From 94c0a4fee4ccd13e3be3e246c2b8745f84b9704a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Sun, 2 Dec 2018 20:11:52 +0100
Subject: [PATCH] Backport upstream commit fixing syslog for disabled or invalid hashes
---
 pam-1.3.1-unix-fix_checksalt_syslog.patch | 104 ++++++++++++++++++++++
 pam.spec | 4 +
 2 files changed, 108 insertions(+)
 create mode 100644 pam-1.3.1-unix-fix_checksalt_syslog.patch
diff --git a/pam-1.3.1-unix-fix_checksalt_syslog.patch b/pam-1.3.1-unix-fix_checksalt_syslog.patch
new file mode 100644
index 0000000..41733ae
--- /dev/null
+++ b/pam-1.3.1-unix-fix_checksalt_syslog.patch
@@ -0,0 +1,104 @@
+From d8d11db2cef65da5d2afa7acf21aa9c8cd88abed Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 27 Nov 2018 16:11:03 +0100
+Subject: [PATCH] pam_unix: Use pam_syslog instead of helper_log_err.
+
+* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
+  PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
+* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
+* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
+  to verify_pwd_hash() call.
+---
+ modules/pam_unix/passverify.c | 24 +++++++++++++-----------
+ modules/pam_unix/passverify.h | 6 +++---
+ modules/pam_unix/support.c | 2 +-
+ 3 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 2c808eb5..80e32767 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -65,8 +65,8 @@ strip_hpux_aging(char *hash)
+ }
+ }
+ 
+-int
+-verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
++PAMH_ARG_DECL(int verify_pwd_hash,
++ const char *p, char *hash, unsigned int nullok)
+ {
+ size_t hash_len;
+ char *pp = NULL;
+@@ -116,11 +116,10 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
+ * pam_syslog() needs a pam handle,
+ * but that's not available here.
+ */
+- helper_log_err(LOG_ERR,
+- "pam_unix(verify_pwd_hash): The method "
+- "for computing the hash \"%.6s\" has been "
+- "disabled in libcrypt by the preset from "
+- "the system's vendor and/or administrator.",
++ pam_syslog(pamh, LOG_ERR,
++ "The support for password hash \"%.6s\" "
++ "has been disabled in libcrypt "
++ "configuration.",
+ hash);
+ }
+ /*
+@@ -132,12 +131,15 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
+ * recent implementations of libcrypt.
+ */
+ if (retval_checksalt == CRYPT_SALT_INVALID) {
+- helper_log_err(LOG_ERR,
+- "pam_unix(verify_pwd_hash): The hash \"%.6s\""
+- "does not use a method known by the version "
+- "of libcrypt this system is supplied with.",
++ pam_syslog(pamh, LOG_ERR,
++ "The password hash \"%.6s\" is unknown to "
++ "libcrypt.",
+ hash);
+ }
++#else
++#ifndef HELPER_COMPILE
++ (void)pamh;
++#endif
+ #endif
+ #ifdef HAVE_CRYPT_R
+ struct crypt_data *cdata;
+diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
+index 086c28ac..e9a88fbf 100644
+--- a/modules/pam_unix/passverify.h
++++ b/modules/pam_unix/passverify.h
+@@ -12,9 +12,6 @@
+ 
+ #define OLD_PASSWORDS_FILE "/etc/security/opasswd"
+ 
+-int
+-verify_pwd_hash(const char *p, char *hash, unsigned int nullok);
+-
+ int
+ is_pwd_shadowed(const struct passwd *pwd);
+ 
+@@ -65,6 +62,9 @@ read_passwords(int fd, int npass, char **passwords);
+ #define PAMH_ARG(...) pamh, __VA_ARGS__
+ #endif
+ 
++PAMH_ARG_DECL(int verify_pwd_hash,
++ const char *p, char *hash, unsigned int nullok);
++
+ PAMH_ARG_DECL(char * create_password_hash,
+ const char *password, unsigned long long ctrl, int rounds);
+ 
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 6894288d..ea5594d2 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -770,7 +770,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
+ }
+ }
+ } else {
+- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
++ retval = verify_pwd_hash(pamh, p, salt, off(UNIX__NONULL, ctrl));
+ }
+ 
+ if (retval == PAM_SUCCESS) {
diff --git a/pam.spec b/pam.spec
index 022b2f6..f2bed06 100644
--- a/pam.spec
+++ b/pam.spec
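Review bot: The comment kept as context directly above the new `pam_syslog(pamh, LOG_ERR, …)` call in verify_pwd_hash still says `* pam_syslog() needs a pam handle,` / `* but that's not available here.`, which this very change falsifies now that the handle arrives through PAMH_ARG_DECL; the next reader will go looking for a reason the handle is unusable. I would replace those two lines with `* pamh is supplied via PAMH_ARG_DECL (absent in the HELPER_COMPILE build).` or drop them. Related: the `(void)pamh;` added under `#else` is guarded by `#ifndef HELPER_COMPILE`, which implies pamh does not exist as a parameter in the helper build, so the two `pam_syslog(pamh, …)` calls can only compile there if pam_syslog and pamh are remapped somewhere not shown in this patch — worth confirming the backport carries that mapping too. The `/*` opener of that comment, the `#if` matching the new `#else`, and the rest of verify_pwd_hash all lie outside the hunk.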
@@ -59,6 +59,8 @@ Patch41: pam-1.3.1-unix-no-fallback.patch
 Patch42: pam-1.3.1-motd-multiple-paths.patch
 # https://github.com/linux-pam/linux-pam/commit/86eed7ca01864b9fd17099e57f10f2b9b6b568a1
 Patch43: pam-1.3.1-unix-checksalt_syslog.patch
+# https://github.com/linux-pam/linux-pam/commit/d8d11db2cef65da5d2afa7acf21aa9c8cd88abed
+Patch44: pam-1.3.1-unix-fix_checksalt_syslog.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -149,6 +151,7 @@ cp %{SOURCE18} .
 %patch41 -p1 -b .no-fallback
 %patch42 -p1 -b .multiple-paths
 %patch43 -p1 -b .checksalt_syslog
+%patch44 -p1 -b .fix_checksalt_syslog
 
 autoreconf -i
 
@@ -393,6 +396,7 @@ done
 %changelog
 * Sun Dec 02 2018 Björn Esser - 1.3.1-13
 - Backport upstream commit reporting disabled or invalid hashes to syslog
+- Backport upstream commit fixing syslog for disabled or invalid hashes
 
 * Wed Nov 28 2018 Robert Fairley 1.3.1-12
 - Backport upstream commit pam_motd: Support multiple motd paths specified, with filename overrides (#69)