Accepting request 77146 from network:utilities

- enable use of crypt_gensalt to support all glibc supported
  algorithms
- allow 8bit passwords read from file
- support new blowfish $2y algorithm

I've sent the patches to Marco d'Itri <md@linux.it>, he said he will
include them in the next whois release. (forwarded request 76616 from lnussel)

OBS-URL: https://build.opensuse.org/request/show/77146
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/whois?expand=0&rev=24

whois-5.0.11-mkpasswd-add-support-for-the-new-2y-blowfish-tag-CVE-2011-2483.diff

@@ -0,0 +1,41 @@
+From 757e302cc12f962ee1e04ccc572d0553bcfb780c Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 14 Jul 2011 13:38:08 +0200
+Subject: [PATCH whois 4/7] add support for the new 2y blowfish tag (CVE-2011-2483)
+
+---
+ mkpasswd.c |    9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 8bdc7f3..281d970 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -86,9 +86,13 @@ static const struct crypt_method methods[] = {
+ #if defined FreeBSD
+     { "bf",		"$2$",  22,	22,	0, "Blowfish (FreeBSD)" },
+ #endif
+-#if defined OpenBSD || (defined __SVR4 && defined __sun) || defined HAVE_CRYPT_GENSALT
++#if defined OpenBSD || (defined __SVR4 && defined __sun)
+     { "bf",		"$2a$", 22,	22,	1, "Blowfish" },
+ #endif
++#if defined HAVE_CRYPT_GENSALT
++    { "bf",		"$2a$", 22,	22,	1, "Blowfish, system-specific on 8-bit chars" },
++    { "bfy",		"$2y$", 22,	22,	1, "Blowfish, correct handling of 8-bit chars" },
++#endif
+ #if defined FreeBSD
+     { "nt",		"$3$",  0,	0,	0, "NT-Hash" },
+ #endif
+@@ -226,7 +230,8 @@ int main(int argc, char *argv[])
+ 	salt_prefix = methods[0].prefix;
+     }
+ 
+-    if (streq(salt_prefix, "$2a$")) {		/* OpenBSD Blowfish  */
++    if (streq(salt_prefix, "$2a$")
++    || streq(salt_prefix, "$2y$")) {		/* OpenBSD Blowfish  */
+ 	if (rounds <= 4)
+ 	    rounds = 4;
+ 	/* actually for 2a it is the logarithm of the number of rounds */
+-- 
+1.7.3.4
+

whois-5.0.11-mkpasswd-crypt_gensalt-might-change-the-prefix.diff

@@ -0,0 +1,28 @@
+From b8cdda35e57303fa67e96165e8eb37a19e22171b Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 14 Jul 2011 13:06:56 +0200
+Subject: [PATCH whois 3/7] crypt_gensalt might change the prefix
+
+It's undocumented behavior but be prepared for it.
+---
+ mkpasswd.c |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 59c7a58..8bdc7f3 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -331,7 +331,9 @@ int main(int argc, char *argv[])
+ 	    fprintf(stderr, "crypt failed.\n");
+ 	    exit(2);
+ 	}
+-	if (!strneq(result, salt_prefix, strlen(salt_prefix))) {
++	/* yes, using strlen(salt_prefix) on salt. It's not
++	 * documented whether crypt_gensalt may change the prefix */
++	if (!strneq(result, salt, strlen(salt_prefix))) {
+ 	    fprintf(stderr, _("Method not supported by crypt(3).\n"));
+ 	    exit(2);
+ 	}
+-- 
+1.7.3.4
+

whois-5.0.11-mkpasswd-fix-compiler-warnings.diff

@@ -0,0 +1,34 @@
+From a57b7374a00a93bc237f34c28f9226258adb6a82 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 14 Jul 2011 13:42:01 +0200
+Subject: [PATCH whois 7/7] fix compiler warnings
+
+---
+ mkpasswd.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 7408cbc..cb5f5ad 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -179,7 +179,7 @@ int main(int argc, char *argv[])
+ 	    {
+ 		char *p;
+ 		rounds = strtol(optarg, &p, 10);
+-		if (p == NULL || *p != '\0' || rounds < 0) {
++		if (p == NULL || *p != '\0') {
+ 		    fprintf(stderr, _("Invalid number '%s'.\n"), optarg);
+ 		    exit(1);
+ 		}
+@@ -296,7 +296,7 @@ int main(int argc, char *argv[])
+     if (password) {
+     } else if (password_fd != -1) {
+ 	FILE *fp;
+-	unsigned char *p;
++	char *p;
+ 
+ 	if (isatty(password_fd))
+ 	    fprintf(stderr, _("Password: "));
+-- 
+1.7.3.4
+

