summaryrefslogtreecommitdiffstats
path: root/source/a
diff options
context:
space:
mode:
author Patrick J Volkerding <volkerdi@slackware.com>2024-01-26 20:59:27 +0000
committer Eric Hameleers <alien@slackware.com>2024-01-26 22:29:25 +0100
commitc2e6d1a771c30e282596e9ba23175d9b6d48be25 (patch)
tree824dbd7db2148669accbde55223bc32350e4ef47 /source/a
parent0abd603d71db76d9bad0951aa186d9b2e72ca05b (diff)
downloadcurrent-c2e6d1a771c30e282596e9ba23175d9b6d48be25.tar.gz
current-c2e6d1a771c30e282596e9ba23175d9b6d48be25.tar.xz
Fri Jan 26 20:59:27 UTC 202420240126205927
a/pam-1.6.0-x86_64-1.txz: Upgraded. pam_namespace.so: fixed a possible local denial-of-service vulnerability. For more information, see: https://seclists.org/oss-sec/2024/q1/31 https://www.cve.org/CVERecord?id=CVE-2024-22365 (* Security fix *) a/xz-5.4.6-x86_64-1.txz: Upgraded. l/python-hatchling-1.21.1-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/a')
-rw-r--r--source/a/pam/fedora-patches/pam-1.1.3-nouserenv.patch27
-rw-r--r--source/a/pam/fedora-patches/pam-1.1.6-limits-user.patch20
-rw-r--r--source/a/pam/fedora-patches/pam-1.1.8-audit-user-mgmt.patch31
-rw-r--r--source/a/pam/fedora-patches/pam-1.1.8-full-relro.patch67
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.0-pwhistory-helper.patch806
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-coverity.patch185
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-motd-multiple-paths.patch755
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-noflex.patch24
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-redhat-modules.patch78
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch34
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch73
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch40
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch104
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch95
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch105
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch34
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-yescrypt.patch479
-rw-r--r--source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch29
-rw-r--r--source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch95
-rw-r--r--source/a/pam/fedora-patches/pam-1.5.3-unix-nomsg.patch (renamed from source/a/pam/fedora-patches/pam-1.3.0-unix-nomsg.patch)9
-rw-r--r--source/a/pam/fedora-patches/pam-1.6.0-noflex.patch24
-rw-r--r--source/a/pam/fedora-patches/pam-1.6.0-redhat-modules.patch24
-rwxr-xr-xsource/a/pam/pam.SlackBuild30
23 files changed, 60 insertions, 3108 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.1.3-nouserenv.patch b/source/a/pam/fedora-patches/pam-1.1.3-nouserenv.patch
deleted file mode 100644
index f3a742c8d..000000000
--- a/source/a/pam/fedora-patches/pam-1.1.3-nouserenv.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
---- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200
-+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100
-@@ -10,7 +10,7 @@
- #define DEFAULT_READ_ENVFILE 1
-
- #define DEFAULT_USER_ENVFILE ".pam_environment"
--#define DEFAULT_USER_READ_ENVFILE 1
-+#define DEFAULT_USER_READ_ENVFILE 0
-
- #include "config.h"
-
-diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
---- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200
-+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100
-@@ -147,7 +147,10 @@
- <listitem>
- <para>
- Turns on or off the reading of the user specific environment
-- file. 0 is off, 1 is on. By default this option is on.
-+ file. 0 is off, 1 is on. By default this option is off as user
-+ supplied environment variables in the PAM environment could affect
-+ behavior of subsequent modules in the stack without the consent
-+ of the system administrator.
- </para>
- </listitem>
- </varlistentry>
diff --git a/source/a/pam/fedora-patches/pam-1.1.6-limits-user.patch b/source/a/pam/fedora-patches/pam-1.1.6-limits-user.patch
deleted file mode 100644
index 3c17b781a..000000000
--- a/source/a/pam/fedora-patches/pam-1.1.6-limits-user.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
---- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200
-+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100
-@@ -1,5 +1,16 @@
- # /etc/security/limits.conf
- #
-+#This file sets the resource limits for the users logged in via PAM.
-+#It does not affect resource limits of the system services.
-+#
-+#Also note that configuration files in /etc/security/limits.d directory,
-+#which are read in alphabetical order, override the settings in this
-+#file in case the domain is the same or more specific.
-+#That means for example that setting a limit for wildcard domain here
-+#can be overriden with a wildcard setting in a config file in the
-+#subdirectory, but a user specific setting here can be overriden only
-+#with a user specific setting in the subdirectory.
-+#
- #Each line describes a limit for a user in the form:
- #
- #<domain> <type> <item> <value>
diff --git a/source/a/pam/fedora-patches/pam-1.1.8-audit-user-mgmt.patch b/source/a/pam/fedora-patches/pam-1.1.8-audit-user-mgmt.patch
deleted file mode 100644
index 277a5699f..000000000
--- a/source/a/pam/fedora-patches/pam-1.1.8-audit-user-mgmt.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
---- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
-+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
-@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
- #ifdef HAVE_LIBAUDIT
- char buf[64];
- int audit_fd = audit_open();
-- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
-- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
-+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
-+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
-+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
- if (audit_fd >=0)
- close(audit_fd);
- #endif
-@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
- }
- else if ( !cline_reset ) {
- #ifdef HAVE_LIBAUDIT
-- char buf[64];
- int audit_fd = audit_open();
-- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
-- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
-+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
-+ "pam_tally2-reset-all-accts reset=0", "*", -1,
-+ NULL, NULL, ttyname(STDIN_FILENO), 1);
- if (audit_fd >=0)
- close(audit_fd);
- #endif
diff --git a/source/a/pam/fedora-patches/pam-1.1.8-full-relro.patch b/source/a/pam/fedora-patches/pam-1.1.8-full-relro.patch
deleted file mode 100644
index b2d8526f9..000000000
--- a/source/a/pam/fedora-patches/pam-1.1.8-full-relro.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
---- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
-+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
-@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
-
- AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -I$(srcdir)/.. @PIE_CFLAGS@
--AM_LDFLAGS = @PIE_LDFLAGS@
-+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
- LDADD = $(top_builddir)/libpam/libpam.la
-
- securelibfilter_PROGRAMS = upperLOWER
-diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
---- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
-+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
-@@ -30,6 +30,8 @@ endif
-
- sbin_PROGRAMS = mkhomedir_helper
- mkhomedir_helper_SOURCES = mkhomedir_helper.c
-+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
-+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
- mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
-
- if ENABLE_REGENERATE_MAN
-diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
---- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
-+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
-@@ -26,6 +26,8 @@ if HAVE_VERSIONING
- pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
- endif
-
-+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
-+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
- pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
-
- securelib_LTLIBRARIES = pam_tally2.la
-diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
---- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
-+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
-@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
- pam_timestamp_check_SOURCES = pam_timestamp_check.c
- pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
- pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
--pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
-+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
-
- hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
- hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
-diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
---- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
-+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
-@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
- unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
- passverify.c
- unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
--unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
-+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
- unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
-
- unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
- passverify.c
- unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
--unix_update_LDFLAGS = @PIE_LDFLAGS@
-+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
- unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
-
- if ENABLE_REGENERATE_MAN
diff --git a/source/a/pam/fedora-patches/pam-1.3.0-pwhistory-helper.patch b/source/a/pam/fedora-patches/pam-1.3.0-pwhistory-helper.patch
deleted file mode 100644
index 554e5c8f8..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.0-pwhistory-helper.patch
+++ /dev/null
@@ -1,806 +0,0 @@
-diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am
---- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100
-+++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200
-@@ -1,5 +1,6 @@
- #
- # Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
-+# Copyright (c) 2013 Red Hat, Inc.
- #
-
- CLEANFILES = *~
-@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
-
- TESTS = tst-pam_pwhistory
-
--man_MANS = pam_pwhistory.8
-+man_MANS = pam_pwhistory.8 pwhistory_helper.8
-
--XMLS = README.xml pam_pwhistory.8.xml
-+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
-
- securelibdir = $(SECUREDIR)
- secureconfdir = $(SCONFIGDIR)
-
--AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
--AM_LDFLAGS = -no-undefined -avoid-version -module
-+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-+ -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
-+
-+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
- if HAVE_VERSIONING
-- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
- endif
-
- noinst_HEADERS = opasswd.h
-
- securelib_LTLIBRARIES = pam_pwhistory.la
--pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
-+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
-+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
- pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
-
-+sbin_PROGRAMS = pwhistory_helper
-+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
-+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
-+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
-+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
-+
- if ENABLE_REGENERATE_MAN
- noinst_DATA = README
- README: pam_pwhistory.8.xml
-diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c
---- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100
-+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200
-@@ -1,5 +1,6 @@
- /*
- * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
-+ * Copyright (c) 2013 Red Hat, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -38,6 +39,7 @@
- #endif
-
- #include <pwd.h>
-+#include <shadow.h>
- #include <time.h>
- #include <ctype.h>
- #include <errno.h>
-@@ -47,6 +49,7 @@
- #include <string.h>
- #include <stdlib.h>
- #include <syslog.h>
-+#include <stdarg.h>
- #include <sys/stat.h>
-
- #if defined (HAVE_XCRYPT_H)
-@@ -55,7 +58,14 @@
- #include <crypt.h>
- #endif
-
-+#ifdef HELPER_COMPILE
-+#define pam_modutil_getpwnam(h,n) getpwnam(n)
-+#define pam_modutil_getspnam(h,n) getspnam(n)
-+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
-+#else
-+#include <security/pam_modutil.h>
- #include <security/pam_ext.h>
-+#endif
- #include <security/pam_modules.h>
-
- #include "opasswd.h"
-@@ -76,6 +86,19 @@ typedef struct {
- char *old_passwords;
- } opwd;
-
-+#ifdef HELPER_COMPILE
-+void
-+helper_log_err(int err, const char *format, ...)
