14 changed files with 1586 additions and 960 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
 1
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1 @@
-/libxcrypt-*/
+/libxcrypt-*.tar.*
 /libxcrypt-*.rpm
 /libxcrypt-*.tar.xz
 /libxcrypt-gpgkey.gpg
 /results_libxcrypt/
--- a/.packit.yaml
+++ b/.packit.yaml
@ -1,43 +0,0 @@
 specfile_path: libxcrypt.spec
 synced_files:
  - libxcrypt.spec
  - .packit.yaml
 upstream_package_name: libxcrypt
 upstream_project_url: https://github.com/besser82/libxcrypt
 upstream_tag_template: v{version}
 downstream_package_name: libxcrypt
 dist_git_namespace: rpms
 create_pr: True
 actions:
  post-upstream-clone: "wget https://src.fedoraproject.org/rpms/libxcrypt/raw/main/f/libxcrypt.spec -O libxcrypt.spec"
 jobs:
 - job: copr_build
  trigger: pull_request
  metadata:
    list_on_homepage: False
    targets:
      - fedora-all-aarch64
      - fedora-all-i386
      - fedora-all-x86_64
      - fedora-development-s390x
 - job: copr_build
  trigger: commit
  metadata:
    branch: develop
    list_on_homepage: False
    targets:
      - fedora-all-aarch64
      - fedora-all-i386
      - fedora-all-x86_64
      - fedora-development-s390x
 - job: propose_downstream
  trigger: release
  metadata:
    dist_git_branches:
      - main
--- a/ci.fmf
+++ b/ci.fmf
@ -1 +0,0 @@
 resultsdb-testcase: separate
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +1,8 @@
 # recipients: glibc-bugzilla
 --- !Policy
 product_versions:
-  - rhel-10
+  - rhel-8
 decision_context: osci_compose_gate
 rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
--- a/libxcrypt-4.4.36.tar.xz.asc
+++ b/libxcrypt-4.4.36.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEZ4zj/uQwMRWW24wW9S6YAHWUwh0FAmSlr0UACgkQ9S6YAHWU
 wh0/Pg/+M0zxkElg/2YPCFNeSo+zsVjGozdnPF4DvISk54+owXULo2fkx7VW15LC
 4DcvKKg3p+6bCz1rdOnJbzSfNiO3d7VS1mGNOECWUTF4q3eiXhgDy5QrHbZfDaqR
 DohWDNJPY1RwTfMf8qhtnTukjutnNpUdPJHV5wavJsBr8mLQ6qBXTsgfORJsfGi0
 cz+GTn3IZX/xcMvbFx9VrY/ixzYZZMFOmy+00T2yURlA/A5XjNPldTDRYVBtYUre
 Phiox3Oz9BRh65hnLjPFIYvMrjAGnOxl2lWfHK6Mdu46QV7qB7nGryOSbr4OHvN8
 YpukVexz5YlSM09ws9AHqUzf4nn2fo+M1v9YftrLYa0vKM5oUW5+nJp2oRm+q2WW
 UYy7J60rM7Rg8HvpAXriIbyOz758xSA3dwSMAVFrY9mLZdCipBfdAD9xNIysaWTo
 ockJ13TYzK6m8F8aL3tYGT/7M1IbdUMqGa7wPEkg5bkb0IGOI45yH4VN4AbU3h4v
 ZZrMNkMNl84Y3rYgq2QcqoMf9Wg/dv9zuXpkF0COipk4qxiEiBZlebFSAZEX1LSO
 6O5AlUtHb9Mue7CTv61dV//C7l2/TOADsvWN4dBqQzioPx+uH4wJAdEY6afeePAR
 GniSzdtbuszlVcd7E8sqN/DFofhOBBXrX6QpJkapMTnfoKDL3SQ=
 =wTDU
 -----END PGP SIGNATURE-----
--- a/libxcrypt-4.4.36.tar.xz.sha256sum
+++ b/libxcrypt-4.4.36.tar.xz.sha256sum
@ -1,2 +0,0 @@
 e5e1f4caee0a01de2aee26e3138807d6d3ca2b8e67287966d1fefd65e1fd8943  libxcrypt-4.4.36.tar.xz
 04f2985349a027dd544806b2b6888402fbfd71322c210a94271e1e02f46fbf74  libxcrypt-4.4.36.tar.xz.asc
--- a/libxcrypt-configure-c99.patch
+++ b/libxcrypt-configure-c99.patch
@ -1,35 +0,0 @@
 Author: Florian Weimer <fweimer@redhat.com>
 Date:   Tue Dec 19 11:00:11 2023 +0100
    configure: Only text the makecontext signature we need
    The test/explicit-bzero.c test uses a start routine without any
    arguments.  There is no need for the multi-argument version.
