902c3b93ddcc5cf7d0d8b9dd97b291d2d80bc686af2298e80abef6ac69883f4a54e79712513 DIST zeroize-1.2.0.crate 15450 BLAKE2B 1f3c2688cf84d8bc22f777cc06673c29c9306b2c246bec67404729dac01570dd550c4ebe1f9cbd04c3d6a2711bf7106c45a34d01bb0ab7b73d3a15a65bf66eb7 SHA512 9bc0242824908909669e473029990a582efb884ce8f37d153d3a92083f64afe7b3bb26821dff8f39af74ea7935024d9414d458cf61c2e6291ca3611e896ae390 DIST zeroize_derive-1.0.1.crate 8047 BLAKE2B c43d99d7f80d104ec43708742d2c13080a3b96d0b8ffac099f86c82bce33d263313a42ebec42ed5dbeaeac397d1717e6cf089980dd7934b1efc7228b737a5f21 SHA512 cbb7fe8d9ecb38c0f6fd11e491afa289cc9d8719f2460f4569816d7d55ec17fc88aa9a167aafb83809e2122481e016039b055e3bc4edfdeaf009fc0d65212dc7 -EBUILD 389-ds-base-1.4.4.16-r1.ebuild 6583 BLAKE2B 4f73a5ed48192f5b0449b71eea70b4b9c65e828a04a731066369aee0a802db5b26d94fa2b54a7818342ce671c0dad725e0d22e13fcaabf266920486085e40860 SHA512 b6628b6e28f6b6998d59336e2b1e845ee2cf8d3fdef60b877aef12ee8fbd60bdb949a5f72603dd10c17e49faf51f99ef440b7164e9e8b2f5daec286749ab1887 +EBUILD 389-ds-base-1.4.4.17.ebuild 6620 BLAKE2B d9527bed34a2fb3b5d2b50341bff0976b007a5de463958e21e573e2f9d125578adbc27e2de0ae4e698d2a904a8cc62d0782558dc3c5804c2c1155b469698247c SHA512 a1a81e585fb4b7a46f7ff24fd20612dc4fc510870ae2e3d7f30c63bd274d14fb5b77a0fcd25118f55dbd161d831ce08d2841d21b3a6d07c194005a76607f2040 MISC metadata.xml 1460 BLAKE2B c3c5e271a36f665015758b047f9e533dc0c593c2b8a241ed560afb3d54e2798ad08c98586dadafdcc5dc44b249db95f510022ace1a71167004d8dd721f2ec513 SHA512 6397b47a23a4bdb197b9298b08e7f9c3cf86c2ec4102170e49619b4e636d55837b4e28782cfda0790d9d2824903fd6169fe125052bf4efde2df1f3968c06476e diff --git a/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch b/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch deleted file mode 100644 index cf8c7d9b4524..000000000000 --- a/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch +++ /dev/null @@ -1,118 +0,0 @@ -From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001 -From: Firstyear <william@blackhats.net.au> -Date: Fri, 9 Jul 2021 11:53:35 +1000 -Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow - all passwords (#4819) - -Bug Description: Due to mishanding of short dbpwd hashes, the -crypt_r algorithm was misused and was only comparing salts -in some cases, rather than checking the actual content -of the password. - -Fix Description: Stricter checks on dbpwd lengths to ensure -that content passed to crypt_r has at least 2 salt bytes and -1 hash byte, as well as stricter checks on ct_memcmp to ensure -that compared values are the same length, rather than potentially -allowing overruns/short comparisons. - -fixes: https://github.com/389ds/389-ds-base/issues/4817 - -Author: William Brown <william@blackhats.net.au> - -Review by: @mreynolds389 ---- - .../password/pwd_crypt_asterisk_test.py | 50 +++++++++++++++++++ - ldap/servers/plugins/pwdstorage/crypt_pwd.c | 20 +++++--- - 2 files changed, 64 insertions(+), 6 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py - -diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py -new file mode 100644 -index 000000000..d76614db1 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py -@@ -0,0 +1,50 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2021 William Brown <william@blackhats.net.au> -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# --- END COPYRIGHT BLOCK --- -+# -+import ldap -+import pytest -+from lib389.topologies import topology_st -+from lib389.idm.user import UserAccounts -+from lib389._constants import (DEFAULT_SUFFIX, PASSWORD) -+ -+pytestmark = pytest.mark.tier1 -+ -+def test_password_crypt_asterisk_is_rejected(topology_st): -+ """It was reported that {CRYPT}* was allowing all passwords to be -+ valid in the bind process. This checks that we should be rejecting -+ these as they should represent locked accounts. Similar, {CRYPT}! -+ -+ :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3 -+ :setup: Single instance -+ :steps: 1. Set a password hash in with CRYPT and the content * -+ 2. Test a bind -+ 3. Set a password hash in with CRYPT and the content ! -+ 4. Test a bind -+ :expectedresults: -+ 1. Successfully set the values -+ 2. The bind fails -+ 3. Successfully set the values -+ 4. The bind fails -+ """ -+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on') -+ topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off') -+ -+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) -+ user = users.create_test_user() -+ -+ user.set('userPassword', "{CRYPT}*") -+ -+ # Attempt to bind with incorrect password. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ badconn = user.bind('badpassword') -+ -+ user.set('userPassword', "{CRYPT}!") -+ # Attempt to bind with incorrect password. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ badconn = user.bind('badpassword') -+ -diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -index 9031b2199..1b37d41ed 100644 ---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ - int - crypt_pw_cmp(const char *userpwd, const char *dbpwd) - { -- int rc; -- char *cp; -+ int rc = -1; -+ char *cp = NULL; -+ size_t dbpwd_len = strlen(dbpwd); - struct crypt_data data; - data.initialized = 0; - -- /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ -- cp = crypt_r(userpwd, dbpwd, &data); -- if (cp) { -- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd)); -+ /* -+ * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will -+ * allow any password to bind as we then only compare SALTS. -+ */ -+ if (dbpwd_len >= 3) { -+ /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ -+ cp = crypt_r(userpwd, dbpwd, &data); -+ } -+ /* If these are not the same length, we can not proceed safely with memcmp. */ -+ if (cp && dbpwd_len == strlen(cp)) { -+ rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len); - } else { - rc = -1; - } |