-+{
-+ va_list args;
-+
-+ va_start(args, format);
-+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-+ vsyslog(err, format, args);
-+ va_end(args);
-+ closelog();
-+}
-+#endif
-
- static int
- parse_entry (char *line, opwd *data)
-@@ -117,8 +140,8 @@ compare_password(const char *newpass, co
- }
-
- /* Check, if the new password is already in the opasswd file. */
--int
--check_old_pass (pam_handle_t *pamh, const char *user,
-+PAMH_ARG_DECL(int
-+check_old_pass, const char *user,
- const char *newpass, int debug)
- {
- int retval = PAM_SUCCESS;
-@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
- opwd entry;
- int found = 0;
-
-+#ifndef HELPER_COMPILE
-+ if (SELINUX_ENABLED)
-+ return PAM_PWHISTORY_RUN_HELPER;
-+#endif
-+
- if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
- {
- if (errno != ENOENT)
-@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
- return retval;
- }
-
--int
--save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
-- const char *oldpass, int howmany, int debug UNUSED)
-+PAMH_ARG_DECL(int
-+save_old_pass, const char *user,
-+ int howmany, int debug UNUSED)
- {
- char opasswd_tmp[] = TMP_PASSWORDS_FILE;
- struct stat opasswd_stat;
-@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
- char *buf = NULL;
- size_t buflen = 0;
- int found = 0;
-+ struct passwd *pwd;
-+ const char *oldpass;
-+
-+ pwd = pam_modutil_getpwnam (pamh, user);
-+ if (pwd == NULL)
-+ return PAM_USER_UNKNOWN;
-
- if (howmany <= 0)
- return PAM_SUCCESS;
-
-+#ifndef HELPER_COMPILE
-+ if (SELINUX_ENABLED)
-+ return PAM_PWHISTORY_RUN_HELPER;
-+#endif
-+
-+ if ((strcmp(pwd->pw_passwd, "x") == 0) ||
-+ ((pwd->pw_passwd[0] == '#') &&
-+ (pwd->pw_passwd[1] == '#') &&
-+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
-+ {
-+ struct spwd *spw = pam_modutil_getspnam (pamh, user);
-+
-+ if (spw == NULL)
-+ return PAM_USER_UNKNOWN;
-+ oldpass = spw->sp_pwdp;
-+ }
-+ else
-+ oldpass = pwd->pw_passwd;
-+
- if (oldpass == NULL || *oldpass == '\0')
- return PAM_SUCCESS;
-
-@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
- {
- char *out;
-
-- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
-+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
- {
- retval = PAM_AUTHTOK_ERR;
- if (oldpf)
-diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h
---- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100
-+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200
-@@ -1,5 +1,6 @@
- /*
- * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
-+ * Copyright (c) 2013 Red Hat, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -36,10 +37,32 @@
- #ifndef __OPASSWD_H__
- #define __OPASSWD_H__
-
--extern int check_old_pass (pam_handle_t *pamh, const char *user,
-- const char *newpass, int debug);
--extern int save_old_pass (pam_handle_t *pamh, const char *user,
-- uid_t uid, const char *oldpass,
-- int howmany, int debug);
-+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
-+
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#define SELINUX_ENABLED is_selinux_enabled()>0
-+#else
-+#define SELINUX_ENABLED 0
-+#endif
-+
-+#ifdef HELPER_COMPILE
-+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
-+#define PAMH_ARG(...) __VA_ARGS__
-+#else
-+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
-+#define PAMH_ARG(...) pamh, __VA_ARGS__
-+#endif
-+
-+#ifdef HELPER_COMPILE
-+void
-+helper_log_err(int err, const char *format, ...);
-+#endif
-+
-+PAMH_ARG_DECL(int
-+check_old_pass, const char *user, const char *newpass, int debug);
-+
-+PAMH_ARG_DECL(int
-+save_old_pass, const char *user, int howmany, int debug);
-
- #endif /* __OPASSWD_H__ */
-diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c
---- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200
-+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200
-@@ -1,6 +1,7 @@
- /*
- * Copyright (c) 2008, 2012 Thorsten Kukuk
- * Author: Thorsten Kukuk <kukuk@thkukuk.de>
-+ * Copyright (c) 2013 Red Hat, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -46,10 +47,14 @@
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
--#include <shadow.h>
- #include <syslog.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-+#include <sys/time.h>
-+#include <sys/resource.h>
-+#include <sys/wait.h>
-+#include <signal.h>
-+#include <fcntl.h>
-
- #include <security/pam_modules.h>
- #include <security/pam_modutil.h>
-@@ -59,6 +64,7 @@
- #include "opasswd.h"
-
- #define DEFAULT_BUFLEN 2048
-+#define MAX_FD_NO 20000
-
- struct options_t {
- int debug;
-@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const
- pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
- }
-
-+static int
-+run_save_helper(pam_handle_t *pamh, const char *user,
-+ int howmany, int debug)
-+{
-+ int retval, child;
-+ struct sigaction newsa, oldsa;
-+
-+ memset(&newsa, '\0', sizeof(newsa));
-+ newsa.sa_handler = SIG_DFL;
-+ sigaction(SIGCHLD, &newsa, &oldsa);
-+
-+ child = fork();
-+ if (child == 0)
-+ {
-+ int i = 0;
-+ struct rlimit rlim;
-+ int dummyfds[2];
-+ static char *envp[] = { NULL };
-+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
-+
-+ /* replace std file descriptors with a dummy pipe */
-+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
-+ {
-+ dup2(dummyfds[0], STDIN_FILENO);
-+ dup2(dummyfds[1], STDOUT_FILENO);
-+ dup2(dummyfds[1], STDERR_FILENO);
-+ }
-+
-+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
-+ {
-+ if (rlim.rlim_max >= MAX_FD_NO)
-+ rlim.rlim_max = MAX_FD_NO;
-+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
-+ {
-+ if (i != dummyfds[0])
-+ close(i);
-+ }
-+ }
-+
-+ /* exec binary helper */
-+ args[0] = strdup(PWHISTORY_HELPER);
-+ args[1] = strdup("save");
-+ args[2] = x_strdup(user);
-+ asprintf(&args[3], "%d", howmany);
-+ asprintf(&args[4], "%d", debug);
-+
-+ execve(args[0], args, envp);
-+
-+ _exit(PAM_SYSTEM_ERR);
-+ }
-+ else if (child > 0)
-+ {
-+ /* wait for child */
-+ int rc = 0;
-+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
-+ if (rc < 0)
-+ {
-+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc);
-+ retval = PAM_SYSTEM_ERR;
-+ }
-+ else if (!WIFEXITED(retval))
-+ {
-+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
-+ retval = PAM_SYSTEM_ERR;
-+ }
-+ else
-+ {
-+ retval = WEXITSTATUS(retval);
-+ }
-+ }
-+ else
-+ {
-+ retval = PAM_SYSTEM_ERR;
-+ }
-+
-+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
-+
-+ return retval;
-+}
-+
-+static int
-+run_check_helper(pam_handle_t *pamh, const char *user,
-+ const char *newpass, int debug)
-+{
-+ int retval, child, fds[2];
-+ struct sigaction newsa, oldsa;
-+
-+ /* create a pipe for the password */
-+ if (pipe(fds) != 0)
-+ return PAM_SYSTEM_ERR;
-+
-+ memset(&newsa, '\0', sizeof(newsa));
-+ newsa.sa_handler = SIG_DFL;
-+ sigaction(SIGCHLD, &newsa, &oldsa);
-+
-+ child = fork();
-+ if (child == 0)
-+ {
-+ int i = 0;
-+ struct rlimit rlim;
-+ int dummyfds[2];
-+ static char *envp[] = { NULL };
-+ char *args[] = { NULL, NULL, NULL, NULL, NULL };
-+
-+ /* reopen stdin as pipe */
-+ dup2(fds[0], STDIN_FILENO);
-+
-+ /* replace std file descriptors with a dummy pipe */
-+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
-+ {
-+ dup2(dummyfds[1], STDOUT_FILENO);
-+ dup2(dummyfds[1], STDERR_FILENO);
-+ }
-+
-+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
-+ {
-+ if (rlim.rlim_max >= MAX_FD_NO)
-+ rlim.rlim_max = MAX_FD_NO;
-+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
-+ {
-+ if (i != dummyfds[0])
-+ close(i);
-+ }
-+ }
-+
-+ /* exec binary helper */
-+ args[0] = strdup(PWHISTORY_HELPER);
-+ args[1] = strdup("check");
-+ args[2] = x_strdup(user);
-+ asprintf(&args[3], "%d", debug);
-+
-+ execve(args[0], args, envp);
-+
-+ _exit(PAM_SYSTEM_ERR);
-+ }
-+ else if (child > 0)
-+ {
-+ /* wait for child */
-+ int rc = 0;
-+ if (newpass == NULL)
-+ newpass = "";
-+
-+ /* send the password to the child */
-+ if (write(fds[1], newpass, strlen(newpass)+1) == -1)
-+ {
-+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
-+ retval = PAM_SYSTEM_ERR;
-+ }
-+ newpass = NULL;
-+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
-+ close(fds[1]);
-+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
-+ if (rc < 0)
-+ {
-+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc);
-+ retval = PAM_SYSTEM_ERR;
-+ }
-+ else if (!WIFEXITED(retval))
-+ {
-+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
-+ retval = PAM_SYSTEM_ERR;
-+ }
-+ else
-+ {
-+ retval = WEXITSTATUS(retval);
-+ }
-+ }
-+ else
-+ {
-+ close(fds[0]);
-+ close(fds[1]);
-+ retval = PAM_SYSTEM_ERR;
-+ }
-+
-+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
-+
-+ return retval;
-+}
-
- /* This module saves the current crypted password in /etc/security/opasswd
- and then compares the new password with all entries in this file. */
-@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const
- int
- pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
-- struct passwd *pwd;
- const char *newpass;
- const char *user;
- int retval, tries;
-@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
- return PAM_SUCCESS;
- }
-
-- pwd = pam_modutil_getpwnam (pamh, user);
-- if (pwd == NULL)
-- return PAM_USER_UNKNOWN;
--
-- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
-- ((pwd->pw_passwd[0] == '#') &&
-- (pwd->pw_passwd[1] == '#') &&
-- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
-- {
-- struct spwd *spw = pam_modutil_getspnam (pamh, user);
-- if (spw == NULL)
-- return PAM_USER_UNKNOWN;
-+ retval = save_old_pass (pamh, user, options.remember, options.debug);
-
-- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
-- options.remember, options.debug);
-- if (retval != PAM_SUCCESS)
-- return retval;
-- }
-- else
-- {
-- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
-- options.remember, options.debug);
-- if (retval != PAM_SUCCESS)
-- return retval;
-- }
-+ if (retval == PAM_PWHISTORY_RUN_HELPER)
-+ retval = run_save_helper(pamh, user, options.remember, options.debug);
-+
-+ if (retval != PAM_SUCCESS)
-+ return retval;
-
- newpass = NULL;
- tries = 0;
-@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
- if (options.debug)
- pam_syslog (pamh, LOG_DEBUG, "check against old password file");
-
-- if (check_old_pass (pamh, user, newpass,
-- options.debug) != PAM_SUCCESS)
-+ retval = check_old_pass (pamh, user, newpass, options.debug);
-+ if (retval == PAM_PWHISTORY_RUN_HELPER)
-+ retval = run_check_helper(pamh, user, newpass, options.debug);
-+
-+ if (retval != PAM_SUCCESS)
- {
- if (getuid() || options.enforce_for_root ||
- (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
-diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c
---- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200
-+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200
-@@ -0,0 +1,209 @@
-+/*
-+ * Copyright (c) 2013 Red Hat, Inc.
-+ * Author: Tomas Mraz <tmraz@redhat.com>
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions. (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "config.h"
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <syslog.h>
-+#include <errno.h>
-+#include <unistd.h>
-+#include <signal.h>
-+#include <security/_pam_types.h>
-+#include <security/_pam_macros.h>
-+#include "opasswd.h"
-+
-+#define MAXPASS 200
-+
-+static void
-+su_sighandler(int sig)
-+{
-+#ifndef SA_RESETHAND
-+ /* emulate the behaviour of the SA_RESETHAND flag */
-+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
-+ struct sigaction sa;
-+ memset(&sa, '\0', sizeof(sa));
-+ sa.sa_handler = SIG_DFL;
-+ sigaction(sig, &sa, NULL);
-+ }
-+#endif
-+ if (sig > 0) {
-+ _exit(sig);
-+ }
-+}
-+
-+static void
-+setup_signals(void)
-+{
-+ struct sigaction action; /* posix signal structure */
-+
-+ /*
-+ * Setup signal handlers
-+ */
-+ (void) memset((void *) &action, 0, sizeof(action));
-+ action.sa_handler = su_sighandler;
-+#ifdef SA_RESETHAND
-+ action.sa_flags = SA_RESETHAND;
-+#endif
-+ (void) sigaction(SIGILL, &action, NULL);
-+ (void) sigaction(SIGTRAP, &action, NULL);
-+ (void) sigaction(SIGBUS, &action, NULL);
-+ (void) sigaction(SIGSEGV, &action, NULL);
-+ action.sa_handler = SIG_IGN;
-+ action.sa_flags = 0;
-+ (void) sigaction(SIGTERM, &action, NULL);
-+ (void) sigaction(SIGHUP, &action, NULL);
-+ (void) sigaction(SIGINT, &action, NULL);
-+ (void) sigaction(SIGQUIT, &action, NULL);
-+}
-+
-+static int
-+read_passwords(int fd, int npass, char **passwords)
-+{
-+ int rbytes = 0;
-+ int offset = 0;
-+ int i = 0;
-+ char *pptr;
-+ while (npass > 0)
-+ {
-+ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
-+
-+ if (rbytes < 0)
-+ {
-+ if (errno == EINTR) continue;
-+ break;
-+ }
-+ if (rbytes == 0)
-+ break;
-+
-+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes))
-+ != NULL)
-+ {
-+ rbytes -= pptr - (passwords[i]+offset) + 1;
-+ i++;
-+ offset = 0;
-+ npass--;
-+ if (rbytes > 0)
-+ {
-+ if (npass > 0)
-+ memcpy(passwords[i], pptr+1, rbytes);
-+ memset(pptr+1, '\0', rbytes);
-+ }
-+ }
-+ offset += rbytes;
-+ }
-+
-+ /* clear up */
-+ if (offset > 0 && npass > 0)
-+ memset(passwords[i], '\0', offset);
-+
-+ return i;
-+}
-+
-+
-+static int
-+check_history(const char *user, const char *debug)
-+{
-+ char pass[MAXPASS + 1];
-+ char *passwords[] = { pass };
-+ int npass;
-+ int dbg = atoi(debug); /* no need to be too fancy here */
-+ int retval;
-+
-+ /* read the password from stdin (a pipe from the pam_pwhistory module) */
-+ npass = read_passwords(STDIN_FILENO, 1, passwords);
-+
-+ if (npass != 1)
-+ { /* is it a valid password? */
-+ helper_log_err(LOG_DEBUG, "no password supplied");
-+ return PAM_AUTHTOK_ERR;
-+ }
-+
-+ retval = check_old_pass(user, pass, dbg);
-+
-+ memset(pass, '\0', MAXPASS); /* clear memory of the password */
-+
-+ return retval;
-+}
-+
-+static int
-+save_history(const char *user, const char *howmany, const char *debug)
-+{
-+ int num = atoi(howmany);
-+ int dbg = atoi(debug); /* no need to be too fancy here */
-+ int retval;
-+
-+ retval = save_old_pass(user, num, dbg);
-+
-+ return retval;
-+}
-+
-+int
-+main(int argc, char *argv[])
-+{
-+ const char *option;
-+ const char *user;
-+
-+ /*
-+ * Catch or ignore as many signal as possible.