    This avoids a build failure with glibc and future compilers.
    The GNU C library declares the makecontext callback of
    type void (*) (void), so no cast is needed.  On other systems,
    the type may be the (currently distinct) type void (*) (),
    but given that this only affects the ability to execute a test,
    no further machinery is added here to detect that different type.
 Submitted upstream: <https://github.com/besser82/libxcrypt/pull/178>
 diff --git a/configure.ac b/configure.ac
 index 35965b3b20466f71..ecc71b02b8c9752f 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -303,13 +303,11 @@ AS_IF([test $ac_cv_header_ucontext_h = yes],
 #include <ucontext.h>
 static int x;
 static void fn1(void) {}
 -static void fn2(int a, int b) { x = a - b; }
 ]], [[
   ucontext_t uc1, uc2;
   if (getcontext(&uc1)) return 1;
   if (setcontext(&uc1)) return 1;
   makecontext(&uc1, fn1, 0);
 -  makecontext(&uc2, fn2, 2, 1, 1);
   if (swapcontext(&uc1, &uc2)) return 1;
   return x;
 ]])],
--- a/libxcrypt-rh1612157.patch
+++ b/libxcrypt-rh1612157.patch
@ -0,0 +1,67 @@
 commit cc1806e214b89403152c2c53932d8d0b8aeb1e91
 Author: Björn Esser <besser82@fedoraproject.org>
 Date:   Sat Aug 4 13:02:03 2018 +0200
    Add alias man-pages for other crypt functions.
 diff --git a/Makefile.am b/Makefile.am
 index 201dea53313e7054..1ea36121d085b55d 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -15,7 +15,8 @@ EXTRA_DIST = \
 	gen-map.awk gen-vers.awk gen-crypt-h.awk \
 	gen-hashes.awk sel-hashes.awk hashes.lst
 -notrans_dist_man3_MANS = crypt_rn.3 crypt_gensalt.3
 +notrans_dist_man3_MANS = crypt.3 crypt_r.3 crypt_ra.3 \
 +	crypt_rn.3 crypt_gensalt.3
 notrans_dist_man5_MANS = crypt.5
 nodist_include_HEADERS = crypt.h
 diff --git a/crypt.3 b/crypt.3
 new file mode 100644
 index 0000000000000000..430e48f320d6e8af
 --- /dev/null
 +++ b/crypt.3
@@ -0,0 +1 @@
 +.so man3/crypt_rn.3
 diff --git a/crypt.5 b/crypt.5
 index 5db9c923cbd66e55..7fe46091f192b114 100644
 --- a/crypt.5
 +++ b/crypt.5
@@ -279,6 +279,8 @@ that will work on an old operating system that supports nothing else.
 .hash "$3$" "\e$3\e$\e$[0-9a-f]{32}" unlimited 8 256 256 0 1
 .SH SEE ALSO
 .BR crypt (3),
 +.BR crypt_r (3),
 +.BR crypt_ra (3),
 .BR crypt_rn (3),
 .BR crypt_gensalt (3),
 .BR getpwent (3),
 diff --git a/crypt_gensalt.3 b/crypt_gensalt.3
 index ebfff28db79a3c53..31097400e5cd2080 100644
 --- a/crypt_gensalt.3
 +++ b/crypt_gensalt.3
@@ -223,6 +223,8 @@ T}	Thread safety	MT-Safe
 .SH SEE ALSO
 .ad l
 .BR crypt (3),
 +.BR crypt_r (3),
 +.BR crypt_ra (3),
 .BR crypt_rn (3),
 .BR getpass (3),
 .BR getpwent (3),
 diff --git a/crypt_r.3 b/crypt_r.3
 new file mode 100644
 index 0000000000000000..430e48f320d6e8af
 --- /dev/null
 +++ b/crypt_r.3
@@ -0,0 +1 @@
 +.so man3/crypt_rn.3
 diff --git a/crypt_ra.3 b/crypt_ra.3
 new file mode 100644
 index 0000000000000000..430e48f320d6e8af
 --- /dev/null
 +++ b/crypt_ra.3
@@ -0,0 +1 @@
 +.so man3/crypt_rn.3
--- a/libxcrypt-rh1613537.patch
+++ b/libxcrypt-rh1613537.patch
@ -0,0 +1,320 @@
 commit 8596e298f761c32cecff45424f5242cd14269292
 Author: Zack Weinberg <zackw@panix.com>
 Date:   Tue Aug 7 21:35:12 2018 -0400
    Add configure option --disable-failure-tokens.