whois-5.0.11-mkpasswd-remove-obsolete-settings.diff

@@ -0,0 +1,43 @@
+From cda3259facbb37e8775131cfde9822aeb09edf78 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 14 Jul 2011 13:31:13 +0200
+Subject: [PATCH whois 6/7] remove obsolete settings
+
+According to Solar Designer $2$ never was officially released,
+refers to a pre-version of blowfish crypt. FreeBSD is said to
+support $2a.
+
+libxcrypt does not actually support {SHA}
+---
+ mkpasswd.c |    8 +-------
+ 1 files changed, 1 insertions(+), 7 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index ee997ba..7408cbc 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -83,10 +83,7 @@ static const struct crypt_method methods[] = {
+     { "des",		"",	2,	2,	0,
+ 	N_("standard 56 bit DES-based crypt(3)") },
+     { "md5",		"$1$",	8,	8,	0, "MD5" },
+-#if defined FreeBSD
+-    { "bf",		"$2$",  22,	22,	0, "Blowfish (FreeBSD)" },
+-#endif
+-#if defined OpenBSD || (defined __SVR4 && defined __sun)
++#if defined OpenBSD || defined FreeBSD || (defined __SVR4 && defined __sun)
+     { "bf",		"$2a$", 22,	22,	1, "Blowfish" },
+ #endif
+ #if defined HAVE_CRYPT_GENSALT
+@@ -111,9 +108,6 @@ static const struct crypt_method methods[] = {
+ #if defined __SVR4 && defined __sun
+     { "sunmd5",		"$md5$", 8,	8,	1, "SunMD5" },
+ #endif
+-#if defined HAVE_XCRYPT
+-    { "sha",		"{SHA}", 0,	0,	0, "SHA-1" },
+-#endif
+     { NULL,		NULL,	0,	0,	0, NULL }
+ };
+ 
+-- 
+1.7.3.4
+

whois-5.0.11-mkpasswd-set-default-blowfish-rounds-to-5.diff

@@ -0,0 +1,28 @@
+From 45731d21f551b72e10e211edfa1b3c4e2ed3f8ad Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 14 Jul 2011 13:39:07 +0200
+Subject: [PATCH whois 5/7] set default blowfish rounds to 5
+
+five rounds is the crypt_blowfish default
+---
+ mkpasswd.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 281d970..ee997ba 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -232,8 +232,8 @@ int main(int argc, char *argv[])
+ 
+     if (streq(salt_prefix, "$2a$")
+     || streq(salt_prefix, "$2y$")) {		/* OpenBSD Blowfish  */
+-	if (rounds <= 4)
+-	    rounds = 4;
++	if (rounds < 5)
++	    rounds = 5;
+ 	/* actually for 2a it is the logarithm of the number of rounds */
+ 	snprintf(rounds_str, sizeof(rounds_str), "%02u$", rounds);
+     } else if (rounds_support && rounds)
+-- 
+1.7.3.4
+

whois-5.0.11-mkpasswd-support-8bit-characters.diff

@@ -0,0 +1,42 @@
+From b6d62022a7ab3694ed6cef0021a2f837c6b5d80b Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 14 Jul 2011 13:06:41 +0200
+Subject: [PATCH whois 2/7] support 8bit characters
+
+8bit characters are accepted when typed interactively so there is no
+reason to reject them when read from a file.
+---
+ mkpasswd.c |   17 +++--------------
+ 1 files changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 43403d4..59c7a58 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -312,20 +312,9 @@ int main(int argc, char *argv[])
+ 	    exit(2);
+ 	}
+ 
+-	p = (unsigned char *)password;
+-	while (*p) {
+-	    if (*p == '\n' || *p == '\r') {
+-		*p = '\0';
+-		break;
+-	    }
+-	    /* which characters are valid? */
+-	    if (*p > 0x7f) {
+-		fprintf(stderr,
+-			_("Illegal password character '0x%hhx'.\n"), *p);
+-		exit(1);
+-	    }
+-	    p++;
+-	}
++	p = strpbrk(password, "\n\r");
++	if (p)
++	    *p = '\0';
+     } else {
+ 	password = getpass(_("Password: "));
+ 	if (!password) {
+-- 
+1.7.3.4
+