-+ */
-+ setup_signals();
-+
-+ /*
-+ * we establish that this program is running with non-tty stdin.
-+ * this is to discourage casual use.
-+ */
-+
-+ if (isatty(STDIN_FILENO) || argc < 4)
-+ {
-+ fprintf(stderr,
-+ "This binary is not designed for running in this way.\n");
-+ sleep(10); /* this should discourage/annoy the user */
-+ return PAM_SYSTEM_ERR;
-+ }
-+
-+ option = argv[1];
-+ user = argv[2];
-+
-+ if (strcmp(option, "check") == 0 && argc == 4)
-+ return check_history(user, argv[3]);
-+ else if (strcmp(option, "save") == 0 && argc == 5)
-+ return save_history(user, argv[3], argv[4]);
-+
-+ return PAM_SYSTEM_ERR;
-+}
-+
-diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml
---- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200
-+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200
-@@ -0,0 +1,68 @@
-+<?xml version="1.0" encoding='UTF-8'?>
-+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-+
-+<refentry id="pwhistory_helper">
-+
-+ <refmeta>
-+ <refentrytitle>pwhistory_helper</refentrytitle>
-+ <manvolnum>8</manvolnum>
-+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
-+ </refmeta>
-+
-+ <refnamediv id="pwhistory_helper-name">
-+ <refname>pwhistory_helper</refname>
-+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
-+ </refnamediv>
-+
-+ <refsynopsisdiv>
-+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
-+ <command>pwhistory_helper</command>
-+ <arg choice="opt">
-+ ...
-+ </arg>
-+ </cmdsynopsis>
-+ </refsynopsisdiv>
-+
-+ <refsect1 id="pwhistory_helper-description">
-+
-+ <title>DESCRIPTION</title>
-+
-+ <para>
-+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
-+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
-+ from passwd or shadow file to the opasswd file and checks a password
-+ supplied by user against the existing hashes in the opasswd file.
-+ </para>
-+
-+ <para>
-+ The purpose of the helper is to enable tighter confinement of
-+ login and password changing services. The helper is thus called only
-+ when SELinux is enabled on the system.
-+ </para>
-+
-+ <para>
-+ The interface of the helper - command line options, and input/output
-+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
-+ module and it should not be called directly from applications.
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id='pwhistory_helper-see_also'>
-+ <title>SEE ALSO</title>
-+ <para>
-+ <citerefentry>
-+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id='pwhistory_helper-author'>
-+ <title>AUTHOR</title>
-+ <para>
-+ Written by Tomas Mraz based on the code originally in
-+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
-+ </para>
-+ </refsect1>
-+
-+</refentry>
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-coverity.patch b/source/a/pam/fedora-patches/pam-1.3.1-coverity.patch
deleted file mode 100644
index cecf768f6..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-coverity.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
-index 106ef7c..b2e94c7 100644
---- a/libpam/pam_handlers.c
-+++ b/libpam/pam_handlers.c
-@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh
- {
- char *p;
- FILE *f;
-- int err = 0;
-
- /* Absolute path */
- if (service[0] == '/') {
-diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
-index be53f34..07dce36 100644
---- a/libpam_misc/misc_conv.c
-+++ b/libpam_misc/misc_conv.c
-@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
- line[nc] = '\0';
- }
- *retstr = strdup(line);
-- _pam_overwrite(line);
-+ _pam_overwrite_n(line, sizeof(line));
- if (!*retstr) {
- D(("no memory for response string"));
- nc = -1;
-@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
- D(("the timer appears to have expired"));
-
- *retstr = NULL;
-- _pam_overwrite(line);
-+ _pam_overwrite_n(line, sizeof(line));
-
- cleanexit:
-
-diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
-index 80d885d..3801862 100644
---- a/modules/pam_access/pam_access.c
-+++ b/modules/pam_access/pam_access.c
-@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- const char *user=NULL;
- const void *void_from=NULL;
- const char *from;
-- const char const *default_config = PAM_ACCESS_CONFIG;
-+ const char * const default_config = PAM_ACCESS_CONFIG;
- struct passwd *user_pw;
- char hostname[MAXHOSTNAMELEN + 1];
- int rv;
-diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index 4bc4ae7..f8476b4 100644
---- a/modules/pam_limits/pam_limits.c
-+++ b/modules/pam_limits/pam_limits.c
-@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = {
- #endif
- };
-
--static int str2rlimit(char *name) {
-+static int str2rlimit(const char *name) {
- int i;
- if (!name || *name == '\0')
- return -1;
-@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
- return -1;
- }
-
--static rlim_t str2rlim_t(char *value) {
-+static rlim_t str2rlim_t(const char *value) {
- unsigned long long rlimit = 0;
-
- if (!value) return (rlim_t)rlimit;
-@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
- FILE *limitsfile;
- const char *proclimits = "/proc/1/limits";
- char line[256];
-- char *units, *hard, *soft, *name;
-+ const char *units, *hard, *soft, *name;
-
- if (!(limitsfile = fopen(proclimits, "r"))) {
- pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
-diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
-index 96bfd98..66d202c 100644
---- a/modules/pam_loginuid/pam_loginuid.c
-+++ b/modules/pam_loginuid/pam_loginuid.c
-@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
- fd = open("/proc/self/uid_map", O_RDONLY);
- if (fd >= 0) {
- count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
-- if (strncmp(uid_map, host_uid_map, count) != 0)
-+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
- rc = PAM_IGNORE;
- close(fd);
- }
-diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
-index 9e204c1..4b8d6b7 100644
---- a/modules/pam_mkhomedir/mkhomedir_helper.c
-+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
-@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
- {
- pam_syslog(NULL, LOG_DEBUG,
- "unable to open or stat src file %s: %m", newsource);
-+ if (srcfd >= 0)
-+ close(srcfd);
- closedir(d);
-
- #ifndef PATH_MAX
-diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
-index f541f89..85f5efa 100644
---- a/modules/pam_namespace/pam_namespace.c
-+++ b/modules/pam_namespace/pam_namespace.c
-@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *
- if (fstat(fd, &newstatbuf) < 0) {
- pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
- ipath);
-+ close(fd);
- rmdir(ipath);
- return PAM_SESSION_ERR;
- }
-diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
-index e6cf346..813f579 100644
---- a/modules/pam_pwhistory/opasswd.c
-+++ b/modules/pam_pwhistory/opasswd.c
-@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
- n = strlen (buf);
- #endif /* HAVE_GETLINE / HAVE_GETDELIM */
-
-+ if (n < 1)
-+ break;
-+
- cp = buf;
- save = strdup (buf); /* Copy to write the original data back. */
- if (save == NULL)
-@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
- goto error_opasswd;
- }
-
-- if (n < 1)
-- break;
--
- tmp = strchr (cp, '#'); /* remove comments */
- if (tmp)
- *tmp = '\0';
-diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
-index 17baabe..a9d9140 100644
---- a/modules/pam_rootok/pam_rootok.c
-+++ b/modules/pam_rootok/pam_rootok.c
-@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...)
- int audit_fd;
- va_list ap;
-
-- va_start(ap, fmt);
- #ifdef HAVE_LIBAUDIT
- audit_fd = audit_open();
-
- if (audit_fd >= 0) {
- char *buf;
-+ int ret;
-
-- if (vasprintf (&buf, fmt, ap) < 0)
-+ va_start(ap, fmt);
-+ ret = vasprintf (&buf, fmt, ap);
-+ va_end(ap);
-+ if (ret < 0)
- return 0;
- audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
- NULL, 0);
-@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...)
- }
-
- #endif
-+ va_start(ap, fmt);
- vsyslog (LOG_USER | LOG_INFO, fmt, ap);
- va_end(ap);
- return 0;
-diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
-index c653290..f37af0f 100644
---- a/modules/pam_sepermit/pam_sepermit.c
-+++ b/modules/pam_sepermit/pam_sepermit.c
-@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
- if (*sense == PAM_SUCCESS) {
- if (ignore)
- *sense = PAM_IGNORE;
-- if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
-+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)
- if (sepermit_lock(pamh, user, debug) < 0)
- *sense = PAM_AUTH_ERR;
- }
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-motd-multiple-paths.patch b/source/a/pam/fedora-patches/pam-1.3.1-motd-multiple-paths.patch
deleted file mode 100644
index a0b069815..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-motd-multiple-paths.patch
+++ /dev/null
@@ -1,755 +0,0 @@
-diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml
-index 906c4ed..4e2110c 100644
---- a/modules/pam_motd/pam_motd.8.xml
-+++ b/modules/pam_motd/pam_motd.8.xml
-@@ -21,6 +21,9 @@
- <arg choice="opt">
- motd=<replaceable>/path/filename</replaceable>
- </arg>
-+ <arg choice="opt">
-+ motd_dir=<replaceable>/path/dirname.d</replaceable>
-+ </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -31,10 +34,49 @@
- <para>
- pam_motd is a PAM module that can be used to display
- arbitrary motd (message of the day) files after a successful
-- login. By default the <filename>/etc/motd</filename> file is
-- shown. The message size is limited to 64KB.
-+ login. By default, pam_motd shows files in the
-+ following locations:
-+ </para>
-+ <para>
-+ <simplelist type='vert'>
-+ <member><filename>/etc/motd</filename></member>
-+ <member><filename>/run/motd</filename></member>
-+ <member><filename>/usr/lib/motd</filename></member>
-+ <member><filename>/etc/motd.d/</filename></member>
-+ <member><filename>/run/motd.d/</filename></member>
-+ <member><filename>/usr/lib/motd.d/</filename></member>
-+ </simplelist>
-+ </para>
-+ <para>
-+ Each message size is limited to 64KB.
-+ </para>
-+ <para>
-+ If <filename>/etc/motd</filename> does not exist,
-+ then <filename>/run/motd</filename> is shown. If
-+ <filename>/run/motd</filename> does not exist, then
-+ <filename>/usr/lib/motd</filename> is shown.
-+ </para>
-+ <para>
-+ Similar overriding behavior applies to the directories.
-+ Files in <filename>/etc/motd.d/</filename> override files
-+ with the same name in <filename>/run/motd.d/</filename> and
-+ <filename>/usr/lib/motd.d/</filename>. Files in <filename>/run/motd.d/</filename>
-+ override files with the same name in <filename>/usr/lib/motd.d/</filename>.
-+ </para>
-+ <para>
-+ Files the in the directories listed above are displayed in
-+ lexicographic order by name.
-+ </para>
-+ <para>
-+ To silence a message,
-+ a symbolic link with target <filename>/dev/null</filename>
-+ may be placed in <filename>/etc/motd.d</filename> with
-+ the same filename as the message to be silenced. Example:
-+ Creating a symbolic link as follows silences <filename>/usr/lib/motd.d/my_motd</filename>.
-+ </para>
-+ <para>
-+ <command>ln -s /dev/null /etc/motd.d/my_motd</command>
- </para>
--
- </refsect1>
-
- <refsect1 id="pam_motd-options">
-@@ -47,8 +89,10 @@
- </term>
- <listitem>
- <para>
-- The <filename>/path/filename</filename> file is displayed
-- as message of the day.
-+ The <filename>/path/filename</filename> file is displayed
-+ as message of the day. Multiple paths to try can be
-+ specified as a colon-separated list. By default this option
-+ is set to <filename>/etc/motd:/run/motd:/usr/lib/motd</filename>.
- </para>
- </listitem>
- </varlistentry>
-@@ -59,16 +103,17 @@
- <listitem>
- <para>
- The <filename>/path/dirname.d</filename> directory is scanned
-- and each file contained inside of it is displayed.
-+ and each file contained inside of it is displayed. Multiple
-+ directories to scan can be specified as a colon-separated list.
-+ By default this option is set to <filename>/etc/motd.d:/run/motd.d:/usr/lib/motd.d</filename>.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- <para>
-- When no options are given, the default is to display both
-- <filename>/etc/motd</filename> and the contents of
-- <filename>/etc/motd.d</filename>. Specifying either option (or both)
-- will disable this default behavior.
-+ When no options are given, the default behavior applies for both
-+ options. Specifying either option (or both) will disable the
-+ default behavior for both options.
- </para>
- </refsect1>
-
-diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
-index cc828d7..ec3ebd5 100644
---- a/modules/pam_motd/pam_motd.c
-+++ b/modules/pam_motd/pam_motd.c
-@@ -33,8 +33,8 @@
- */
-
- #define PAM_SM_SESSION
--#define DEFAULT_MOTD "/etc/motd"
--#define DEFAULT_MOTD_D "/etc/motd.d"
-+#define DEFAULT_MOTD "/etc/motd:/run/motd:/usr/lib/motd"
-+#define DEFAULT_MOTD_D "/etc/motd.d:/run/motd.d:/usr/lib/motd.d"
-
- #include <security/pam_modules.h>
- #include <security/pam_modutil.h>
-@@ -97,12 +97,234 @@ static void try_to_display_directory(pam_handle_t *pamh, const char *dirname)
- }
- }
-
-+/*
-+ * Split a DELIM-separated string ARG into an array.