    When this option is given, crypt and crypt_r will return NULL on
    failure, instead of a special "failure token" string that isn't the
    hash of any passphrase.  This was the historical behavior of glibc,
    FreeBSD libc, and several other implementations.
 diff --git a/configure.ac b/configure.ac
 index a22a5926bd82f729..23651f9c5c886107 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -152,6 +152,25 @@ AC_CHECK_FUNCS_ONCE([
 ])
 # Configure options.
 +AC_ARG_ENABLE([failure-tokens],
 +    AS_HELP_STRING(
 +        [--disable-failure-tokens],
 +        [Make crypt and crypt_r return NULL on failure, instead of a
 +         special "failure token" string that isn't the hash of any
 +         passphrase.  This matches the behavior of several other
 +         crypt implementations, but will break programs that assume these
 +         functions never return NULL.  crypt_rn and crypt_ra are not affected
 +         by this option, and will always return NULL on failure.]
 +    ),
 +    [case "$enableval" in
 +      yes) enable_failure_tokens=1;;
 +       no) enable_failure_tokens=0;;
 +        *) AC_MSG_ERROR([bad value ${enableval} for --enable-failure-tokens]);;
 +     esac],
 +    [enable_failure_tokens=1])
 +AC_DEFINE_UNQUOTED([ENABLE_FAILURE_TOKENS], [$enable_failure_tokens],
 +  [Define to 1 if crypt and crypt_r should return a "failure token" on
 +   failure, or 0 if they should return NULL.])
 AC_ARG_ENABLE([obsolete-api],
     AS_HELP_STRING(
 diff --git a/crypt.c b/crypt.c
 index 9a3e19214e613097..839763afad14eaa9 100644
 --- a/crypt.c
 +++ b/crypt.c
@@ -235,7 +235,11 @@ crypt_r (const char *phrase, const char *setting, struct crypt_data *data)
 {
   make_failure_token (setting, data->output, sizeof data->output);
   do_crypt (phrase, setting, data);
 +#if ENABLE_FAILURE_TOKENS
   return data->output;
 +#else
 +  return data->output[0] == '*' ? 0 : data->output;
 +#endif
 }
 SYMVER_crypt_r;
 #endif
 diff --git a/crypt_rn.3 b/crypt_rn.3
 index 24da44cfce19716b..d021c4ed4a046e04 100644
 --- a/crypt_rn.3
 +++ b/crypt_rn.3
@@ -204,17 +204,31 @@ multiple threads simultaneously, as long as a separate
 object is used for each thread.
 .PP
 Upon error,
 -.B crypt
 -and
 -.B crypt_r
 -return a pointer to an
 +.BR crypt_r ", " crypt_rn ", and " crypt_ra
 +write an
 .I invalid
 -hashed passphrase.
 +hashed passphrase to the
 +.I output
 +field of their
 +.I crypt_data
 +object, and
 +.B crypt
 +writes an invalid hash to its static storage area.
 This string will be shorter than 13 characters,
 will begin with a \(oq\fB*\fR\(cq,
 and will not compare equal to
 .IR setting .
 -(This peculiar behavior is for compatibility
 +.PP
 +Upon error,
 +.BR crypt_rn " and " crypt_ra
 +return a null pointer.
 +.BR crypt_r " and " crypt
 +may also return a null pointer,
 +or they may return a pointer to the invalid hash,
 +depending on how
 +.I libcrypt
 +was configured.
