Backport upstream commit using crypt_checksalt for password aging

pam-1.3.1-unix-crypt_checksalt.patch

@@ -0,0 +1,60 @@
+From 62425bf2a0c72d0e23139d0b285547a7add26251 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Thu, 15 Nov 2018 19:49:44 +0100
+Subject: [PATCH] pam_unix: Add support for crypt_checksalt, if libcrypt
+ supports it.
+
+libxcrypt v4.3 has added the crypt_checksalt function to whether
+the prefix at the begining of a given hash string refers to a
+supported hashing method.
+
+Future revisions of this function will add support to check whether
+the hashing method, the prefix refers to, was disabled or considered
+deprecated by the system's factory presets or system administrator.
+Furthermore it will be able to detect whether the parameters, which
+are used by the corresponding hashing method, being encoded in the
+hash string are not considered to be strong enough anymore.
+
+*modules/pam_unix/passverify.c: Add support for crypt_checksalt.
+---
+ modules/pam_unix/passverify.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 1f433b3a..6132130a 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -244,7 +244,13 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ 		D(("account expired"));
+ 		return PAM_ACCT_EXPIRED;
+ 	}
++#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
++	if (spent->sp_lstchg == 0 ||
++	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
++	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
++#else
+ 	if (spent->sp_lstchg == 0) {
++#endif
+ 		D(("need a new password"));
+ 		*daysleft = 0;
+ 		return PAM_NEW_AUTHTOK_REQD;
+@@ -255,10 +261,19 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ 			 spent->sp_namp);
+ 		return PAM_SUCCESS;
+ 	}
++#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
++	if (((curdays - spent->sp_lstchg > spent->sp_max)
++	    && (curdays - spent->sp_lstchg > spent->sp_inact)
++	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
++	    && (spent->sp_max != -1) && (spent->sp_inact != -1))
++	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
++	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
++#else
+ 	if ((curdays - spent->sp_lstchg > spent->sp_max)
+ 	    && (curdays - spent->sp_lstchg > spent->sp_inact)
+ 	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
+ 	    && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
++#endif
+ 		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
+ 		D(("authtok expired"));
+ 		return PAM_AUTHTOK_EXPIRED;

pam.spec

@@ -50,6 +50,8 @@ Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
 Patch37: pam-1.3.1-unix-bcrypt_b.patch
 # https://github.com/linux-pam/linux-pam/commit/dce80b3f11b3c3aa137d18f22699809094dd64b6
 Patch38: pam-1.3.1-unix-gensalt-autoentropy.patch
+# https://github.com/linux-pam/linux-pam/commit/4da9febc39b955892a30686e8396785b96bb8ba5
+Patch39: pam-1.3.1-unix-crypt_checksalt.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -136,6 +138,7 @@ cp %{SOURCE18} .
 %patch36 -p1 -b .remove-prototype
 %patch37 -p1 -b .bcrypt_b
 %patch38 -p1 -b .gensalt-autoentropy
+%patch39 -p1 -b .crypt_checksalt
 
 autoreconf -i
 
@@ -382,6 +385,7 @@ done
 - Backport upstream commit removing an obsolete prototype
 - Backport upstream commit preferring bcrypt_b ($2b$) for blowfish
 - Backport upstream commit preferring gensalt with autoentropy
+- Backport upstream commit using crypt_checksalt for password aging
 
 * Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8
 - Use %%ldconfig_scriptlets