-+ * Outputs a newly allocated array of strings OUT_ARG_SPLIT
-+ * and the number of strings OUT_NUM_STRS.
-+ * Returns 0 in case of error, 1 in case of success.
-+ */
-+static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
-+ char ***out_arg_split, uint *out_num_strs)
-+{
-+ char *arg_extracted = NULL;
-+ const char *arg_ptr = arg;
-+ char **arg_split = NULL;
-+ char delim_str[2];
-+ int i = 0;
-+ uint num_strs = 0;
-+ int retval = 0;
-+
-+ delim_str[0] = delim;
-+ delim_str[1] = '\0';
-+
-+ if (arg == NULL) {
-+ goto out;
-+ }
-+
-+ while (arg_ptr != NULL) {
-+ num_strs++;
-+ arg_ptr = strchr(arg_ptr + sizeof(const char), delim);
-+ }
-+
-+ arg_split = (char **)calloc(num_strs, sizeof(char *));
-+ if (arg_split == NULL) {
-+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate string array");
-+ goto out;
-+ }
-+
-+ arg_extracted = strtok_r(arg, delim_str, &arg);
-+ while (arg_extracted != NULL && i < num_strs) {
-+ arg_split[i++] = arg_extracted;
-+ arg_extracted = strtok_r(NULL, delim_str, &arg);
-+ }
-+
-+ retval = 1;
-+
-+ out:
-+ *out_num_strs = num_strs;
-+ *out_arg_split = arg_split;
-+
-+ return retval;
-+}
-+
-+/* Join A_STR and B_STR, inserting a "/" between them if one is not already trailing
-+ * in A_STR or beginning B_STR. A pointer to a newly allocated string holding the
-+ * joined string is returned in STRP_OUT.
-+ * Returns -1 in case of error, or the number of bytes in the joined string in
-+ * case of success. */
-+static int join_dir_strings(char **strp_out, const char *a_str, const char *b_str)
-+{
-+ int has_sep = 0;
-+ int retval = -1;
-+ char *join_strp = NULL;
-+
-+ if (strp_out == NULL || a_str == NULL || b_str == NULL) {
-+ goto out;
-+ }
-+ if (strlen(a_str) == 0) {
-+ goto out;
-+ }
-+
-+ has_sep = (a_str[strlen(a_str) - 1] == '/') || (b_str[0] == '/');
-+
-+ retval = asprintf(&join_strp, "%s%s%s", a_str,
-+ (has_sep == 1) ? "" : "/", b_str);
-+
-+ if (retval < 0) {
-+ goto out;
-+ }
-+
-+ *strp_out = join_strp;
-+
-+ out:
-+ return retval;
-+}
-+
-+static int compare_strings(const void * a, const void * b)
-+{
-+ const char *a_str = *(char **)a;
-+ const char *b_str = *(char **)b;
-+
-+ if (a_str == NULL && b_str == NULL) {
-+ return 0;
-+ }
-+ else if (a_str == NULL) {
-+ return -1;
-+ }
-+ else if (b_str == NULL) {
-+ return 1;
-+ }
-+ else {
-+ return strcmp(a_str, b_str);
-+ }
-+}
-+
-+static int filter_dirents(const struct dirent *d)
-+{
-+ return (d->d_type == DT_REG || d->d_type == DT_LNK);
-+}
-+
-+static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
-+ char **motd_dir_path_split, int num_motd_dirs)
-+{
-+ struct dirent ***dirscans = NULL;
-+ int *dirscans_sizes = NULL;
-+ int dirscans_size_total = 0;
-+ char **dirnames_all = NULL;
-+ int i;
-+ int i_dirnames = 0;
-+
-+ if (pamh == NULL || motd_dir_path_split == NULL) {
-+ goto out;
-+ }
-+ if (num_motd_dirs < 1) {
-+ goto out;
-+ }
-+
-+ if ((dirscans = (struct dirent ***)calloc(num_motd_dirs,
-+ sizeof(struct dirent **))) == NULL) {
-+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent arrays");
-+ goto out;
-+ }
-+ if ((dirscans_sizes = (int *)calloc(num_motd_dirs, sizeof(int))) == NULL) {
-+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent array sizes");
-+ goto out;
-+ }
-+
-+ for (i = 0; i < num_motd_dirs; i++) {
-+ dirscans_sizes[i] = scandir(motd_dir_path_split[i], &(dirscans[i]),
-+ filter_dirents, alphasort);
-+ if (dirscans_sizes[i] < 0) {
-+ pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s", motd_dir_path_split[i]);
-+ dirscans_sizes[i] = 0;
-+ }
-+ dirscans_size_total += dirscans_sizes[i];
-+ }
-+
-+ /* Allocate space for all file names found in the directories, including duplicates. */
-+ if ((dirnames_all = (char **)calloc(dirscans_size_total,
-+ sizeof(char *))) == NULL) {
-+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirname array");
-+ goto out;
-+ }
-+
-+ for (i = 0; i < dirscans_size_total; i++) {
-+ dirnames_all[i] = NULL;
-+ }
-+
-+ for (i = 0; i < num_motd_dirs; i++) {
-+ int j;
-+
-+ for (j = 0; j < dirscans_sizes[i]; j++) {
-+ dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
-+ i_dirnames++;
-+ }
-+ }
-+
-+ qsort(dirnames_all, dirscans_size_total,
-+ sizeof(const char *), compare_strings);
-+
-+ for (i = 0; i < dirscans_size_total; i++) {
-+ int j;
-+
-+ if (dirnames_all[i] == NULL) {
-+ continue;
-+ }
-+
-+ /* Skip duplicate file names. */
-+ if (i > 0 && strcmp(dirnames_all[i], dirnames_all[i - 1]) == 0) {
-+ continue;
-+ }
-+
-+ for (j = 0; j < num_motd_dirs; j++) {
-+ char *abs_path = NULL;
-+
-+ if (join_dir_strings(&abs_path, motd_dir_path_split[j],
-+ dirnames_all[i]) < 0) {
-+ continue;
-+ }
-+
-+ if (abs_path != NULL) {
-+ int fd = open(abs_path, O_RDONLY, 0);
-+ if (fd >= 0) {
-+ try_to_display_fd(pamh, fd);
-+ close(fd);
-+
-+ /* We displayed a file, skip to the next file name. */
-+ break;
-+ }
-+ }
-+ _pam_drop(abs_path);
-+ }
-+ }
-+
-+ out:
-+ _pam_drop(dirnames_all);
-+ for (i = 0; i < num_motd_dirs; i++) {
-+ int j;
-+ for (j = 0; j < dirscans_sizes[i]; j++) {
-+ _pam_drop(dirscans[i][j]);
-+ }
-+ _pam_drop(dirscans[i]);
-+ }
-+ _pam_drop(dirscans_sizes);
-+ _pam_drop(dirscans);
-+
-+ return;
-+}
-+
- int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
- {
- int retval = PAM_IGNORE;
- const char *motd_path = NULL;
-+ char *motd_path_copy = NULL;
-+ int num_motd_paths = 0;
-+ char **motd_path_split = NULL;
- const char *motd_dir_path = NULL;
-+ char *motd_dir_path_copy = NULL;
-+ int num_motd_dir_paths = 0;
-+ char **motd_dir_path_split = NULL;
-
- if (flags & PAM_SILENT) {
- return retval;
-@@ -141,16 +363,52 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
- }
-
- if (motd_path != NULL) {
-- int fd = open(motd_path, O_RDONLY, 0);
-+ motd_path_copy = strdup(motd_path);
-+ }
-+
-+ if (motd_path_copy != NULL) {
-+ if (pam_split_string(pamh, motd_path_copy, ':',
-+ &motd_path_split, &num_motd_paths) == 0) {
-+ goto out;
-+ }
-+ }
-+
-+ if (motd_dir_path != NULL) {
-+ motd_dir_path_copy = strdup(motd_dir_path);
-+ }
-
-- if (fd >= 0) {
-- try_to_display_fd(pamh, fd);
-- close(fd);
-+ if (motd_dir_path_copy != NULL) {
-+ if (pam_split_string(pamh, motd_dir_path_copy, ':',
-+ &motd_dir_path_split, &num_motd_dir_paths) == 0) {
-+ goto out;
- }
- }
-
-- if (motd_dir_path != NULL)
-- try_to_display_directory(pamh, motd_dir_path);
-+ if (motd_path_split != NULL) {
-+ int i;
-+
-+ for (i = 0; i < num_motd_paths; i++) {
-+ int fd = open(motd_path_split[i], O_RDONLY, 0);
-+
-+ if (fd >= 0) {
-+ try_to_display_fd(pamh, fd);
-+ close(fd);
-+
-+ /* We found and displayed a file, move onto next filename. */
-+ break;
-+ }
-+ }
-+ }
-+
-+ if (motd_dir_path_split != NULL)
-+ try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
-+ num_motd_dir_paths);
-+
-+ out:
-+ _pam_drop(motd_path_copy);
-+ _pam_drop(motd_path_split);
-+ _pam_drop(motd_dir_path_copy);
-+ _pam_drop(motd_dir_path_split);
-
- return retval;
- }
-diff --git a/xtests/Makefile.am b/xtests/Makefile.am
-index a6d6f8d..4d5aba3 100644
---- a/xtests/Makefile.am
-+++ b/xtests/Makefile.am
-@@ -32,7 +32,10 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
- tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh \
- tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh \
- tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh \
-- tst-pam_time1.pamd time.conf
-+ tst-pam_time1.pamd time.conf \
-+ tst-pam_motd.sh tst-pam_motd1.sh tst-pam_motd2.sh \
-+ tst-pam_motd3.sh tst-pam_motd4.sh tst-pam_motd1.pamd \
-+ tst-pam_motd2.pamd tst-pam_motd3.pamd tst-pam_motd4.pamd
-
- XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
- tst-pam_dispatch4 tst-pam_dispatch5 \
-@@ -41,7 +44,7 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
- tst-pam_access1 tst-pam_access2 tst-pam_access3 \
- tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
- tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
-- tst-pam_pwhistory1 tst-pam_time1
-+ tst-pam_pwhistory1 tst-pam_time1 tst-pam_motd
-
- NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \
- tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line1
-diff --git a/xtests/tst-pam_motd.c b/xtests/tst-pam_motd.c
-new file mode 100644
-index 0000000..bba2f9d
---- /dev/null
-+++ b/xtests/tst-pam_motd.c
-@@ -0,0 +1,69 @@
-+/*
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions. (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <security/pam_appl.h>
-+#include <security/pam_misc.h>
-+
-+static struct pam_conv conv = {
-+ misc_conv,
-+ NULL
-+};
-+
-+int main(int argc, char *argv[])
-+{
-+ pam_handle_t *pamh=NULL;
-+ char *tst_arg = NULL;
-+ int retval;
-+
-+ if (argc > 1)
-+ tst_arg = argv[1];
-+
-+ retval = pam_start(tst_arg, NULL, &conv, &pamh);
-+
-+ retval = pam_open_session(pamh, 0);
-+
-+ retval = pam_close_session(pamh, 0);
-+
-+ if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
-+ pamh = NULL;
-+ exit(1);
-+ }
-+
-+ return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */
-+}
-diff --git a/xtests/tst-pam_motd.sh b/xtests/tst-pam_motd.sh
-new file mode 100755
-index 0000000..9080128
---- /dev/null
-+++ b/xtests/tst-pam_motd.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+
-+set -e
-+
-+./tst-pam_motd1.sh
-+./tst-pam_motd2.sh
-+./tst-pam_motd3.sh
-+./tst-pam_motd4.sh
-diff --git a/xtests/tst-pam_motd1.pamd b/xtests/tst-pam_motd1.pamd
-new file mode 100644
-index 0000000..ddea82c
---- /dev/null
-+++ b/xtests/tst-pam_motd1.pamd
-@@ -0,0 +1,3 @@
-+#%PAM-1.0
-+session required pam_permit.so
-+session optional pam_motd.so motd=tst-pam_motd1.d/etc/motd motd_dir=tst-pam_motd1.d/etc/motd.d
-diff --git a/xtests/tst-pam_motd1.sh b/xtests/tst-pam_motd1.sh
-new file mode 100755
-index 0000000..cc88854
---- /dev/null
-+++ b/xtests/tst-pam_motd1.sh
-@@ -0,0 +1,36 @@
-+#!/bin/bash
-+
-+TST_DIR="tst-pam_motd1.d"
-+
-+function tst_cleanup() {
-+ rm -rf "${TST_DIR}"
-+ rm -f tst-pam_motd1.out
-+}
-+
-+mkdir -p ${TST_DIR}
-+mkdir -p ${TST_DIR}/etc/motd.d
-+
-+# Verify the case of single motd and motd.d directory works
-+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
-+echo "motd: /etc/motd.d/test" > ${TST_DIR}/etc/motd.d/test
-+
-+./tst-pam_motd tst-pam_motd1 > tst-pam_motd1.out
-+
-+RET=$?