 +(The option to return the invalid hash is for compatibility
 with old applications that assume that
 .B crypt
 cannot return a null pointer.
@@ -222,15 +236,6 @@ See
 .B "PORTABILITY NOTES"
 below.)
 .PP
 -.B crypt_rn
 -and
 -.B crypt_ra
 -also write an invalid hashed passphrase to the
 -.I output
 -field of their
 -.I crypt_data
 -object when they fail, but they return a null pointer.
 -.PP
 All four functions set
 .I errno
 when they fail.
 diff --git a/test-badsalt.c b/test-badsalt.c
 index b2743373628b1f3f..3d2e47ac0e7647bd 100644
 --- a/test-badsalt.c
 +++ b/test-badsalt.c
@@ -222,12 +222,28 @@ check_crypt (const char *label, const char *fn,
              const char *retval, const char *setting,
              bool expected_to_succeed)
 {
 -  /* crypt/crypt_r should never return null */
 +#if ENABLE_FAILURE_TOKENS
 +  /* crypt/crypt_r never return null when failure tokens are enabled */
   if (!retval)
     {
       printf ("FAIL: %s/%s/%s: returned NULL\n", label, setting, fn);
       return false;
     }
 +#else
 +  if (expected_to_succeed && !retval)
 +    {
 +      printf ("FAIL: %s/%s/%s: returned NULL\n", label, setting, fn);
 +      return false;
 +    }
 +  else if (!expected_to_succeed && retval)
 +    {
 +      printf ("FAIL: %s/%s/%s: returned %p, should be NULL\n",
 +              label, setting, fn, (const void *)retval);
 +      return false;
 +    }
 +  else if (!expected_to_succeed && !retval)
 +    return true;
 +#endif
   if (!check_results (label, fn, retval, setting,
                       expected_to_succeed))
     return false;
 diff --git a/test-crypt-badargs.c b/test-crypt-badargs.c
 index 0e6af1626a605086..6be24a99ca7f9015 100644
 --- a/test-crypt-badargs.c
 +++ b/test-crypt-badargs.c
@@ -169,6 +169,14 @@ test_crypt_ra (const char *tag,
   check (tag, expect, got);
 }
 +#if ENABLE_FAILURE_TOKENS
 +# define FT0 "*0"
 +# define FT1 "*1"
 +#else
 +# define FT0 0
 +# define FT1 0
 +#endif
 +
 /* PAGE should point to PAGESIZE bytes of read-write memory followed
    by another PAGESIZE bytes of inaccessible memory.  */
@@ -187,55 +195,55 @@ do_tests(char *page, size_t pagesize)
   size_t i;
   /* When SETTING is null, it shouldn't matter what PHRASE is.  */
 -  expect_no_fault ("0.0.crypt",    0,  0, "*0", test_crypt);
 -  expect_no_fault ("0.0.crypt_r",  0,  0, "*0", test_crypt_r);
 +  expect_no_fault ("0.0.crypt",    0,  0, FT0, test_crypt);
 +  expect_no_fault ("0.0.crypt_r",  0,  0, FT0, test_crypt_r);
   expect_no_fault ("0.0.crypt_rn", 0,  0, 0,    test_crypt_rn);
   expect_no_fault ("0.0.crypt_ra", 0,  0, 0,    test_crypt_ra);
 -  expect_no_fault ("''.0.crypt",    "", 0, "*0", test_crypt);
 -  expect_no_fault ("''.0.crypt_r",  "", 0, "*0", test_crypt_r);
 +  expect_no_fault ("''.0.crypt",    "", 0, FT0, test_crypt);
 +  expect_no_fault ("''.0.crypt_r",  "", 0, FT0, test_crypt_r);
   expect_no_fault ("''.0.crypt_rn", "", 0, 0,    test_crypt_rn);
   expect_no_fault ("''.0.crypt_ra", "", 0, 0,    test_crypt_ra);
