diff --git a/pam-1.3.1-unix-yescrypt.patch b/pam-1.3.1-unix-yescrypt.patch new file mode 100644 index 0000000..f04a59c --- /dev/null +++ b/pam-1.3.1-unix-yescrypt.patch @@ -0,0 +1,479 @@ +From 16bd523f85ede9fa9115f80e826f2d803d7e61d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= +Date: Thu, 15 Nov 2018 16:38:05 +0100 +Subject: [PATCH] pam_unix: Add support for (gost-)yescrypt hashing methods. + +libxcrypt (v4.2 and later) has added support for the yescrypt +hashing method; gost-yescrypt has been added in v4.3. + +* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt. +* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags. +* modules/pam_unix/pam_unix_auth.c: Likewise. +* modules/pam_unix/pam_unix_passwd.c: Likewise. +* modules/pam_unix/pam_unix_sess.c: Likewise. +* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt. +* modules/pam_unix/passverify.h: Use 64 bit type for control flags. +* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt. +* modules/pam_unix/support.h: Add support for (gost-)yescrypt. +--- + modules/pam_unix/pam_unix.8.xml | 35 +++++++++- + modules/pam_unix/pam_unix_acct.c | 4 +- + modules/pam_unix/pam_unix_auth.c | 4 +- + modules/pam_unix/pam_unix_passwd.c | 12 ++-- + modules/pam_unix/pam_unix_sess.c | 4 +- + modules/pam_unix/passverify.c | 8 ++- + modules/pam_unix/passverify.h | 2 +- + modules/pam_unix/support.c | 33 ++++++---- + modules/pam_unix/support.h | 101 +++++++++++++++-------------- + 9 files changed, 128 insertions(+), 75 deletions(-) + +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index 1b318f11..cae2aeaa 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -331,14 +331,45 @@ + + + ++ ++ ++ ++ ++ ++ ++ When a user changes their password next, ++ encrypt it with the gost-yescrypt algorithm. If the ++ gost-yescrypt algorithm is not known to the ++ crypt3 ++ function, ++ fall back to MD5. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ When a user changes their password next, ++ encrypt it with the yescrypt algorithm. If the ++ yescrypt algorithm is not known to the ++ crypt3 ++ function, ++ fall back to MD5. ++ ++ ++ + + + + + + +- Set the optional number of rounds of the SHA256, SHA512 +- and blowfish password hashing algorithms to ++ Set the optional number of rounds of the SHA256, SHA512, ++ blowfish, gost-yescrypt, and yescrypt password hashing ++ algorithms to + n. + + +diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c +index fbc84e2f..d8d084ac 100644 +--- a/modules/pam_unix/pam_unix_acct.c ++++ b/modules/pam_unix/pam_unix_acct.c +@@ -62,7 +62,7 @@ + #include "support.h" + #include "passverify.h" + +-int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, ++int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl, + const char *user, int *daysleft) + { + int retval=0, child, fds[2]; +@@ -185,7 +185,7 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, + int + pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) + { +- unsigned int ctrl; ++ unsigned long long ctrl; + const void *void_uname; + const char *uname; + int retval, daysleft; +diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c +index 9d9f709d..905fc66c 100644 +--- a/modules/pam_unix/pam_unix_auth.c ++++ b/modules/pam_unix/pam_unix_auth.c +@@ -96,7 +96,7 @@ setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED) + int + pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + { +- unsigned int ctrl; ++ unsigned long long ctrl; + int retval, *ret_data = NULL; + const char *name; + const char *p; +@@ -194,7 +194,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, + { + int retval; + const void *pretval = NULL; +- unsigned int ctrl; ++ unsigned long long ctrl; + + D(("called.")); + +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index f2c42513..df4c1233 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -138,7 +138,7 @@ __taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf) + } + #endif + +-static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) ++static char *getNISserver(pam_handle_t *pamh, unsigned long long ctrl) + { + char *master; + char *domainname; +@@ -233,7 +233,7 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) + + #ifdef WITH_SELINUX + +-static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, ++static int _unix_run_update_binary(pam_handle_t *pamh, unsigned long long ctrl, const char *user, + const char *fromwhat, const char *towhat, int remember) + { + int retval, child, fds[2]; +@@ -388,7 +388,7 @@ static int check_old_password(const char *forwho, const char *newpass) + + static int _do_setpass(pam_handle_t* pamh, const char *forwho, + const char *fromwhat, +- char *towhat, unsigned int ctrl, int remember) ++ char *towhat, unsigned long long ctrl, int remember) + { + struct passwd *pwd = NULL; + int retval = 0; +@@ -512,7 +512,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, + return retval; + } + +-static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl) ++static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned long long ctrl) + { + struct passwd *pwent = NULL; /* Password and shadow password */ + struct spwd *spent = NULL; /* file entries for the user */ +@@ -542,7 +542,7 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in + } + + static int _pam_unix_approve_pass(pam_handle_t * pamh +- ,unsigned int ctrl ++ ,unsigned long long ctrl + ,const char *pass_old + ,const char *pass_new, + int pass_min_len) +@@ -600,7 +600,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh + int + pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) + { +- unsigned int ctrl, lctrl; ++ unsigned long long ctrl, lctrl; + int retval; + int remember = -1; + int rounds = 0; +diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c +index 03e7dcd9..4b8af530 100644 +--- a/modules/pam_unix/pam_unix_sess.c ++++ b/modules/pam_unix/pam_unix_sess.c +@@ -67,7 +67,7 @@ int + pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) + { + char *user_name, *service; +- unsigned int ctrl; ++ unsigned long long ctrl; + int retval; + const char *login_name; + +@@ -103,7 +103,7 @@ int + pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) + { + char *user_name, *service; +- unsigned int ctrl; ++ unsigned long long ctrl; + int retval; + + D(("called.")); +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index 95dfe528..39e2bfac 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -387,7 +387,7 @@ crypt_md5_wrapper(const char *pass_new) + } + + PAMH_ARG_DECL(char * create_password_hash, +- const char *password, unsigned int ctrl, int rounds) ++ const char *password, unsigned long long ctrl, int rounds) + { + const char *algoid; + #if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64 +@@ -404,6 +404,10 @@ PAMH_ARG_DECL(char * create_password_hash, + if (on(UNIX_MD5_PASS, ctrl)) { + /* algoid = "$1" */ + return crypt_md5_wrapper(password); ++ } else if (on(UNIX_YESCRYPT_PASS, ctrl)) { ++ algoid = "$y$"; ++ } else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) { ++ algoid = "$gy$"; + } else if (on(UNIX_BLOWFISH_PASS, ctrl)) { + algoid = "$2b$"; + } else if (on(UNIX_SHA256_PASS, ctrl)) { +@@ -466,6 +470,8 @@ PAMH_ARG_DECL(char * create_password_hash, + pam_syslog(pamh, LOG_ERR, + "Algo %s not supported by the crypto backend, " + "falling back to MD5\n", ++ on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" : ++ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" : + on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : + on(UNIX_SHA256_PASS, ctrl) ? "sha256" : + on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); +diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h +index caf7ae8a..086c28ac 100644 +--- a/modules/pam_unix/passverify.h ++++ b/modules/pam_unix/passverify.h +@@ -66,7 +66,7 @@ read_passwords(int fd, int npass, char **passwords); + #endif + + PAMH_ARG_DECL(char * create_password_hash, +- const char *password, unsigned int ctrl, int rounds); ++ const char *password, unsigned long long ctrl, int rounds); + + PAMH_ARG_DECL(int get_account_info, + const char *name, struct passwd **pwd, struct spwd **spwdent); +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index 8cbc4217..6894288d 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -107,7 +107,7 @@ search_key (const char *key, const char *filename) + + /* this is a front-end for module-application conversations */ + +-int _make_remark(pam_handle_t * pamh, unsigned int ctrl, ++int _make_remark(pam_handle_t * pamh, unsigned long long ctrl, + int type, const char *text) + { + int retval = PAM_SUCCESS; +@@ -122,10 +122,11 @@ int _make_remark(pam_handle_t * pamh, unsigned int ctrl, + * set the control flags for the UNIX module. + */ + +-int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, +- int *pass_min_len, int argc, const char **argv) ++unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember, ++ int *rounds, int *pass_min_len, int argc, ++ const char **argv) + { +- unsigned int ctrl; ++ unsigned long long ctrl; + char *val; + int j; + +@@ -243,15 +244,23 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, + set(UNIX__NONULL, ctrl); + } + +- /* Set default rounds for blowfish */ +- if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { +- *rounds = 5; +- set(UNIX_ALGO_ROUNDS, ctrl); ++ /* Set default rounds for blowfish, gost-yescrypt and yescrypt */ ++ if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { ++ if (on(UNIX_BLOWFISH_PASS, ctrl) || ++ on(UNIX_GOST_YESCRYPT_PASS, ctrl) || ++ on(UNIX_YESCRYPT_PASS, ctrl)) { ++ *rounds = 5; ++ set(UNIX_ALGO_ROUNDS, ctrl); ++ } + } + + /* Enforce sane "rounds" values */ + if (on(UNIX_ALGO_ROUNDS, ctrl)) { +- if (on(UNIX_BLOWFISH_PASS, ctrl)) { ++ if (on(UNIX_GOST_YESCRYPT_PASS, ctrl) || ++ on(UNIX_YESCRYPT_PASS, ctrl)) { ++ if (*rounds < 3 || *rounds > 11) ++ *rounds = 5; ++ } else if (on(UNIX_BLOWFISH_PASS, ctrl)) { + if (*rounds < 4 || *rounds > 31) + *rounds = 5; + } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) { +@@ -532,7 +541,7 @@ int _unix_comesfromsource(pam_handle_t *pamh, + #include + + static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, +- unsigned int ctrl, const char *user) ++ unsigned long long ctrl, const char *user) + { + int retval, child, fds[2]; + struct sigaction newsa, oldsa; +@@ -658,7 +667,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + */ + + int +-_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) ++_unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name) + { + struct passwd *pwd = NULL; + char *salt = NULL; +@@ -706,7 +715,7 