-+
-+motd_to_show_output=$(cat tst-pam_motd1.out | grep "motd: /etc/motd")
-+if [ -z "${motd_to_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+motd_dir_to_show_output=$(cat tst-pam_motd1.out | grep "motd: /etc/motd.d/test")
-+if [ -z "${motd_dir_to_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+tst_cleanup
-+exit $RET
-diff --git a/xtests/tst-pam_motd2.pamd b/xtests/tst-pam_motd2.pamd
-new file mode 100644
-index 0000000..8200191
---- /dev/null
-+++ b/xtests/tst-pam_motd2.pamd
-@@ -0,0 +1,3 @@
-+#%PAM-1.0
-+session required pam_permit.so
-+session optional pam_motd.so motd=tst-pam_motd2.d/etc/motd:tst-pam_motd2.d/run/motd:tst-pam_motd2.d/usr/lib/motd motd_dir=tst-pam_motd2.d/etc/motd.d:tst-pam_motd2.d/run/motd.d:tst-pam_motd2.d/usr/lib/motd.d
-diff --git a/xtests/tst-pam_motd2.sh b/xtests/tst-pam_motd2.sh
-new file mode 100755
-index 0000000..d26ea92
---- /dev/null
-+++ b/xtests/tst-pam_motd2.sh
-@@ -0,0 +1,53 @@
-+#!/bin/bash
-+
-+TST_DIR="tst-pam_motd2.d"
-+
-+function tst_cleanup() {
-+ rm -rf "${TST_DIR}"
-+ rm -f tst-pam_motd2.out
-+}
-+
-+mkdir -p ${TST_DIR}
-+mkdir -p ${TST_DIR}/etc/motd.d
-+mkdir -p ${TST_DIR}/run/motd.d
-+mkdir -p ${TST_DIR}/usr/lib/motd.d
-+
-+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
-+echo "motd: /run/motd" > ${TST_DIR}/run/motd
-+echo "motd: /usr/lib/motd" > ${TST_DIR}/usr/lib/motd
-+
-+# Drop a motd file in test directories such that every overriding
-+# condition (for 3 directories in this case) will be seen.
-+echo "motd: e0r0u1 in usr/lib - will show" > ${TST_DIR}/usr/lib/motd.d/e0r0u1.motd
-+echo "motd: e0r1u0 in run - will show" > ${TST_DIR}/run/motd.d/e0r1u0.motd
-+echo "motd: e0r1u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e0r1u1.motd
-+echo "motd: e0r1u1 in run - will show" > ${TST_DIR}/run/motd.d/e0r1u1.motd
-+echo "motd: e1r0u0 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r0u0.motd
-+echo "motd: e1r0u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e1r0u1.motd
-+echo "motd: e1r0u1 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r0u1.motd
-+echo "motd: e1r1u0 in run - not show" > ${TST_DIR}/run/motd.d/e1r1u0.motd
-+echo "motd: e1r1u0 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r1u0.motd
-+echo "motd: e1r1u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e1r1u1.motd
-+echo "motd: e1r1u1 in run - not show" > ${TST_DIR}/run/motd.d/e1r1u1.motd
-+echo "motd: e1r1u1 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r1u1.motd
-+
-+./tst-pam_motd tst-pam_motd2 > tst-pam_motd2.out
-+
-+RET=$?
-+
-+motd_to_show_output=$(cat tst-pam_motd2.out | grep "motd: /etc/motd")
-+if [ -z "${motd_to_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+motd_dir_not_show_output=$(cat tst-pam_motd2.out | grep "not show")
-+if [ -n "${motd_dir_not_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+tst_cleanup
-+exit $RET
-diff --git a/xtests/tst-pam_motd3.pamd b/xtests/tst-pam_motd3.pamd
-new file mode 100644
-index 0000000..a8b8cbf
---- /dev/null
-+++ b/xtests/tst-pam_motd3.pamd
-@@ -0,0 +1,3 @@
-+#%PAM-1.0
-+session required pam_permit.so
-+session optional pam_motd.so motd=tst-pam_motd3.d/etc/motd:tst-pam_motd3.d/run/motd:tst-pam_motd3.d/usr/lib/motd motd_dir=tst-pam_motd3.d/etc/motd.d:tst-pam_motd3.d/run/motd.d:tst-pam_motd3.d/usr/lib/motd.d
-diff --git a/xtests/tst-pam_motd3.sh b/xtests/tst-pam_motd3.sh
-new file mode 100755
-index 0000000..e18856b
---- /dev/null
-+++ b/xtests/tst-pam_motd3.sh
-@@ -0,0 +1,53 @@
-+#!/bin/bash
-+
-+TST_DIR="tst-pam_motd3.d"
-+
-+function tst_cleanup() {
-+ rm -rf "${TST_DIR}"
-+ rm -f tst-pam_motd3.out
-+}
-+
-+mkdir -p ${TST_DIR}
-+mkdir -p ${TST_DIR}/etc/motd.d
-+mkdir -p ${TST_DIR}/run/motd.d
-+mkdir -p ${TST_DIR}/usr/lib/motd.d
-+
-+# Verify motd is still displayed when not overridden
-+echo "motd: test-show in run - show" > ${TST_DIR}/run/motd.d/test-show.motd
-+
-+# Test overridden by a symlink to a file that isn't /dev/null; symlink target should show
-+echo "motd: hidden-by-symlink in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/hidden-by-symlink.motd
-+echo "motd: test-from-symlink - show" > ${TST_DIR}/test-from-symlink.motd
-+ln -sr ${TST_DIR}/test-from-symlink.motd ${TST_DIR}/run/motd.d/hidden-by-symlink.motd
-+
-+# Test hidden by a null symlink
-+echo "motd: hidden-by-null-symlink in run - not show" > ${TST_DIR}/run/motd.d/hidden-by-null-symlink.motd
-+ln -s /dev/null ${TST_DIR}/etc/motd.d/hidden-by-null-symlink.motd
-+
-+./tst-pam_motd tst-pam_motd3 > tst-pam_motd3.out
-+
-+RET=$?
-+
-+motd_dir_not_show_output=$(cat tst-pam_motd3.out | grep "not show")
-+if [ -n "${motd_dir_not_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+motd_test_show_output=$(cat tst-pam_motd3.out | grep "test-show.*- show")
-+if [ -z "${motd_test_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+motd_general_symlink_show_output=$(cat tst-pam_motd3.out | grep "test-from-symlink.*- show")
-+if [ -z "${motd_general_symlink_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+tst_cleanup
-+exit $RET
-diff --git a/xtests/tst-pam_motd4.pamd b/xtests/tst-pam_motd4.pamd
-new file mode 100644
-index 0000000..9dc311a
---- /dev/null
-+++ b/xtests/tst-pam_motd4.pamd
-@@ -0,0 +1,3 @@
-+#%PAM-1.0
-+session required pam_permit.so
-+session optional pam_motd.so motd=tst-pam_motd4.d/etc/motd
-diff --git a/xtests/tst-pam_motd4.sh b/xtests/tst-pam_motd4.sh
-new file mode 100755
-index 0000000..6022177
---- /dev/null
-+++ b/xtests/tst-pam_motd4.sh
-@@ -0,0 +1,27 @@
-+#!/bin/bash
-+
-+TST_DIR="tst-pam_motd4.d"
-+
-+function tst_cleanup() {
-+ rm -rf "${TST_DIR}"
-+ rm -f tst-pam_motd4.out
-+}
-+
-+mkdir -p ${TST_DIR}/etc
-+
-+# Verify the case of single motd with no motd_dir given in tst-pam_motd4.pamd
-+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
-+
-+./tst-pam_motd tst-pam_motd4 > tst-pam_motd4.out
-+
-+RET=$?
-+
-+motd_to_show_output=$(cat tst-pam_motd4.out | grep "motd: /etc/motd")
-+if [ -z "${motd_to_show_output}" ];
-+then
-+ tst_cleanup
-+ exit 1
-+fi
-+
-+tst_cleanup
-+exit $RET
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-noflex.patch b/source/a/pam/fedora-patches/pam-1.3.1-noflex.patch
deleted file mode 100644
index c65d22537..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-noflex.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up Linux-PAM-1.3.1/doc/Makefile.am.noflex Linux-PAM-1.3.1/doc/Makefile.am
---- Linux-PAM-1.3.1/doc/Makefile.am.noflex 2017-02-10 11:10:15.000000000 +0100
-+++ Linux-PAM-1.3.1/doc/Makefile.am 2018-05-18 14:53:50.300997606 +0200
-@@ -2,7 +2,7 @@
- # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
- #
-
--SUBDIRS = man specs sag adg mwg
-+SUBDIRS = man sag adg mwg
-
- CLEANFILES = *~
-
-diff -up Linux-PAM-1.3.1/Makefile.am.noflex Linux-PAM-1.3.1/Makefile.am
---- Linux-PAM-1.3.1/Makefile.am.noflex 2018-05-18 14:53:50.301997629 +0200
-+++ Linux-PAM-1.3.1/Makefile.am 2018-05-18 14:55:31.576353800 +0200
-@@ -4,7 +4,7 @@
-
- AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news
-
--SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
-+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
-
- CLEANFILES = *~
-
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.3.1-redhat-modules.patch
deleted file mode 100644
index 4d3f37414..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-redhat-modules.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-diff -up Linux-PAM-1.3.1/configure.ac.redhat-modules Linux-PAM-1.3.1/configure.ac
---- Linux-PAM-1.3.1/configure.ac.redhat-modules 2018-05-18 12:57:57.000000000 +0200
-+++ Linux-PAM-1.3.1/configure.ac 2018-11-26 12:58:14.623545121 +0100
-@@ -611,10 +611,12 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
- libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
- po/Makefile.in \
- modules/Makefile \
-+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
-+ modules/pam_postgresok/Makefile \
- modules/pam_access/Makefile modules/pam_cracklib/Makefile \
- modules/pam_debug/Makefile modules/pam_deny/Makefile \
- modules/pam_echo/Makefile modules/pam_env/Makefile \
-- modules/pam_faildelay/Makefile \
-+ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \
- modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
- modules/pam_ftp/Makefile modules/pam_group/Makefile \
- modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
-diff -up Linux-PAM-1.3.1/doc/sag/pam_faillock.xml.redhat-modules Linux-PAM-1.3.1/doc/sag/pam_faillock.xml
---- Linux-PAM-1.3.1/doc/sag/pam_faillock.xml.redhat-modules 2018-11-26 12:58:14.623545121 +0100
-+++ Linux-PAM-1.3.1/doc/sag/pam_faillock.xml 2018-11-26 12:58:14.623545121 +0100
-@@ -0,0 +1,38 @@
-+<?xml version='1.0' encoding='UTF-8'?>
-+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-+<section id='sag-pam_faillock'>
-+ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
-+ <cmdsynopsis>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
-+ </cmdsynopsis>
-+ <cmdsynopsis>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
-+ </cmdsynopsis>
-+ <section id='sag-pam_faillock-description'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-options'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-types'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-return_values'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-examples'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-author'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
-+ </section>
-+</section>
-diff -up Linux-PAM-1.3.1/modules/Makefile.am.redhat-modules Linux-PAM-1.3.1/modules/Makefile.am
---- Linux-PAM-1.3.1/modules/Makefile.am.redhat-modules 2017-02-10 11:10:15.000000000 +0100
-+++ Linux-PAM-1.3.1/modules/Makefile.am 2018-11-26 12:58:14.623545121 +0100
-@@ -3,13 +3,14 @@
- #
-
- SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
-+ pam_chroot pam_console pam_postgresok pam_faillock \
- pam_env pam_exec pam_faildelay pam_filter pam_ftp \
- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
- pam_listfile pam_localuser pam_loginuid pam_mail \
- pam_mkhomedir pam_motd pam_namespace pam_nologin \
- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
- pam_selinux pam_sepermit pam_shells pam_stress \
-- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
-+ pam_succeed_if pam_time pam_timestamp \
- pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
-
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch
deleted file mode 100644
index bff9d47ea..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Thu, 15 Nov 2018 15:01:57 +0100
-Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
-
-Bcrypt hashes used the "$2a$" prefix since 1997.
-However, in 2011 an implementation bug was discovered in bcrypt
-affecting the handling of characters in passphrases with the 8th
-bit set.