 -  expect_no_fault ("ph.0.crypt",    phrase, 0, "*0", test_crypt);
 -  expect_no_fault ("ph.0.crypt_r",  phrase, 0, "*0", test_crypt_r);
 +  expect_no_fault ("ph.0.crypt",    phrase, 0, FT0, test_crypt);
 +  expect_no_fault ("ph.0.crypt_r",  phrase, 0, FT0, test_crypt_r);
   expect_no_fault ("ph.0.crypt_rn", phrase, 0, 0,    test_crypt_rn);
   expect_no_fault ("ph.0.crypt_ra", phrase, 0, 0,    test_crypt_ra);
 -  expect_no_fault ("p1.0.crypt",    p1, 0, "*0", test_crypt);
 -  expect_no_fault ("p1.0.crypt_r",  p1, 0, "*0", test_crypt_r);
 +  expect_no_fault ("p1.0.crypt",    p1, 0, FT0, test_crypt);
 +  expect_no_fault ("p1.0.crypt_r",  p1, 0, FT0, test_crypt_r);
   expect_no_fault ("p1.0.crypt_rn", p1, 0, 0,    test_crypt_rn);
   expect_no_fault ("p1.0.crypt_ra", p1, 0, 0,    test_crypt_ra);
 -  expect_no_fault ("p2.0.crypt",    p2, 0, "*0", test_crypt);
 -  expect_no_fault ("p2.0.crypt_r",  p2, 0, "*0", test_crypt_r);
 +  expect_no_fault ("p2.0.crypt",    p2, 0, FT0, test_crypt);
 +  expect_no_fault ("p2.0.crypt_r",  p2, 0, FT0, test_crypt_r);
   expect_no_fault ("p2.0.crypt_rn", p2, 0, 0,    test_crypt_rn);
   expect_no_fault ("p2.0.crypt_ra", p2, 0, 0,    test_crypt_ra);
   /* Conversely, when PHRASE is null,
      it shouldn't matter what SETTING is...  */
 -  expect_no_fault ("0.''.crypt",    0, "", "*0", test_crypt);
 -  expect_no_fault ("0.''.crypt_r",  0, "", "*0", test_crypt_r);
 +  expect_no_fault ("0.''.crypt",    0, "", FT0,  test_crypt);
 +  expect_no_fault ("0.''.crypt_r",  0, "", FT0,  test_crypt_r);
   expect_no_fault ("0.''.crypt_rn", 0, "", 0,    test_crypt_rn);
   expect_no_fault ("0.''.crypt_ra", 0, "", 0,    test_crypt_ra);
 -  expect_no_fault ("0.'*'.crypt",    0, "*", "*0", test_crypt);
 -  expect_no_fault ("0.'*'.crypt_r",  0, "*", "*0", test_crypt_r);
 +  expect_no_fault ("0.'*'.crypt",    0, "*", FT0,  test_crypt);
 +  expect_no_fault ("0.'*'.crypt_r",  0, "*", FT0,  test_crypt_r);
   expect_no_fault ("0.'*'.crypt_rn", 0, "*", 0,    test_crypt_rn);
   expect_no_fault ("0.'*'.crypt_ra", 0, "*", 0,    test_crypt_ra);
 -  expect_no_fault ("0.'*0'.crypt",    0, "*0", "*1", test_crypt);
 -  expect_no_fault ("0.'*0'.crypt_r",  0, "*0", "*1", test_crypt_r);
 +  expect_no_fault ("0.'*0'.crypt",    0, "*0", FT1,  test_crypt);
 +  expect_no_fault ("0.'*0'.crypt_r",  0, "*0", FT1,  test_crypt_r);
   expect_no_fault ("0.'*0'.crypt_rn", 0, "*0", 0,    test_crypt_rn);
   expect_no_fault ("0.'*0'.crypt_ra", 0, "*0", 0,    test_crypt_ra);
 -  expect_no_fault ("0.'*1'.crypt",    0, "*1", "*0", test_crypt);
 -  expect_no_fault ("0.'*1'.crypt_r",  0, "*1", "*0", test_crypt_r);
 +  expect_no_fault ("0.'*1'.crypt",    0, "*1", FT0,  test_crypt);
 +  expect_no_fault ("0.'*1'.crypt_r",  0, "*1", FT0,  test_crypt_r);
   expect_no_fault ("0.'*1'.crypt_rn", 0, "*1", 0,    test_crypt_rn);
   expect_no_fault ("0.'*1'.crypt_ra", 0, "*1", 0,    test_crypt_ra);
 -  expect_no_fault ("0.p1.crypt",    0, p1, "*0", test_crypt);
