diff --git a/.authd.metadata b/.authd.metadata
new file mode 100644
index 0000000..7a2c9d2
--- /dev/null
+++ b/.authd.metadata
@@ -0,0 +1 @@
+1a508618ce847ffd0b00a4341cbcb8b310f845e9 SOURCES/authd-1.4.4.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..52ab20a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/authd-1.4.4.tar.gz
diff --git a/SOURCES/auth.socket b/SOURCES/auth.socket
new file mode 100644
index 0000000..d701b04
--- /dev/null
+++ b/SOURCES/auth.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=Authd Activation Socket
+
+[Socket]
+ListenStream=113
+Accept=true
+
+[Install]
+WantedBy=sockets.target
diff --git a/SOURCES/auth@.service b/SOURCES/auth@.service
new file mode 100644
index 0000000..8da5bd2
--- /dev/null
+++ b/SOURCES/auth@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Authd Ident Protocol Requests Server
+After=local-fs.target
+
+[Service]
+User=ident
+ExecStart=/usr/sbin/in.authd -t60 --xerror --os -E
+StandardInput=socket
diff --git a/SOURCES/authd-covscan.patch b/SOURCES/authd-covscan.patch
new file mode 100644
index 0000000..4211af8
--- /dev/null
+++ b/SOURCES/authd-covscan.patch
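Review bot: The `[Socket]` section of auth.socket pairs `Accept=true` with `ListenStream=113` and sets no per-peer limit, so every inbound connection starts its own `auth@.service` instance and only systemd's global `MaxConnections=` default bounds them. A single remote host can therefore occupy all instance slots and starve legitimate ident lookups. Adding a cap such as `MaxConnectionsPerSource=8` (constructed example value, tune to the site) would contain that. If ident is only needed on particular interfaces, `ListenStream=` can also carry an explicit address instead of a bare port.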
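Review bot: The `[Service]` section of auth@.service sets `StandardInput=socket` but no `StandardError=`, and as far as I know systemd then lets stdout and stderr inherit the connection, so anything in.authd prints to stderr would be sent to the remote peer instead of the log. Adding `StandardError=journal` keeps diagnostics local. Each instance parses input from the network, so it is also worth adding sandboxing such as `NoNewPrivileges=true` and `PrivateTmp=true`, after checking that lookups and the key read required by `-E` still work under `User=ident`.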
@@ -0,0 +1,43 @@
+diff --git a/authd.c b/authd.c
+index a2072de..07c6f0d 100644
+--- a/authd.c
++++ b/authd.c
+@@ -240,7 +240,6 @@ static void create_opt(int argc, char *argv[]) {
+ opt.passwd = vstrdup(DFL_PASSWD);
+ if ((opt.mapped = calloc(HEX_LEN_MAX + sizeof '\0', sizeof(char))) == NULL)
+ handle_error(NULL);
+- memset(opt.mapped, '0', HEX_LEN_MAX);
+ opt.multiquery = 1;
+ opt.timeout = UINT_MAX;
+ while ((c = getopt_long(argc, argv, SHORT_OPTS, LONG_OPTS, &i)) != -1) {
+@@ -539,7 +538,9 @@ static char *get_created_tok_addr(const char *peer_addr_hex) {
+ }
+ // hex addr must have even number of digits
+ if ((int) z & 1) {
+- errno = EINVAL; return NULL;
++ free(addr);
++ errno = EINVAL;
++ return NULL;
+ }
+ while (z > 1) {
+ unsigned long ul; char *endptr;
+@@ -548,7 +549,9 @@ static char *get_created_tok_addr(const char *peer_addr_hex) {
+ addr_hex[z] = '\0'; z -= HEX_DIG;
+ ul = strtoul(addr_hex + z, &endptr, 16);
+ if (is_bad_strto(addr_hex + z, endptr)) {
+- errno = EINVAL; return NULL;
++ free(addr);
++ errno = EINVAL;
++ return NULL;
+ }
+ if ((!IS_IPV4 || 6 == z) && is_16_bits)
+ *p++ = ':';
+@@ -809,7 +812,7 @@ static bool initialize_crypto(crypto_t *x, const char *filename) {
+ const EVP_MD *const HASH = EVP_md5(); // openssl compat: enc -pass
+ const size_t KEY_SIZE = EVP_CIPHER_key_length(x->cipher);
+ const size_t IV_SIZE = EVP_CIPHER_iv_length(x->cipher);
+- char *pass = NULL; size_t z = 0;
++ unsigned char *pass = NULL; size_t z = 0;
+
+ if (!S_ISREG(file.st_mode)) return false; // no dirs, devs, etc.
+ if (file.st_mode & (S_IROTH | S_IWOTH)) return false; // no ------rw-
diff --git a/SPECS/authd.spec b/SPECS/authd.spec
new file mode 100644
index 0000000..7c0d2ab
--- /dev/null
+++ b/SPECS/authd.spec
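Review bot: Dropping `memset(opt.mapped, '0', HEX_LEN_MAX);` in the create_opt hunk of the embedded patch changes the default value of `opt.mapped`, not just a scanner finding. The `calloc` above it fills the buffer with NUL bytes, so the default becomes an empty string where it used to be HEX_LEN_MAX ASCII '0' digits. If the scanner only objected to the character fill value, keeping the line with a comment like `/* intentional: fill with ASCII '0' hex digits, not NUL */` would silence it without a behaviour change. Otherwise the readers of `opt.mapped`, which lie outside these hunks, need checking for the empty-string case. The `free(addr)` additions in get_created_tok_addr look right for the two error returns shown.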
@@ -0,0 +1,89 @@
+%global _hardened_build 1
+
+Summary: A RFC 1413 ident protocol daemon
+Name: authd
+Version: 1.4.4
+Release: 5%{?dist}
+License: GPLv2+
+URL: https://github.com/InfrastructureServices/authd
+Obsoletes: pidentd < 3.2
+Provides: pidentd = 3.2
+Requires(post): openssl
+Source0: https://github.com/InfrastructureServices/authd/releases/download/v1.4.4/authd-1.4.4.tar.gz
+Source1: auth.socket
+Source2: auth@.service
+BuildRequires: gcc
+BuildRequires: openssl-devel gettext help2man systemd-units
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Patch0: authd-covscan.patch
+
+%description
+authd is a small and fast RFC 1413 ident protocol daemon
+with both xinetd server and interactive modes that
+supports IPv6 and IPv4 as well as the more popular features
+of pidentd.
+
+%prep
+%autosetup
+
+%build
+make prefix=%{_prefix} CFLAGS="%{optflags}" \
+ LDFLAGS="-lcrypto %{build_ldflags}"
+
+%install
+%make_install datadir=%{buildroot}/%{_datadir} \
+ sbindir=%{buildroot}/%{_sbindir}
+
+install -d %{buildroot}%{_unitdir}/
+install -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 644 %{SOURCE2} %{buildroot}%{_unitdir}/
+
+install -d %{buildroot}%{_sysconfdir}/
+touch %{buildroot}%{_sysconfdir}/ident.key
+
+install -d %{buildroot}/%{_mandir}/man1/
+help2man -N -v -V %{buildroot}/%{_sbindir}/in.authd -o \
+ %{buildroot}/%{_mandir}/man1/in.authd.1
+
+%find_lang %{name}
+
+%post
+/usr/sbin/adduser -s /sbin/nologin -u 98 -r -d '/' ident 2>/dev/null || true
+/usr/bin/openssl rand -base64 -out %{_sysconfdir}/ident.key 32
+echo CHANGE THE LINE ABOVE TO A PASSPHRASE >> %{_sysconfdir}/ident.key
+/bin/chown ident:ident %{_sysconfdir}/ident.key
+chmod o-rw %{_sysconfdir}/ident.key
+%systemd_post auth.socket
+
+%postun
+%systemd_postun_with_restart auth.socket
+
+%preun
+%systemd_preun auth.socket
+
+%files -f authd.lang
+%license COPYING
+%verify(not md5 size mtime user group) %config(noreplace) %attr(640,root,root) %{_sysconfdir}/ident.key
+%doc COPYING README.html rfc1413.txt
+%{_sbindir}/in.authd
+%{_mandir}/*/*
+%{_unitdir}/*
+
+%changelog
+* Mon Feb 18 2019 Pavel Zhukov - 1.4.4-5
+- Related: #1642073 - Properly pass hardened ld flags
+- Fix covscan reported errors
+
+* Sun Feb 17 2019 Pavel Zhukov - 1.4.4-2
+- Related: #1642073 - Rebuild with RHEL CFLAGS
+- Enabled hardered build
+
+* Tue Feb 12 2019 Pavel Zhukov - 1.4.4-1
+- Import from Fedora
+- New release (v1.4.4)
+- New upstream URL
+
+
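Review bot: The `%post` scriptlet regenerates `%{_sysconfdir}/ident.key` unconditionally, so every upgrade or reinstall overwrites the passphrase the administrator set, even though `%files` marks the file `%config(noreplace)`. Wrapping the `openssl rand` and `echo` lines in `if [ ! -s %{_sysconfdir}/ident.key ]; then` … `fi` (or testing `[ $1 -eq 1 ]`) limits key generation to a fresh install. The scriptlet then runs `chown ident:ident`, which lets the network-facing daemon user rewrite its own key and disagrees with the `%attr(640,root,root)` entry. `/bin/chown root:ident %{_sysconfdir}/ident.key` with mode 640 would give the service read access only.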