-
-Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
-for a behavior that exactly matches crypt_blowfish's "$2y$", and
-the crypt_blowfish implementation supports it as well since v1.1.
-
-That said new computed bcrypt hashes should use the "$2b$" prefix.
-
-* modules/pam_unix/passverify.c: Use bcrypt b-variant.
----
- modules/pam_unix/passverify.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 9c1771e2..1f433b3a 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
- /* algoid = "$1" */
- return crypt_md5_wrapper(password);
- } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
-- algoid = "$2a$";
-+ algoid = "$2b$";
- } else if (on(UNIX_SHA256_PASS, ctrl)) {
- algoid = "$5$";
- } else if (on(UNIX_SHA512_PASS, ctrl)) {
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch
deleted file mode 100644
index 5cbc35b03..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Mon, 26 Nov 2018 22:33:17 +0100
-Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to
- syslog.
-
-libxcrypt can be build-time configured to support (or not support)
-various hashing methods. Future versions will also have support for
-runtime configuration by the system's vendor and/or administrator.
-
-For that reason adminstrator should be notified by pam if users cannot
-log into their account anymore because of such a change in the system's
-configuration of libxcrypt.
-
-Also check for malformed hashes, like descrypt hashes starting with
-"$2...", which might have been generated by unsafe base64 encoding
-functions as used in glibc <= 2.16.
-Such hashes are likely to be rejected by many recent implementations
-of libcrypt.
-
-* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
-hashes found by checksalt to syslog.
----
- modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index eb2444bb..2c808eb5 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
- * Ok, we don't know the crypt algorithm, but maybe
- * libcrypt knows about it? We should try it.
- */
-+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-+ /* Get the status of the hash from checksalt */
-+ int retval_checksalt = crypt_checksalt(hash);
-+
-+ /*
-+ * Check for hashing methods that are disabled by
-+ * libcrypt configuration and/or system preset.
-+ */
-+ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
-+ /*
-+ * pam_syslog() needs a pam handle,
-+ * but that's not available here.
-+ */
-+ helper_log_err(LOG_ERR,
-+ "pam_unix(verify_pwd_hash): The method "
-+ "for computing the hash \"%.6s\" has been "
-+ "disabled in libcrypt by the preset from "
-+ "the system's vendor and/or administrator.",
-+ hash);
-+ }
-+ /*
-+ * Check for malformed hashes, like descrypt hashes
-+ * starting with "$2...", which might have been
-+ * generated by unsafe base64 encoding functions
-+ * as used in glibc <= 2.16.
-+ * Such hashes are likely to be rejected by many
-+ * recent implementations of libcrypt.
-+ */
-+ if (retval_checksalt == CRYPT_SALT_INVALID) {
-+ helper_log_err(LOG_ERR,
-+ "pam_unix(verify_pwd_hash): The hash \"%.6s\""
-+ "does not use a method known by the version "
-+ "of libcrypt this system is supplied with.",
-+ hash);
-+ }
-+#endif
- #ifdef HAVE_CRYPT_R
- struct crypt_data *cdata;
- cdata = malloc(sizeof(*cdata));
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch
deleted file mode 100644
index 0a74e940e..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 62425bf2a0c72d0e23139d0b285547a7add26251 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Thu, 15 Nov 2018 19:49:44 +0100
-Subject: [PATCH] pam_unix: Add support for crypt_checksalt, if libcrypt
- supports it.
-
-libxcrypt v4.3 has added the crypt_checksalt function to whether
-the prefix at the begining of a given hash string refers to a
-supported hashing method.
-
-Future revisions of this function will add support to check whether
-the hashing method, the prefix refers to, was disabled or considered
-deprecated by the system's factory presets or system administrator.
-Furthermore it will be able to detect whether the parameters, which
-are used by the corresponding hashing method, being encoded in the
-hash string are not considered to be strong enough anymore.
-
-*modules/pam_unix/passverify.c: Add support for crypt_checksalt.
----
- modules/pam_unix/passverify.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 1f433b3a..6132130a 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -244,7 +244,13 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- D(("account expired"));
- return PAM_ACCT_EXPIRED;
- }
-+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-+ if (spent->sp_lstchg == 0 ||
-+ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
-+ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
-+#else
- if (spent->sp_lstchg == 0) {
-+#endif
- D(("need a new password"));
- *daysleft = 0;
- return PAM_NEW_AUTHTOK_REQD;
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch
deleted file mode 100644
index 41733ae04..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From d8d11db2cef65da5d2afa7acf21aa9c8cd88abed Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Tue, 27 Nov 2018 16:11:03 +0100
-Subject: [PATCH] pam_unix: Use pam_syslog instead of helper_log_err.
-
-* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
- PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
-* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
-* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
- to verify_pwd_hash() call.
----
- modules/pam_unix/passverify.c | 24 +++++++++++++-----------
- modules/pam_unix/passverify.h | 6 +++---
- modules/pam_unix/support.c | 2 +-
- 3 files changed, 17 insertions(+), 15 deletions(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 2c808eb5..80e32767 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -65,8 +65,8 @@ strip_hpux_aging(char *hash)
- }
- }
-
--int
--verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
-+PAMH_ARG_DECL(int verify_pwd_hash,
-+ const char *p, char *hash, unsigned int nullok)
- {
- size_t hash_len;
- char *pp = NULL;
-@@ -116,11 +116,10 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
- * pam_syslog() needs a pam handle,
- * but that's not available here.
- */
-- helper_log_err(LOG_ERR,
-- "pam_unix(verify_pwd_hash): The method "
-- "for computing the hash \"%.6s\" has been "
-- "disabled in libcrypt by the preset from "
-- "the system's vendor and/or administrator.",
-+ pam_syslog(pamh, LOG_ERR,
-+ "The support for password hash \"%.6s\" "
-+ "has been disabled in libcrypt "
-+ "configuration.",
- hash);
- }
- /*
-@@ -132,12 +131,15 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
- * recent implementations of libcrypt.
- */
- if (retval_checksalt == CRYPT_SALT_INVALID) {
-- helper_log_err(LOG_ERR,
-- "pam_unix(verify_pwd_hash): The hash \"%.6s\""
-- "does not use a method known by the version "
-- "of libcrypt this system is supplied with.",
-+ pam_syslog(pamh, LOG_ERR,
-+ "The password hash \"%.6s\" is unknown to "
-+ "libcrypt.",
- hash);
- }
-+#else
-+#ifndef HELPER_COMPILE
-+ (void)pamh;
-+#endif
- #endif
- #ifdef HAVE_CRYPT_R
- struct crypt_data *cdata;
-diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
-index 086c28ac..e9a88fbf 100644
---- a/modules/pam_unix/passverify.h
-+++ b/modules/pam_unix/passverify.h
-@@ -12,9 +12,6 @@
-
- #define OLD_PASSWORDS_FILE "/etc/security/opasswd"
-
--int
--verify_pwd_hash(const char *p, char *hash, unsigned int nullok);
--
- int
- is_pwd_shadowed(const struct passwd *pwd);
-
-@@ -65,6 +62,9 @@ read_passwords(int fd, int npass, char **passwords);
- #define PAMH_ARG(...) pamh, __VA_ARGS__
- #endif
-
-+PAMH_ARG_DECL(int verify_pwd_hash,
-+ const char *p, char *hash, unsigned int nullok);
-+
- PAMH_ARG_DECL(char * create_password_hash,
- const char *password, unsigned long long ctrl, int rounds);
-
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index 6894288d..ea5594d2 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -770,7 +770,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
- }
- }
- } else {
-- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
-+ retval = verify_pwd_hash(pamh, p, salt, off(UNIX__NONULL, ctrl));
- }
-
- if (retval == PAM_SUCCESS) {
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
deleted file mode 100644
index 8ae4abfd8..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 05aa693b7db6b818d31e41f0cab1d5fb4f49600e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Thu, 15 Nov 2018 15:58:56 +0100
-Subject: [PATCH] pam_unix: Prefer a gensalt function, that supports auto
- entropy.
-
-* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
-* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
-* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
----
- modules/pam_unix/pam_unix_passwd.c | 2 +-
- modules/pam_unix/passverify.c | 13 +++++++++++++
- modules/pam_unix/support.c | 7 +++++--
- 3 files changed, 19 insertions(+), 3 deletions(-)
-
-Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
-===================================================================
---- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix_passwd.c
-+++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
-@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
- unsigned int ctrl, lctrl;
- int retval;
- int remember = -1;
-- int rounds = -1;
-+ int rounds = 0;
- int pass_min_len = 0;
-
- /* <DO NOT free() THESE> */
-Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c
-===================================================================
---- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c
-+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c
-@@ -375,7 +375,12 @@ PAMH_ARG_DECL(char * create_password_has
- const char *password, unsigned int ctrl, int rounds)
- {
- const char *algoid;
-+#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
-+ /* Strings returned by crypt_gensalt_rn will be no longer than this. */
-+ char salt[CRYPT_GENSALT_OUTPUT_SIZE];
-+#else
- char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */
-+#endif
- char *sp;
- #ifdef HAVE_CRYPT_R
- struct crypt_data *cdata = NULL;
-@@ -406,6 +411,13 @@ PAMH_ARG_DECL(char * create_password_has
- return crypted;
- }
-
-+#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
-+ /*
-+ * Any version of libcrypt supporting auto entropy is
-+ * guaranteed to have crypt_gensalt_rn().
-+ */
-+ sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
-+#else
- #ifdef HAVE_CRYPT_GENSALT_R
- if (on(UNIX_BLOWFISH_PASS, ctrl)) {
- char entropy[17];
-@@ -423,6 +435,7 @@ PAMH_ARG_DECL(char * create_password_has
- #ifdef HAVE_CRYPT_GENSALT_R
- }
- #endif
-+#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
- #ifdef HAVE_CRYPT_R
- sp = NULL;
- cdata = malloc(sizeof(*cdata));
-Index: Linux-PAM-1.3.1/modules/pam_unix/support.c
-===================================================================
---- Linux-PAM-1.3.1.orig/modules/pam_unix/support.c
-+++ Linux-PAM-1.3.1/modules/pam_unix/support.c
-@@ -175,6 +175,7 @@ int _set_ctrl(pam_handle_t *pamh, int fl
-
- if (val) {
- *rounds = strtol(val, NULL, 10);
-+ set(UNIX_ALGO_ROUNDS, ctrl);
- free (val);
- }
- }
-@@ -254,11 +255,13 @@ int _set_ctrl(pam_handle_t *pamh, int fl
- if (*rounds < 4 || *rounds > 31)
- *rounds = 5;
- } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
-- if ((*rounds < 1000) || (*rounds == INT_MAX))
-+ if ((*rounds < 1000) || (*rounds == INT_MAX)) {
- /* don't care about bogus values */
-+ *rounds = 0;
- unset(UNIX_ALGO_ROUNDS, ctrl);
-- if (*rounds >= 10000000)
-+ } else if (*rounds >= 10000000) {
- *rounds = 9999999;
-+ }
- }
- }
-
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch
deleted file mode 100644
index 8755cf602..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml
-===================================================================
---- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix.8.xml
-+++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml
-@@ -293,11 +293,10 @@
- <listitem>
- <para>
- When a user changes their password next,
-- encrypt it with the SHA256 algorithm. If the
-- SHA256 algorithm is not known to the <citerefentry>
-+ encrypt it with the SHA256 algorithm. The
-+ SHA256 algorithm must be supported by the <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
-- </citerefentry> function,
-- fall back to MD5.
-+ </citerefentry> function.
- </para>
- </listitem>
- </varlistentry>
-@@ -308,11 +307,10 @@
- <listitem>
- <para>
- When a user changes their password next,
-- encrypt it with the SHA512 algorithm. If the
-- SHA512 algorithm is not known to the <citerefentry>
-+ encrypt it with the SHA512 algorithm. The
-+ SHA512 algorithm must be supported by the <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
-- </citerefentry> function,
-- fall back to MD5.
-+ </citerefentry> function.
- </para>
- </listitem>
- </varlistentry>
-@@ -323,11 +321,10 @@
- <listitem>
- <para>
- When a user changes their password next,
-- encrypt it with the blowfish algorithm. If the
-- blowfish algorithm is not known to the <citerefentry>
-+ encrypt it with the blowfish algorithm. The
-+ blowfish algorithm must be supported by the <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
-- </citerefentry> function,
-- fall back to MD5.
-+ </citerefentry> function.
- </para>
- </listitem>
- </varlistentry>
-@@ -338,11 +335,10 @@
- <listitem>
- <para>
- When a user changes their password next,
-- encrypt it with the gost-yescrypt algorithm. If the
-- gost-yescrypt algorithm is not known to the <citerefentry>
-+ encrypt it with the gost-yescrypt algorithm. The
-+ gost-yescrypt algorithm must be supported by the <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
-- </citerefentry> function,
-- fall back to MD5.