 -  expect_no_fault ("0.p1.crypt_r",  0, p1, "*0", test_crypt_r);
 +  expect_no_fault ("0.p1.crypt",    0, p1, FT0,  test_crypt);
 +  expect_no_fault ("0.p1.crypt_r",  0, p1, FT0,  test_crypt_r);
   expect_no_fault ("0.p1.crypt_rn", 0, p1, 0,    test_crypt_rn);
   expect_no_fault ("0.p1.crypt_ra", 0, p1, 0,    test_crypt_ra);
@@ -245,8 +253,8 @@ do_tests(char *page, size_t pagesize)
      bug, but it's impractical to fix without breaking the property
      that 'crypt' _never_ creates a failure token that is equal to the
      setting string, which is more important than this corner case.  */
 -  expect_a_fault ("0.p2.crypt",    0, p2, "*0", test_crypt);
 -  expect_a_fault ("0.p2.crypt_r",  0, p2, "*0", test_crypt_r);
 +  expect_a_fault ("0.p2.crypt",    0, p2, FT0,  test_crypt);
 +  expect_a_fault ("0.p2.crypt_r",  0, p2, FT0,  test_crypt_r);
   expect_a_fault ("0.p2.crypt_rn", 0, p2, 0,    test_crypt_rn);
   expect_a_fault ("0.p2.crypt_ra", 0, p2, 0,    test_crypt_ra);
@@ -257,9 +265,9 @@ do_tests(char *page, size_t pagesize)
       strcpy (page, "p1.'");
       strcat (page, settings[i]);
       strcat (page, "'.crypt");
 -      expect_a_fault (page, p1, settings[i], "*0", test_crypt);
 +      expect_a_fault (page, p1, settings[i], FT0,  test_crypt);
       strcat (page, "_r");
 -      expect_a_fault (page, p1, settings[i], "*0", test_crypt_r);
 +      expect_a_fault (page, p1, settings[i], FT0,  test_crypt_r);
       strcat (page, "n");
       expect_a_fault (page, p1, settings[i], 0,    test_crypt_rn);
       page [strlen (page) - 1] = 'a';
@@ -268,9 +276,9 @@ do_tests(char *page, size_t pagesize)
       strcpy (page, "p2.'");
       strcat (page, settings[i]);
       strcat (page, "'.crypt");
 -      expect_a_fault (page, p2, settings[i], "*0", test_crypt);
 +      expect_a_fault (page, p2, settings[i], FT0,  test_crypt);
       strcat (page, "_r");
 -      expect_a_fault (page, p2, settings[i], "*0", test_crypt_r);
 +      expect_a_fault (page, p2, settings[i], FT0,  test_crypt_r);
       strcat (page, "n");
       expect_a_fault (page, p2, settings[i], 0,    test_crypt_rn);
       page [strlen (page) - 1] = 'a';
@@ -279,8 +287,8 @@ do_tests(char *page, size_t pagesize)
   /* Conversely, when PHRASE is valid, passing an invalid string as SETTING
      should crash reliably.  */
 -  expect_a_fault ("ph.p2.crypt",    phrase, p2, "*0", test_crypt);
 -  expect_a_fault ("ph.p2.crypt_r",  phrase, p2, "*0", test_crypt_r);
 +  expect_a_fault ("ph.p2.crypt",    phrase, p2, FT0,  test_crypt);
 +  expect_a_fault ("ph.p2.crypt_r",  phrase, p2, FT0,  test_crypt_r);
   expect_a_fault ("ph.p2.crypt_rn", phrase, p2, 0,    test_crypt_rn);
   expect_a_fault ("ph.p2.crypt_ra", phrase, p2, 0,    test_crypt_ra);
@@ -292,9 +300,9 @@ do_tests(char *page, size_t pagesize)
       strcpy (page, "ph.'");
       strcat (page, settings[i]);
       strcat (page, ".crypt");
 -      expect_a_fault (page, phrase, p1, "*0", test_crypt);
