From 1c9d25d6410d1f999480468bd3c93427124f3a50 Mon Sep 17 00:00:00 2001 From: Paweł Hajdan Date: Sun, 17 Jan 2010 14:55:16 +0000 Subject: Drop dependency on libxcrypt, provide better upgrade path by supporting hash functions present in unpatched glibc. (Portage version: 2.1.6.13/cvs/Linux i686) --- sys-auth/tcb/ChangeLog | 9 ++- sys-auth/tcb/files/tcb-gentoo.patch | 126 ++++++++++++++++++++++++++++++++++++ sys-auth/tcb/tcb-1.0.3-r2.ebuild | 52 +++++++++++++++ 3 files changed, 186 insertions(+), 1 deletion(-) create mode 100644 sys-auth/tcb/files/tcb-gentoo.patch create mode 100644 sys-auth/tcb/tcb-1.0.3-r2.ebuild (limited to 'sys-auth') diff --git a/sys-auth/tcb/ChangeLog b/sys-auth/tcb/ChangeLog index 87b1e77407b5..9351794bef96 100644 --- a/sys-auth/tcb/ChangeLog +++ b/sys-auth/tcb/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-auth/tcb # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/tcb/ChangeLog,v 1.4 2010/01/12 17:59:48 phajdan.jr Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/tcb/ChangeLog,v 1.5 2010/01/17 14:55:16 phajdan.jr Exp $ + +*tcb-1.0.3-r2 (17 Jan 2010) + + 17 Jan 2010; Pawel Hajdan jr +tcb-1.0.3-r2.ebuild, + +files/tcb-gentoo.patch: + Drop dependency on libxcrypt, provide better upgrade path by supporting + hash functions present in unpatched glibc. *tcb-1.0.3-r1 (12 Jan 2010) diff --git a/sys-auth/tcb/files/tcb-gentoo.patch b/sys-auth/tcb/files/tcb-gentoo.patch new file mode 100644 index 000000000000..ee681854f784 --- /dev/null +++ b/sys-auth/tcb/files/tcb-gentoo.patch 
@@ -0,0 +1,126 @@
+--- pam_tcb/support.c.orig 2010-01-17 12:22:29.000000000 +0100
++++ pam_tcb/support.c 2010-01-17 15:47:38.000000000 +0100
+@@ -466,6 +466,39 @@
+ return retval;
+ }
+
++static char i64c(int i)
++{
++ if (i < 0)
++ return '.';
++ if (i > 63)
++ return 'z';
++
++ if (i == 0)
++ return '.';
++ if (i == 1)
++ return '/';
++ if (i >= 2 && i <= 11)
++ return ('0' - 2 + i);
++ if (i >= 12 && i <= 37)
++ return ('A' - 12 + i);
++ if (i >= 38 && i <= 63)
++ return ('a' - 38 + i);
++
++ return '\0';
++}
++
++static char *make_salt(const char *prefix, const char *entropy,
++ int entropy_size)
++{
++ char salt[64];
++ char *sp = stpcpy(salt, prefix);
++ int i;
++ for (i = 0; i < entropy_size / 2; i++)
++ *sp++ = i64c(entropy[i] & 077);
++ *sp = '\0';
++ return strdup(salt);
++}
++
+ static int check_crypt(pam_handle_t *pamh, const char *pass,
+ const char *stored_hash)
+ {
+@@ -481,11 +514,11 @@
+
+ /* This exists because of timing attacks. */
+ memset(input, 0x55, sizeof(input));
+- fake_salt = crypt_gensalt_ra(pam_unix_param.crypt_prefix,
+- pam_unix_param.count, input, sizeof(input));
++ fake_salt = make_salt(pam_unix_param.crypt_prefix,
++ input, sizeof(input));
+
+ if (!fake_salt) {
+- pam_syslog(pamh, LOG_CRIT, "crypt_gensalt_ra: %m");
++ pam_syslog(pamh, LOG_CRIT, "make_salt: %m");
+ return PAM_BUF_ERR;
+ }
+
+@@ -816,22 +849,21 @@
+ return PAM_SUCCESS;
+ }
+
+-static char *crypt_wrapper_ra(pam_handle_t *pamh, const char *key,
++static char *crypt_wrapper_r(pam_handle_t *pamh, const char *key,
+ const char *salt)
+ {
+- char *retval;
+- void *data = NULL;
+- int size = 0;
++ char *retval = NULL;
++ struct crypt_data *cdata = malloc(sizeof(*cdata));
+
+- retval = crypt_ra(key, salt, &data, &size);
+- if (retval)
+- retval = strdup(retval); /* we return NULL if strdup fails */
+- else
+- pam_syslog(pamh, LOG_CRIT, "crypt_ra: %m");
+- if (data) {
+- memset(data, 0, size);
+- free(data);
++ if (cdata != NULL) {
++ cdata->initialized = 0;
++ retval = strdup(crypt_r(key, salt, cdata));
++ if (!retval)
++ pam_syslog(pamh, LOG_CRIT, "crypt_r: %m");
++ memset(cdata, '\0', sizeof(*cdata));
++ free(cdata);
+ }
++
+ return retval;
+ }
+
+@@ -841,7 +873,7 @@
+ char *retval;
+
+ if (off(UNIX_PLAIN_CRYPT))
+- return crypt_wrapper_ra(pamh, key, salt);
++ return crypt_wrapper_r(pamh, key, salt);
+
+ errno = 0;
+ retval = crypt(key, salt);
+@@ -873,13 +905,13 @@
+ }
+ close(fd);
+
+- salt = crypt_gensalt_ra(pam_unix_param.crypt_prefix,
+- pam_unix_param.count, entropy, sizeof(entropy));
++ salt = make_salt(pam_unix_param.crypt_prefix,
++ entropy, sizeof(entropy));
+
+ memset(entropy, 0, sizeof(entropy));
+
+ if (!salt) {
+- pam_syslog(pamh, LOG_CRIT, "crypt_gensalt_ra: %m");
++ pam_syslog(pamh, LOG_CRIT, "make_salt: %m");
+ return NULL;
+ }
+
+@@ -1019,7 +1051,7 @@
+ if (!parse_opt(pamh, *argv, the_cmdline_opts))
+ return 0;
+ param = get_optval("prefix=", the_cmdline_opts);
+- pam_unix_param.crypt_prefix = param ?: "$2a$";
++ pam_unix_param.crypt_prefix = param ?: "$6$";
+
+ param = get_optval("helper=", the_cmdline_opts);
+ pam_unix_param.helper = param ?: CHKPWD_HELPER;
diff --git a/sys-auth/tcb/tcb-1.0.3-r2.ebuild b/sys-auth/tcb/tcb-1.0.3-r2.ebuild
new file mode 100644
index 000000000000..fab566c5e830
--- /dev/null
+++ b/sys-auth/tcb/tcb-1.0.3-r2.ebuild
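Review bot: In the new `crypt_wrapper_r`, the return value of `crypt_r()` goes straight into `strdup()`, so a NULL result from `crypt_r()` (its documented error return, for example for a salt it rejects) is undefined behaviour inside the PAM module, where the removed `crypt_ra` path checked the pointer and logged instead. The hash pointer should be checked before `strdup()`, and a failed `malloc` of `cdata` should be logged rather than returning NULL silently; a rewrite follows. Separately, `make_salt` copies `prefix` (which comes from the `prefix=` option) into `char salt[64]` with `stpcpy` and then appends `entropy_size / 2` characters with no length check; a guard such as `if (entropy_size < 0 || strlen(prefix) + (size_t)entropy_size / 2 >= sizeof(salt)) return NULL;` would bound both writes. `make_salt` also no longer receives `pam_unix_param.count`, so a configured iteration count appears to be ignored, which deserves at least a comment at the two call sites.

```c
static char *crypt_wrapper_r(pam_handle_t *pamh, const char *key,
    const char *salt)
{
	char *retval = NULL;
	char *hash;
	struct crypt_data *cdata = malloc(sizeof(*cdata));

	if (cdata == NULL) {
		pam_syslog(pamh, LOG_CRIT, "malloc: %m");
		return NULL;
	}

	cdata->initialized = 0;
	hash = crypt_r(key, salt, cdata);
	if (hash == NULL)
		pam_syslog(pamh, LOG_CRIT, "crypt_r: %m");
	else
		retval = strdup(hash); /* we return NULL if strdup fails */

	/* ... unchanged: memset and free of cdata ... */
	return retval;
}
```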
@@ -0,0 +1,52 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/tcb/tcb-1.0.3-r2.ebuild,v 1.1 2010/01/17 14:55:16 phajdan.jr Exp $
+
+inherit eutils multilib
+
+DESCRIPTION="Libraries and tools implementing the tcb password shadowing scheme"
+HOMEPAGE="http://www.openwall.com/tcb/"
+SRC_URI="ftp://ftp.openwall.com/pub/projects/tcb/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="pam"
+
+DEPEND="pam? ( >=sys-libs/pam-0.75 )"
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+ for group in auth chkpwd shadow ; do
+ enewgroup ${group}
+ done
+
+ mymakeopts="
+ SLIBDIR=/$(get_libdir)
+ LIBDIR=/usr/$(get_libdir)
+ MANDIR=/usr/share/man
+ DESTDIR='${D}'"
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.0.2-build.patch
+ epatch "${FILESDIR}"/${PN}-gentoo.patch
+ use pam || sed -i '/pam/d' Makefile
+}
+
+src_compile() {
+ emake $mymakeopts || die "emake failed"
+}
+
+src_install() {
+ emake $mymakeopts install || die "emake install failed"
+ dodoc ChangeLog
+}
+
+pkg_postinst() {
+ einfo "You must now run /sbin/tcb_convert to convert your shadow to tcb"
+ einfo "To remove this you must first run /sbin/tcp_unconvert and then unmerge"
+}
-- 
cgit v1.2.3-65-gdbad
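Review bot: The second `einfo` line in `pkg_postinst` tells the user to run `/sbin/tcp_unconvert`, while the line above it names `/sbin/tcb_convert`; this looks like a typo for `tcb_unconvert`, and an administrator following it literally would not find the tool needed to revert the shadow conversion before unmerging. Suggested line: `einfo "To remove this you must first run /sbin/tcb_unconvert and then unmerge"`. Since the patch applied in `src_unpack` changes the default hash prefix from `$2a$` to `$6$`, an `ewarn` for systems whose PAM configuration still sets `prefix=$2a$` explicitly would also help, presumably because an unpatched glibc does not provide that scheme; that should be confirmed before wording the message.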