-+ </citerefentry> function.
- </para>
- </listitem>
- </varlistentry>
-@@ -353,11 +349,10 @@
- <listitem>
- <para>
- When a user changes their password next,
-- encrypt it with the yescrypt algorithm. If the
-- yescrypt algorithm is not known to the <citerefentry>
-+ encrypt it with the yescrypt algorithm. The
-+ yescrypt algorithm must be supported by the <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
-- </citerefentry> function,
-- fall back to MD5.
-+ </citerefentry> function.
- </para>
- </listitem>
- </varlistentry>
-Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c
-===================================================================
---- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c
-+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c
-@@ -466,10 +466,9 @@ PAMH_ARG_DECL(char * create_password_has
- sp = crypt(password, salt);
- #endif
- if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
-- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
-+ /* libxcrypt/libc doesn't know the algorithm, error out */
- pam_syslog(pamh, LOG_ERR,
-- "Algo %s not supported by the crypto backend, "
-- "falling back to MD5\n",
-+ "Algo %s not supported by the crypto backend.\n",
- on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" :
- on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
- on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
-@@ -481,7 +480,7 @@ PAMH_ARG_DECL(char * create_password_has
- #ifdef HAVE_CRYPT_R
- free(cdata);
- #endif
-- return crypt_md5_wrapper(password);
-+ return NULL;
- }
- sp = x_strdup(sp);
- #ifdef HAVE_CRYPT_R
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
deleted file mode 100644
index 14f285deb..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a2b72aeb86f297d349bc9e6a8f059fedf97a499a Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Thu, 31 May 2018 00:20:18 +0000
-Subject: [PATCH] pam_unix: remove obsolete _unix_read_password prototype
-
-The function was removed by commit Linux-PAM-1.3.0~5
-so the function prototype should go as well.
-
-* modules/pam_unix/support.h (_unix_read_password): Remove.
-
-Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
-direct pam_prompt() calls.")
----
- modules/pam_unix/support.h | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
-index b4c279c3..543e9b9f 100644
---- a/modules/pam_unix/support.h
-+++ b/modules/pam_unix/support.h
-@@ -164,13 +164,6 @@ extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl,
- const char *name);
- extern int _unix_verify_password(pam_handle_t * pamh, const char *name
- ,const char *p, unsigned int ctrl);
--extern int _unix_read_password(pam_handle_t * pamh
-- ,unsigned int ctrl
-- ,const char *comment
-- ,const char *prompt1
-- ,const char *prompt2
-- ,const char *data_name
-- ,const void **pass);
-
- extern int _unix_run_verify_binary(pam_handle_t *pamh,
- unsigned int ctrl, const char *user, int *daysleft);
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-yescrypt.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-yescrypt.patch
deleted file mode 100644
index f04a59ce7..000000000
--- a/source/a/pam/fedora-patches/pam-1.3.1-unix-yescrypt.patch
+++ /dev/null
@@ -1,479 +0,0 @@
-From 16bd523f85ede9fa9115f80e826f2d803d7e61d4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Thu, 15 Nov 2018 16:38:05 +0100
-Subject: [PATCH] pam_unix: Add support for (gost-)yescrypt hashing methods.
-
-libxcrypt (v4.2 and later) has added support for the yescrypt
-hashing method; gost-yescrypt has been added in v4.3.
-
-* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
-* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
-* modules/pam_unix/pam_unix_auth.c: Likewise.
-* modules/pam_unix/pam_unix_passwd.c: Likewise.
-* modules/pam_unix/pam_unix_sess.c: Likewise.
-* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
-* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
-* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
-* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
----
- modules/pam_unix/pam_unix.8.xml | 35 +++++++++-
- modules/pam_unix/pam_unix_acct.c | 4 +-
- modules/pam_unix/pam_unix_auth.c | 4 +-
- modules/pam_unix/pam_unix_passwd.c | 12 ++--
- modules/pam_unix/pam_unix_sess.c | 4 +-
- modules/pam_unix/passverify.c | 8 ++-
- modules/pam_unix/passverify.h | 2 +-
- modules/pam_unix/support.c | 33 ++++++----
- modules/pam_unix/support.h | 101 +++++++++++++++--------------
- 9 files changed, 128 insertions(+), 75 deletions(-)
-
-diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
-index 1b318f11..cae2aeaa 100644
---- a/modules/pam_unix/pam_unix.8.xml
-+++ b/modules/pam_unix/pam_unix.8.xml
-@@ -331,14 +331,45 @@
- </para>
- </listitem>
- </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>gost_yescrypt</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ When a user changes their password next,
-+ encrypt it with the gost-yescrypt algorithm. If the
-+ gost-yescrypt algorithm is not known to the <citerefentry>
-+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
-+ </citerefentry> function,
-+ fall back to MD5.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>yescrypt</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ When a user changes their password next,
-+ encrypt it with the yescrypt algorithm. If the
-+ yescrypt algorithm is not known to the <citerefentry>
-+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
-+ </citerefentry> function,
-+ fall back to MD5.
-+ </para>
-+ </listitem>
-+ </varlistentry>
- <varlistentry>
- <term>
- <option>rounds=<replaceable>n</replaceable></option>
- </term>
- <listitem>
- <para>
-- Set the optional number of rounds of the SHA256, SHA512
-- and blowfish password hashing algorithms to
-+ Set the optional number of rounds of the SHA256, SHA512,
-+ blowfish, gost-yescrypt, and yescrypt password hashing
-+ algorithms to
- <replaceable>n</replaceable>.
- </para>
- </listitem>
-diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
-index fbc84e2f..d8d084ac 100644
---- a/modules/pam_unix/pam_unix_acct.c
-+++ b/modules/pam_unix/pam_unix_acct.c
-@@ -62,7 +62,7 @@
- #include "support.h"
- #include "passverify.h"
-
--int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
-+int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
- const char *user, int *daysleft)
- {
- int retval=0, child, fds[2];
-@@ -185,7 +185,7 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
- int
- pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
-- unsigned int ctrl;
-+ unsigned long long ctrl;
- const void *void_uname;
- const char *uname;
- int retval, daysleft;
-diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
-index 9d9f709d..905fc66c 100644
---- a/modules/pam_unix/pam_unix_auth.c
-+++ b/modules/pam_unix/pam_unix_auth.c
-@@ -96,7 +96,7 @@ setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
- int
- pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
-- unsigned int ctrl;
-+ unsigned long long ctrl;
- int retval, *ret_data = NULL;
- const char *name;
- const char *p;
-@@ -194,7 +194,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags,
- {
- int retval;
- const void *pretval = NULL;
-- unsigned int ctrl;
-+ unsigned long long ctrl;
-
- D(("called."));
-
-diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
-index f2c42513..df4c1233 100644
---- a/modules/pam_unix/pam_unix_passwd.c
-+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -138,7 +138,7 @@ __taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf)
- }
- #endif
-
--static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
-+static char *getNISserver(pam_handle_t *pamh, unsigned long long ctrl)
- {
- char *master;
- char *domainname;
-@@ -233,7 +233,7 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
-
- #ifdef WITH_SELINUX
-
--static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
-+static int _unix_run_update_binary(pam_handle_t *pamh, unsigned long long ctrl, const char *user,
- const char *fromwhat, const char *towhat, int remember)
- {
- int retval, child, fds[2];
-@@ -388,7 +388,7 @@ static int check_old_password(const char *forwho, const char *newpass)
-
- static int _do_setpass(pam_handle_t* pamh, const char *forwho,
- const char *fromwhat,
-- char *towhat, unsigned int ctrl, int remember)
-+ char *towhat, unsigned long long ctrl, int remember)
- {
- struct passwd *pwd = NULL;
- int retval = 0;
-@@ -512,7 +512,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
- return retval;
- }
-
--static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl)
-+static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned long long ctrl)
- {
- struct passwd *pwent = NULL; /* Password and shadow password */
- struct spwd *spent = NULL; /* file entries for the user */
-@@ -542,7 +542,7 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in
- }
-
- static int _pam_unix_approve_pass(pam_handle_t * pamh
-- ,unsigned int ctrl
-+ ,unsigned long long ctrl
- ,const char *pass_old
- ,const char *pass_new,
- int pass_min_len)
-@@ -600,7 +600,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
- int
- pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
-- unsigned int ctrl, lctrl;
-+ unsigned long long ctrl, lctrl;
- int retval;
- int remember = -1;
- int rounds = 0;
-diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c
-index 03e7dcd9..4b8af530 100644
---- a/modules/pam_unix/pam_unix_sess.c
-+++ b/modules/pam_unix/pam_unix_sess.c
-@@ -67,7 +67,7 @@ int
- pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
- char *user_name, *service;
-- unsigned int ctrl;
-+ unsigned long long ctrl;
- int retval;
- const char *login_name;
-
-@@ -103,7 +103,7 @@ int
- pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
- char *user_name, *service;
-- unsigned int ctrl;
-+ unsigned long long ctrl;
- int retval;
-
- D(("called."));
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 95dfe528..39e2bfac 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -387,7 +387,7 @@ crypt_md5_wrapper(const char *pass_new)
- }
-
- PAMH_ARG_DECL(char * create_password_hash,
-- const char *password, unsigned int ctrl, int rounds)
-+ const char *password, unsigned long long ctrl, int rounds)
- {
- const char *algoid;
- #if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
-@@ -404,6 +404,10 @@ PAMH_ARG_DECL(char * create_password_hash,
- if (on(UNIX_MD5_PASS, ctrl)) {
- /* algoid = "$1" */
- return crypt_md5_wrapper(password);
-+ } else if (on(UNIX_YESCRYPT_PASS, ctrl)) {
-+ algoid = "$y$";
-+ } else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) {
-+ algoid = "$gy$";
- } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
- algoid = "$2b$";
- } else if (on(UNIX_SHA256_PASS, ctrl)) {
-@@ -466,6 +470,8 @@ PAMH_ARG_DECL(char * create_password_hash,
- pam_syslog(pamh, LOG_ERR,
- "Algo %s not supported by the crypto backend, "
- "falling back to MD5\n",
-+ on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" :
-+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
- on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
- on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
- on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
-diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
-index caf7ae8a..086c28ac 100644
---- a/modules/pam_unix/passverify.h
-+++ b/modules/pam_unix/passverify.h
-@@ -66,7 +66,7 @@ read_passwords(int fd, int npass, char **passwords);
- #endif
-
- PAMH_ARG_DECL(char * create_password_hash,
-- const char *password, unsigned int ctrl, int rounds);
-+ const char *password, unsigned long long ctrl, int rounds);
-
- PAMH_ARG_DECL(int get_account_info,
- const char *name, struct passwd **pwd, struct spwd **spwdent);
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index 8cbc4217..6894288d 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -107,7 +107,7 @@ search_key (const char *key, const char *filename)
-
- /* this is a front-end for module-application conversations */
-
--int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
-+int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
- int type, const char *text)
- {
- int retval = PAM_SUCCESS;
-@@ -122,10 +122,11 @@ int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
- * set the control flags for the UNIX module.