 +      expect_a_fault (page, phrase, p1, FT0, test_crypt);
       strcat (page, "_r");
 -      expect_a_fault (page, phrase, p1, "*0", test_crypt_r);
 +      expect_a_fault (page, phrase, p1, FT0, test_crypt_r);
       strcat (page, "n");
       expect_a_fault (page, phrase, p1, 0,    test_crypt_rn);
       page [strlen (page) - 1] = 'a';
 diff --git a/test-crypt-bcrypt.c b/test-crypt-bcrypt.c
 index c984e4d47d8df2c6..bf149b405bd408c7 100644
 --- a/test-crypt-bcrypt.c
 +++ b/test-crypt-bcrypt.c
@@ -194,8 +194,12 @@ main (void)
       errno = 0;
       p = crypt (key, setting);
       errnm = errno;
 +#if ENABLE_FAILURE_TOKENS
       match = strcmp (p, hash);
 -      if ((!ok && !errno) || strcmp (p, hash))
 +#else
 +      match = (ok ? strcmp (p, hash) : p != 0);
 +#endif
 +      if ((!ok && !errno) || match)
         {
           printf ("FAIL: %d/crypt.1: key=%s setting=%s: xhash=%s xerr=%d, "
                   "p=%s match=%d err=%s\n",
--- a/libxcrypt-rh1899716.patch
+++ b/libxcrypt-rh1899716.patch
--- a/libxcrypt.spec
+++ b/libxcrypt.spec
--- a/plans/ci.fmf
+++ b/plans/ci.fmf
@ -1,23 +0,0 @@
 /fips-disabled-buildroot-disabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/libxcrypt
      name: /plans/ci/fips-disabled-buildroot-disabled
 /fips-disabled-buildroot-enabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/libxcrypt
      name: /plans/ci/fips-disabled-buildroot-enabled
 /fips-enabled-buildroot-disabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/libxcrypt
      name: /plans/ci/fips-enabled-buildroot-disabled
 /fips-enabled-buildroot-enabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/libxcrypt
      name: /plans/ci/fips-enabled-buildroot-enabled
--- a/3
+++ b/3
@ -1,2 +1 @@
-SHA512 (libxcrypt-4.4.36.tar.xz) = 468560e6f90877540d22e32c867cbcf3786983a6fdae6ef86454f4b7f2bbaae1b6589d1af75cda73078fa8f6e91b1a32f8353f26d433246eef7be3e96d4ae1c7
+SHA512 (libxcrypt-4.1.1.tar.gz) = 64f9453ffd0128e65dbafb981e5ee0e20eb1dcabae6290053a9ad30a071e37c8f970c83d2c58c61bddc7f3793af2e32344260cbfc9a69af8beca0b1650e44dff
 SHA512 (libxcrypt-gpgkey.gpg) = 723ce5d76676e4366959e03850f8814d5b30f8b20a39629f0ccff61bb2b2bef64223fd78e719ad23d7dd272ca6c0177089749f9b508099d56750a8bb466d006c
		`@ -1,2 +0,0 @@`
			`e5e1f4caee0a01de2aee26e3138807d6d3ca2b8e67287966d1fefd65e1fd8943 libxcrypt-4.4.36.tar.xz`
			`04f2985349a027dd544806b2b6888402fbfd71322c210a94271e1e02f46fbf74 libxcrypt-4.4.36.tar.xz.asc`
`@ -1,2 +1 @@`
	`SHA512 (libxcrypt-4.4.36.tar.xz) = 468560e6f90877540d22e32c867cbcf3786983a6fdae6ef86454f4b7f2bbaae1b6589d1af75cda73078fa8f6e91b1a32f8353f26d433246eef7be3e96d4ae1c7`	`SHA512 (libxcrypt-4.1.1.tar.gz) = 64f9453ffd0128e65dbafb981e5ee0e20eb1dcabae6290053a9ad30a071e37c8f970c83d2c58c61bddc7f3793af2e32344260cbfc9a69af8beca0b1650e44dff`
	`SHA512 (libxcrypt-gpgkey.gpg) = 723ce5d76676e4366959e03850f8814d5b30f8b20a39629f0ccff61bb2b2bef64223fd78e719ad23d7dd272ca6c0177089749f9b508099d56750a8bb466d006c`