whois-5.0.11-mkpasswd-support-Owl-patched-libcrypt.diff

@@ -0,0 +1,68 @@
+From 1f6bc61a9b79472234571092493d6d980826e736 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 14 Jul 2011 13:06:14 +0200
+Subject: [PATCH whois 1/7] support Owl patched libcrypt
+
+Owl (and upcoming openSUSE) patch crypt_gensalt directly into libc's
+libcrypt.
+---
+ Makefile   |    7 ++++++-
+ mkpasswd.c |    8 ++++++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 44f09dd..66c4cbe 100644
+--- a/Makefile
++++ b/Makefile
+@@ -44,9 +44,14 @@ endif
+ 
+ ifdef HAVE_XCRYPT
+ mkpasswd_LDADD += -lxcrypt
+-DEFS += -DHAVE_XCRYPT
++DEFS += -DHAVE_XCRYPT -DHAVE_CRYPT_GENSALT
+ else
++ifdef HAVE_CRYPT_GENSALT
++DEFS += -DHAVE_CRYPT_GENSALT
+ mkpasswd_LDADD += -lcrypt
++else
++mkpasswd_LDADD += -lcrypt
++endif
+ endif
+ 
+ ##############################################################################
+diff --git a/mkpasswd.c b/mkpasswd.c
+index 176d980..43403d4 100644
+--- a/mkpasswd.c
++++ b/mkpasswd.c
+@@ -36,6 +36,10 @@
+ #include <xcrypt.h>
+ #include <sys/stat.h>
+ #endif
++#ifdef HAVE_CRYPT_GENSALT
++#define _OW_SOURCE
++#include <crypt.h>
++#endif
+ #ifdef HAVE_GETTIMEOFDAY
+ #include <sys/time.h>
+ #endif
+@@ -82,7 +86,7 @@ static const struct crypt_method methods[] = {
+ #if defined FreeBSD
+     { "bf",		"$2$",  22,	22,	0, "Blowfish (FreeBSD)" },
+ #endif
+-#if defined OpenBSD || (defined __SVR4 && defined __sun) || defined HAVE_XCRYPT
++#if defined OpenBSD || (defined __SVR4 && defined __sun) || defined HAVE_CRYPT_GENSALT
+     { "bf",		"$2a$", 22,	22,	1, "Blowfish" },
+ #endif
+ #if defined FreeBSD
+@@ -264,7 +268,7 @@ int main(int argc, char *argv[])
+ 	strcat(salt, rounds_str);
+ 	strcat(salt, salt_arg);
+     } else {
+-#ifdef HAVE_XCRYPT
++#ifdef HAVE_CRYPT_GENSALT
+ 	void *entropy = get_random_bytes(64);
+ 
+ 	salt = crypt_gensalt(salt_prefix, rounds, entropy, 64);
+-- 
+1.7.3.4
+

whois.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jul 19 08:48:20 UTC 2011 - lnussel@suse.de
+
+- enable use of crypt_gensalt to support all glibc supported
+  algorithms
+- allow 8bit passwords read from file
+- support new blowfish $2y algorithm
+
 -------------------------------------------------------------------
 Tue Mar 22 10:15:42 UTC 2011 - puzel@novell.com
 

whois.spec

@@ -24,8 +24,15 @@ License:        GPLv2+
 Summary:        Whois Client Program
 Url:            http://www.linux.it/~md/software/
 Group:          Productivity/Networking/Other
-Source:         %{name}_%{version}.tar.bz2
+Source:         http://ftp.debian.org/debian/pool/main/w/whois/%{name}_%{version}.tar.bz2
 Patch1:         whois-4.7.33-nb.patch
+Patch2:         whois-5.0.11-mkpasswd-support-Owl-patched-libcrypt.diff
+Patch3:         whois-5.0.11-mkpasswd-crypt_gensalt-might-change-the-prefix.diff
+Patch4:         whois-5.0.11-mkpasswd-support-8bit-characters.diff
+Patch5:         whois-5.0.11-mkpasswd-add-support-for-the-new-2y-blowfish-tag-CVE-2011-2483.diff
+Patch6:         whois-5.0.11-mkpasswd-set-default-blowfish-rounds-to-5.diff
+Patch7:         whois-5.0.11-mkpasswd-remove-obsolete-settings.diff
+Patch8:         whois-5.0.11-mkpasswd-fix-compiler-warnings.diff
 BuildRequires:  libidn-devel
 Provides:       ripe-whois-tools
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -40,10 +47,17 @@ mkpasswd, a simple front-end to crypt(3).
 %prep
 %setup -n whois-%{version}
 %patch1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 rename no nb po/no.*
 
 %build
-make all mkpasswd HAVE_LIBIDN=1 HAVE_ICONV=1 CFLAGS="%{optflags}"
+make all mkpasswd HAVE_LIBIDN=1 HAVE_ICONV=1 HAVE_CRYPT_GENSALT=1 CFLAGS="%{optflags}"
 
 %install
 mkdir -p %{buildroot}{/usr/bin,%{_mandir}/man1}