- */
-
--int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
-- int *pass_min_len, int argc, const char **argv)
-+unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
-+ int *rounds, int *pass_min_len, int argc,
-+ const char **argv)
- {
-- unsigned int ctrl;
-+ unsigned long long ctrl;
- char *val;
- int j;
-
-@@ -243,15 +244,23 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
- set(UNIX__NONULL, ctrl);
- }
-
-- /* Set default rounds for blowfish */
-- if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
-- *rounds = 5;
-- set(UNIX_ALGO_ROUNDS, ctrl);
-+ /* Set default rounds for blowfish, gost-yescrypt and yescrypt */
-+ if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
-+ if (on(UNIX_BLOWFISH_PASS, ctrl) ||
-+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
-+ on(UNIX_YESCRYPT_PASS, ctrl)) {
-+ *rounds = 5;
-+ set(UNIX_ALGO_ROUNDS, ctrl);
-+ }
- }
-
- /* Enforce sane "rounds" values */
- if (on(UNIX_ALGO_ROUNDS, ctrl)) {
-- if (on(UNIX_BLOWFISH_PASS, ctrl)) {
-+ if (on(UNIX_GOST_YESCRYPT_PASS, ctrl) ||
-+ on(UNIX_YESCRYPT_PASS, ctrl)) {
-+ if (*rounds < 3 || *rounds > 11)
-+ *rounds = 5;
-+ } else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
- if (*rounds < 4 || *rounds > 31)
- *rounds = 5;
- } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
-@@ -532,7 +541,7 @@ int _unix_comesfromsource(pam_handle_t *pamh,
- #include <sys/wait.h>
-
- static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
-- unsigned int ctrl, const char *user)
-+ unsigned long long ctrl, const char *user)
- {
- int retval, child, fds[2];
- struct sigaction newsa, oldsa;
-@@ -658,7 +667,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- */
-
- int
--_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
-+_unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name)
- {
- struct passwd *pwd = NULL;
- char *salt = NULL;
-@@ -706,7 +715,7 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
- }
-
- int _unix_verify_password(pam_handle_t * pamh, const char *name
-- ,const char *p, unsigned int ctrl)
-+ ,const char *p, unsigned long long ctrl)
- {
- struct passwd *pwd = NULL;
- char *salt = NULL;
-diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
-index 543e9b9f..e02c05e0 100644
---- a/modules/pam_unix/support.h
-+++ b/modules/pam_unix/support.h
-@@ -22,8 +22,8 @@
-
- typedef struct {
- const char *token;
-- unsigned int mask; /* shall assume 32 bits of flags */
-- unsigned int flag;
-+ unsigned long long mask; /* shall assume 64 bits of flags */
-+ unsigned long long flag;
- unsigned int is_hash_algo;
- } UNIX_Ctrls;
-
-@@ -48,7 +48,7 @@ typedef struct {
-
- /* the generic mask */
-
--#define _ALL_ON_ (~0U)
-+#define _ALL_ON_ (~0ULL)
-
- /* end of macro definitions definitions for the control flags */
-
-@@ -98,47 +98,51 @@ typedef struct {
- #define UNIX_QUIET 28 /* Don't print informational messages */
- #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
- #define UNIX_DES 30 /* DES, default */
-+#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
-+#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
- /* -------------- */
--#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_ 33 /* number of ctrl arguments defined */
-
--#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
-+#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
-
- static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- {
--/* symbol token name ctrl mask ctrl *
-- * ----------------------- ------------------- --------------------- -------- */
--
--/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
--/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
--/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
--/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
--/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
--/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
--/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
--/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
--/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
--/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
--/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
--/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
--/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
--/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
--/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
--/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
--/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
--/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
--/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
--/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
--/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
--/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
--/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
--/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
--/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
--/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
--/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
--/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
--/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
--/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
--/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
-+/* symbol token name ctrl mask ctrl *
-+ * --------------------------- -------------------- ------------------------- ---------------- */
-+
-+/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
-+/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
-+/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
-+/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
-+/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
-+/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
-+/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
-+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
-+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
-+/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
-+/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
-+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
-+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
-+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
-+/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
-+/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
-+/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
-+/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
-+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
-+/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
-+/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
-+/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
-+/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
-+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
-+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
-+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
-+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
-+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
-+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
-+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
-+/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
-+/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
-+/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
- };
-
- #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-@@ -151,20 +155,23 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- _pam_drop(xx); \
- }
-
--extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
-- ,int type, const char *text);
--extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds,
-- int *pass_min_len, int argc, const char **argv);
-+extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
-+ int type, const char *text);
-+extern unsigned long long _set_ctrl(pam_handle_t * pamh, int flags,
-+ int *remember, int *rounds,
-+ int *pass_min_len,
-+ int argc, const char **argv);
- extern int _unix_getpwnam (pam_handle_t *pamh,
- const char *name, int files, int nis,
- struct passwd **ret);
- extern int _unix_comesfromsource (pam_handle_t *pamh,
- const char *name, int files, int nis);
--extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl,
-+extern int _unix_blankpasswd(pam_handle_t *pamh, unsigned long long ctrl,
- const char *name);
--extern int _unix_verify_password(pam_handle_t * pamh, const char *name
-- ,const char *p, unsigned int ctrl);
-+extern int _unix_verify_password(pam_handle_t * pamh, const char *name,
-+ const char *p, unsigned long long ctrl);
-
- extern int _unix_run_verify_binary(pam_handle_t *pamh,
-- unsigned int ctrl, const char *user, int *daysleft);
-+ unsigned long long ctrl,
-+ const char *user, int *daysleft);
- #endif /* _PAM_UNIX_SUPPORT_H */
diff --git a/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
deleted file mode 100644
index fda4eca75..000000000
--- a/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- ./configure.ac.orig 2020-06-08 05:17:27.000000000 -0500
-+++ ./configure.ac 2020-06-13 14:11:04.857950668 -0500
-@@ -712,6 +712,7 @@
- po/Makefile.in \
- Make.xml.rules \
- modules/Makefile \
-+ modules/pam_chroot/Makefile modules/pam_console/Makefile modules/pam_postgresok/Makefile \
- modules/pam_access/Makefile modules/pam_cracklib/Makefile \
- modules/pam_debug/Makefile modules/pam_deny/Makefile \
- modules/pam_echo/Makefile modules/pam_env/Makefile \
---- ./modules/Makefile.am.orig 2020-06-08 05:17:27.000000000 -0500
-+++ ./modules/Makefile.am 2020-06-13 14:12:28.614946035 -0500
-@@ -53,6 +53,8 @@
- SUBDIRS := \
- pam_access \
- $(MAYBE_PAM_CRACKLIB) \
-+ pam_chroot \
-+ pam_console \
- pam_debug \
- pam_deny \
- pam_echo \
-@@ -76,6 +78,7 @@
- $(MAYBE_PAM_NAMESPACE) \
- pam_nologin \
- pam_permit \
-+ pam_postgresok \
- pam_pwhistory \
- $(MAYBE_PAM_RHOSTS) \
- pam_rootok \
diff --git a/source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch
deleted file mode 100644
index 1212a6d31..000000000
--- a/source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch
+++ /dev/null
@@ -1,95 +0,0 @@
---- ./doc/sag/pam_faillock.xml.orig 2023-05-19 13:22:11.197977808 -0500
-+++ ./doc/sag/pam_faillock.xml 2023-05-19 13:24:39.673969595 -0500
-@@ -1,27 +1,38 @@
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="sag-pam_faillock">
-+<?xml version='1.0' encoding='UTF-8'?>
-+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-+<section id='sag-pam_faillock'>
- <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
-- <cmdsynopsis sepchar=" ">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-cmdsynopsisauth")/*)'/>
-+ <cmdsynopsis>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
- </cmdsynopsis>
-- <cmdsynopsis sepchar=" ">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-cmdsynopsisacct")/*)'/>
-+ <cmdsynopsis>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
- </cmdsynopsis>
-- <section xml:id="sag-pam_faillock-description">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-description")/*)'/>
-+ <section id='sag-pam_faillock-description'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-options'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-types'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-return_values'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-examples'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-author'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
- </section>
-- <section xml:id="sag-pam_faillock-options">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-options")/*)'/>
-- </section>
-- <section xml:id="sag-pam_faillock-types">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-types")/*)'/>
-- </section>
-- <section xml:id="sag-pam_faillock-return_values">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-return_values")/*)'/>
-- </section>
-- <section xml:id="sag-pam_faillock-examples">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-examples")/*)'/>
-- </section>
-- <section xml:id="sag-pam_faillock-author">
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-author")/*)'/>
-- </section>
--</section>
-\ No newline at end of file
-+</section>
---- ./configure.ac.orig 2023-05-07 18:06:47.000000000 -0500
-+++ ./configure.ac 2023-05-19 13:22:11.198977808 -0500
-@@ -754,6 +754,8 @@
- po/Makefile.in \
- Make.xml.rules \
- modules/Makefile \
-+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
-+ modules/pam_postgresok/Makefile \
- modules/pam_access/Makefile \
- modules/pam_debug/Makefile modules/pam_deny/Makefile \
- modules/pam_echo/Makefile modules/pam_env/Makefile \
---- ./modules/Makefile.am.orig 2023-05-07 18:06:47.000000000 -0500
-+++ ./modules/Makefile.am 2023-05-19 13:22:11.198977808 -0500
-@@ -44,6 +44,8 @@
-
- SUBDIRS := \
- pam_access \
-+ pam_chroot \
-+ pam_console \
- pam_debug \
- pam_deny \
- pam_echo \
-@@ -67,6 +69,7 @@
- $(MAYBE_PAM_NAMESPACE) \
- pam_nologin \
- pam_permit \
-+ pam_postgresok \
- pam_pwhistory \
- $(MAYBE_PAM_RHOSTS) \
- pam_rootok \
diff --git a/source/a/pam/fedora-patches/pam-1.3.0-unix-nomsg.patch b/source/a/pam/fedora-patches/pam-1.5.3-unix-nomsg.patch
index 33c226773..3a8abbb1a 100644
--- a/source/a/pam/fedora-patches/pam-1.3.0-unix-nomsg.patch
+++ b/source/a/pam/fedora-patches/pam-1.5.3-unix-nomsg.patch
@@ -1,7 +1,8 @@
-diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c
---- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200
-+++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200
-@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
+Index: Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- Linux-PAM-1.5.3.orig/modules/pam_unix/pam_unix_passwd.c
++++ Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c
+@@ -678,12 +678,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
return PAM_SUCCESS;
} else if (off(UNIX__IAMROOT, ctrl) ||
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
diff --git a/source/a/pam/fedora-patches/pam-1.6.0-noflex.patch b/source/a/pam/fedora-patches/pam-1.6.0-noflex.patch
new file mode 100644
index 000000000..706841c9d
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.6.0-noflex.patch
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.6.0/doc/Makefile.am.noflex Linux-PAM-1.6.0/doc/Makefile.am
+--- Linux-PAM-1.6.0/doc/Makefile.am.noflex 2024-01-23 13:19:04.681955581 +0100
++++ Linux-PAM-1.6.0/doc/Makefile.am 2024-01-23 13:19:49.740014426 +0100
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+ #
+
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+
+ CLEANFILES = *~
+ DISTCLEANFILES = custom-html.xsl custom-man.xsl
+diff -up Linux-PAM-1.6.0/Makefile.am.noflex Linux-PAM-1.6.0/Makefile.am
+--- Linux-PAM-1.6.0/Makefile.am.noflex 2024-01-23 13:19:04.681955581 +0100
++++ Linux-PAM-1.6.0/Makefile.am 2024-01-23 13:21:03.428109219 +0100
+@@ -4,7 +4,7 @@
+
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
+
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po doc xtests
+
+ if HAVE_DOC
+ SUBDIRS += doc
diff --git a/source/a/pam/fedora-patches/pam-1.6.0-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.6.0-redhat-modules.patch
new file mode 100644
index 000000000..66aa8ff48
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.6.0-redhat-modules.patch
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.6.0/configure.ac.redhat-modules Linux-PAM-1.6.0/configure.ac
+--- Linux-PAM-1.6.0/configure.ac.redhat-modules 2024-01-23 13:16:34.854753145 +0100
++++ Linux-PAM-1.6.0/configure.ac 2024-01-23 13:17:52.855859922 +0100
+@@ -774,6 +774,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ po/Makefile.in \
+ Make.xml.rules \
+ modules/Makefile \
++ modules/pam_chroot/Makefile \
++ modules/pam_postgresok/Makefile \
+ modules/pam_access/Makefile \
+ modules/pam_canonicalize_user/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+diff -up Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules Linux-PAM-1.6.0/modules/Makefile.am
+--- Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules 2024-01-17 11:29:36.000000000 +0100
++++ Linux-PAM-1.6.0/modules/Makefile.am 2024-01-23 13:16:34.855753147 +0100
+@@ -48,6 +48,8 @@ SUBDIRS := \
+ pam_debug \
+ pam_deny \
+ pam_echo \
++ pam_chroot \
++ pam_postgresok \
+ pam_env \
+ pam_exec \
+ pam_faildelay \
diff --git a/source/a/pam/pam.SlackBuild b/source/a/pam/pam.SlackBuild
index 64b098060..cfe61ec73 100755
--- a/source/a/pam/pam.SlackBuild
+++ b/source/a/pam/pam.SlackBuild
@@ -1,7 +1,7 @@
#!/bin/sh
# Copyright 2010 Vincent Batts, vbatts@hashbangbash.com
-# Copyright 2010, 2011 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# Copyright 2010, 2011, 2024 Patrick J. Volkerding, Sebeka, Minnesota, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -27,7 +27,7 @@ SRCNAM=Linux-PAM
PKGNAM=pam
PAMRHVER=${PAMRHVER:-$(echo pam-redhat-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-1}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
@@ -96,27 +96,11 @@ for file in pam-redhat-$PAMRHVER/* ; do
echo "$(basename $file) already exists in modules/, not moving!"
fi
done
-# NOTE: Linux-PAM-1.4.0 already ships with most of these applied:
-#zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.4.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.5.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.1.6-limits-user.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.1.8-audit-user-mgmt.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.0-unix-nomsg.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
-#zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
+
+# Patches from the Fedora SRPM:
+zcat $CWD/fedora-patches/pam-1.5.3-unix-nomsg.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/fedora-patches/pam-1.6.0-noflex.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/fedora-patches/pam-1.6.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
# Improve the comments in /etc/environment:
zcat $CWD/patches/pam.etc.environment.better.comments.diff.gz | patch -p1 --verbose || exit 1