[net-nds/389-ds-base] rm, in tree

2021-08-12 13:13:11 +02:00
parent 42c33c7927
commit dc0837bc67
8 changed files with 0 additions and 679 deletions
--- a/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch
+++ b/net-nds/389-ds-base/files/389-ds-base-1.4.4.16-crypt-import.patch
@@ -1,118 +0,0 @@
-From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001
-From: Firstyear <william@blackhats.net.au>
-Date: Fri, 9 Jul 2021 11:53:35 +1000
-Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow
- all passwords (#4819)
-
-Bug Description: Due to mishanding of short dbpwd hashes, the
-crypt_r algorithm was misused and was only comparing salts
-in some cases, rather than checking the actual content
-of the password.
-
-Fix Description: Stricter checks on dbpwd lengths to ensure
-that content passed to crypt_r has at least 2 salt bytes and
-1 hash byte, as well as stricter checks on ct_memcmp to ensure
-that compared values are the same length, rather than potentially
-allowing overruns/short comparisons.
-
-fixes: https://github.com/389ds/389-ds-base/issues/4817
-
-Author: William Brown <william@blackhats.net.au>
-
-Review by: @mreynolds389
---
- .../password/pwd_crypt_asterisk_test.py       | 50 +++++++++++++++++++
- ldap/servers/plugins/pwdstorage/crypt_pwd.c   | 20 +++++---
- 2 files changed, 64 insertions(+), 6 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
-
-diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
-new file mode 100644
-index 000000000..d76614db1
--- /dev/null
-+++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
-@@ -0,0 +1,50 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2021 William Brown <william@blackhats.net.au>
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+import ldap
-+import pytest
-+from lib389.topologies import topology_st
-+from lib389.idm.user import UserAccounts
-+from lib389._constants import (DEFAULT_SUFFIX, PASSWORD)
-+
-+pytestmark = pytest.mark.tier1
-+
-+def test_password_crypt_asterisk_is_rejected(topology_st):
-+    """It was reported that {CRYPT}* was allowing all passwords to be
-+    valid in the bind process. This checks that we should be rejecting
-+    these as they should represent locked accounts. Similar, {CRYPT}!
-+
-+    :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3
-+    :setup: Single instance
-+    :steps: 1. Set a password hash in with CRYPT and the content *
-+            2. Test a bind
-+            3. Set a password hash in with CRYPT and the content !
-+            4. Test a bind
-+    :expectedresults:
-+            1. Successfully set the values
-+            2. The bind fails
-+            3. Successfully set the values
-+            4. The bind fails
-+    """
-+    topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
-+    topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off')
-+
-+    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
-+    user = users.create_test_user()
-+
-+    user.set('userPassword', "{CRYPT}*")
-+
-+    # Attempt to bind with incorrect password.
-+    with pytest.raises(ldap.INVALID_CREDENTIALS):
-+        badconn = user.bind('badpassword')
-+
-+    user.set('userPassword', "{CRYPT}!")
-+    # Attempt to bind with incorrect password.
-+    with pytest.raises(ldap.INVALID_CREDENTIALS):
-+        badconn = user.bind('badpassword')
-+
-diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-index 9031b2199..1b37d41ed 100644
--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
- int
- crypt_pw_cmp(const char *userpwd, const char *dbpwd)
- {
-    int rc;
-    char *cp;
-+    int rc = -1;
-+    char *cp = NULL;
-+    size_t dbpwd_len = strlen(dbpwd);
-     struct crypt_data data;
-     data.initialized = 0;
- 
-    /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
-    cp = crypt_r(userpwd, dbpwd, &data);
-    if (cp) {
-        rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
-+    /*
-+     * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will
-+     * allow any password to bind as we then only compare SALTS.
-+     */
-+    if (dbpwd_len >= 3) {
-+        /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
-+        cp = crypt_r(userpwd, dbpwd, &data);
-+    }
-+    /* If these are not the same length, we can not proceed safely with memcmp. */
-+    if (cp && dbpwd_len == strlen(cp)) {
-+        rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len);
-     } else {
-         rc = -1;
-     }
--- a/net-nds/389-ds-base/files/389-ds-base-db-gentoo.patch
+++ b/net-nds/389-ds-base/files/389-ds-base-db-gentoo.patch
@@ -1,17 +0,0 @@