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) + } + + int _unix_verify_password(pam_handle_t * pamh, const char *name +- ,const char *p, unsigned int ctrl) ++ ,const char *p, unsigned long long ctrl) + { + struct passwd *pwd = NULL; + char *salt = NULL; +diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h +index 543e9b9f..e02c05e0 100644 +--- a/modules/pam_unix/support.h ++++ b/modules/pam_unix/support.h +@@ -22,8 +22,8 @@ + + typedef struct { + const char *token; +- unsigned int mask; /* shall assume 32 bits of flags */ +- unsigned int flag; ++ unsigned long long mask; /* shall assume 64 bits of flags */ ++ unsigned long long flag; + unsigned int is_hash_algo; + } UNIX_Ctrls; + +@@ -48,7 +48,7 @@ typedef struct { + + /* the generic mask */ + +-#define _ALL_ON_ (~0U) ++#define _ALL_ON_ (~0ULL) + + /* end of macro definitions definitions for the control flags */ + +@@ -98,47 +98,51 @@ typedef struct { + #define UNIX_QUIET 28 /* Don't print informational messages */ + #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */ + #define UNIX_DES 30 /* DES, default */ ++#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */ ++#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */ + /* -------------- */ +-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 33 /* number of ctrl arguments defined */ + +-#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) ++#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)) + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + { +-/* symbol token name ctrl mask ctrl * +- * ----------------------- ------------------- --------------------- -------- */ +- +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, +-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0}, +-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1}, +-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1}, +-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1}, +-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, +-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, +-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, +-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, +-/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, ++/* symbol token name ctrl mask ctrl * ++ * --------------------------- -------------------- ------------------------- ---------------- */ ++ ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0}, ++/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, ++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1}, ++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, ++/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, ++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, ++/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1}, ++/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1}, ++/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -151,20 +155,23 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + _pam_drop(xx); \ + } + +-extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl +- ,int type, const char *text); +-extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds, +- int *pass_min_len, int argc, const char **argv); ++extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl, ++ int type, const char *text); ++extern unsigned long long _set_ctrl(pam_handle_t * pamh, int flags, ++ int *remember, int *rounds, ++ int *pass_min_len, ++ int argc, const char **argv); + extern int _unix_getpwnam (pam_handle_t *pamh, + const char *name, int files, int nis, + struct passwd **ret); + extern int _unix_comesfromsource (pam_handle_t *pamh, + const char *name, int files, int nis); +-extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl, ++extern int _unix_blankpasswd(pam_handle_t *pamh, unsigned long long ctrl, + const char *name); +-extern int _unix_verify_password(pam_handle_t * pamh, const char *name +- ,const char *p, unsigned int ctrl); ++extern int _unix_verify_password(pam_handle_t * pamh, const char *name, ++ const char *p, unsigned long long ctrl); + + extern int _unix_run_verify_binary(pam_handle_t *pamh, +- unsigned int ctrl, const char *user, int *daysleft); ++ unsigned long long ctrl, ++ const char *user, int *daysleft); + #endif /* _PAM_UNIX_SUPPORT_H */ diff --git a/pam.spec b/pam.spec index 0471891..ef0a797 100644 --- a/pam.spec +++ b/pam.spec @@ -52,6 +52,8 @@ Patch37: pam-1.3.1-unix-bcrypt_b.patch Patch38: pam-1.3.1-unix-gensalt-autoentropy.patch # https://github.com/linux-pam/linux-pam/commit/4da9febc39b955892a30686e8396785b96bb8ba5 Patch39: pam-1.3.1-unix-crypt_checksalt.patch +# https://github.com/linux-pam/linux-pam/commit/16bd523f85ede9fa9115f80e826f2d803d7e61d4 +Patch40: pam-1.3.1-unix-yescrypt.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security @@ -139,6 +141,7 @@ cp %{SOURCE18} . %patch37 -p1 -b .bcrypt_b %patch38 -p1 -b .gensalt-autoentropy %patch39 -p1 -b .crypt_checksalt +%patch40 -p1 -b .yescrypt autoreconf -i @@ -386,6 +389,7 @@ done - Backport upstream commit preferring bcrypt_b ($2b$) for blowfish - Backport upstream commit preferring gensalt with autoentropy - Backport upstream commit using crypt_checksalt for password aging +- Backport upstream commit adding support for (gost-)yescrypt * Fri Nov 16 2018 Björn Esser - 1.3.1-8 - Use %%ldconfig_scriptlets