-diff --git a/m4/db.m4 b/m4/db.m4
-index c916c2b83..a9dd5ef2b 100644
--- a/m4/db.m4
-+++ b/m4/db.m4
-@@ -96,9 +96,9 @@ if test -z "$db_inc"; then
- fi
- 
- dnl figure out which version of db we're using from the header file
-db_ver_maj=`grep DB_VERSION_MAJOR $db_incdir/db.h | awk '{print $3}'`
-db_ver_min=`grep DB_VERSION_MINOR $db_incdir/db.h | awk '{print $3}'`
-db_ver_pat=`grep DB_VERSION_PATCH $db_incdir/db.h | awk '{print $3}'`
-+db_ver_maj=`gcc -E -fdirectives-only $db_incdir/db.h | grep DB_VERSION_MAJOR | awk '{print $3}'`
-+db_ver_min=`gcc -E -fdirectives-only $db_incdir/db.h | grep DB_VERSION_MINOR | awk '{print $3}'`
-+db_ver_pat=`gcc -E -fdirectives-only $db_incdir/db.h | grep DB_VERSION_PATCH | awk '{print $3}'`
- 
- dnl Ensure that we have libdb at least 4.7, older versions aren't supported
- if test ${db_ver_maj} -lt 4; then
--- a/net-nds/389-ds-base/files/389-ds-base.conf
+++ b/net-nds/389-ds-base/files/389-ds-base.conf
@@ -1,3 +0,0 @@
-d /var/log/dirsrv 0700 dirsrv dirsrv -
-d /var/lib/dirsrv 0700 dirsrv dirsrv -
-d /run/lock/dirsrv 0770 dirsrv dirsrv -
--- a/net-nds/389-ds-base/files/389-ds-snmp.initd
+++ b/net-nds/389-ds-base/files/389-ds-snmp.initd
@@ -1,44 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-PIDFILE="/var/run/ldap-agent.pid"
-CONFIGFILE="/etc/dirsrv/config/ldap-agent.conf"
-
-# instance support in progress
-
-depend() {
-	need net
-	use logger snmpd
-}
-
-start() {
-	ebegin "Starting 389 Directory Server ldap-snmp agent"
-	start-stop-daemon --start --quiet -b \
-		--pidfile ${PIDFILE} --exec /usr/sbin/ldap-agent -- ${CONFIGFILE}
-	eend ${?}
-	if [ "${?}" != "0" ]; then
-		local entries=/etc/dirsrv/slapd-*
-		if [ -n "${entries}" ]; then
-			ewarn "Please make sure that ${CONFIGFILE} contains at least"
-			ewarn "one of the following entries:"
-			for entry in ${entries}; do
-				entry=$(basename ${entry})
-				ewarn "server ${entry}"
-			done
-		fi
-	fi
-}
-
-stop() {
-	ebegin "Stopping 389 Directory Server ldap-snmp agent"
-	start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
-	eend ${?}
-	
-}
-
-restart() {
-	svc_stop
-	sleep 2
-	svc_start
-}
--- a/net-nds/389-ds-base/files/389-ds.initd-r1
+++ b/net-nds/389-ds-base/files/389-ds.initd-r1
@@ -1,89 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-DIRSRV_EXEC="/usr/sbin/ns-slapd"
-PID_DIRECTORY="/run/dirsrv"
-LOCK_DIRECTORY="/var/lock/dirsrv"
-DIRSRV_CONF_DIR="/etc/dirsrv"
-DS_INSTANCES=${DIRSRV_CONF_DIR}/slapd-*
-
-depend() {
-	need net logger
-	use dns
-	provide dirsrv ldap
-}
-
-checkconfig() {
-	if [ -z "${DS_INSTANCES}" ]; then
-		eerror "389 Directory Server has not been configured."
-		eend 1
-		return 1
-	fi
-}
-
-start() {
-	checkconfig || return 1
-
-	for instance in ${DS_INSTANCES}; do
-		instance=$(basename ${instance})
-		# skip .removed instances, bug #338133
-		if [ "${instance%%.removed}" != "${instance}" ]; then
-			continue
-		fi
-		# Create the required directories in case they got nuked
-		mkdir -p ${PID_DIRECTORY}
-		mkdir -p ${LOCK_DIRECTORY}/${instance}
-		# This will probably break one day, we should be pulling out the suitespotuser from dse.ldif
-		chown dirsrv: ${PID_DIRECTORY}
-		chown dirsrv: ${LOCK_DIRECTORY}/${instance}
-		ebegin "Starting 389 Directory Server: instance ${instance}"
-		start-stop-daemon --start --quiet -m \
-			--pidfile ${PID_DIRECTORY}/${instance}.startpid \
-			--exec ${DIRSRV_EXEC} -- -D ${DIRSRV_CONF_DIR}/${instance} \
-			-i ${PID_DIRECTORY}/${instance}.pid \
-			-w ${PID_DIRECTORY}/${instance}.startpid
-		sts=${?}
-		eend ${sts}
-		if [ "${sts}" != "0" ]; then
-			return 1
-		fi
-	done
-}
-
-
-
-stop() {
-	checkconfig || return 1
-
-	for instance in ${DS_INSTANCES}; do
-		instance=$(basename ${instance})
-		if [ "${instance%%.removed}" != "${instance}" ]; then
-			continue
-		fi
-		ebegin "Stopping 389 Directory Server: instance ${instance}"
-		start-stop-daemon --stop --quiet \
-			--pidfile ${PID_DIRECTORY}/${instance}.pid \
-			--exec ${DIRSRV_EXEC}
-		eend ${?}
-	done
-}
-
-status() {
-	for instance in ${DS_INSTANCES}; do
-		instance=$(basename ${instance})
-		if [ "${instance%%.removed}" != "${instance}" ]; then
-			continue
-		fi
-		if [ -e ${PID_DIRECTORY}/${instance}.pid ]; then
-			pid=$(cat ${PID_DIRECTORY}/${instance}.pid)
-			if [ $(echo "$pid" | grep -c $pid) -ge 1 ]; then
-				einfo "389 Directory Server: instance ${instance} (pid $pid) running."
-			else
-				ewarn "389 Directory Server: instance ${instance} (pid $pid) NOT running."
-			fi
-		else
-			eerror "389 Directory Server: instance ${instance} is NOT running."
-		fi
-	done
-}