From ae8e396328c9b12af10ad8157825a498646c84e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Fri, 23 Nov 2018 17:45:20 +0100 Subject: [PATCH] Update the no-MD5-fallback patch for alignment --- ....patch => pam-1.3.1-unix-no-fallback.patch | 58 ++++++++++++++----- pam.spec | 7 ++- 2 files changed, 49 insertions(+), 16 deletions(-) rename pam-1.2.0-unix-no-fallback.patch => pam-1.3.1-unix-no-fallback.patch (53%) diff --git a/pam-1.2.0-unix-no-fallback.patch b/pam-1.3.1-unix-no-fallback.patch similarity index 53% rename from pam-1.2.0-unix-no-fallback.patch rename to pam-1.3.1-unix-no-fallback.patch index 6295da7..8755cf6 100644 --- a/pam-1.2.0-unix-no-fallback.patch +++ b/pam-1.3.1-unix-no-fallback.patch @@ -1,7 +1,8 @@ -diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml ---- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200 -+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200 -@@ -284,11 +284,10 @@ +Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix.8.xml ++++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml +@@ -293,11 +293,10 @@ When a user changes their password next, @@ -16,7 +17,7 @@ diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1 -@@ -299,11 +298,10 @@ +@@ -308,11 +307,10 @@ When a user changes their password next, @@ -31,7 +32,7 @@ diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1 -@@ -314,11 +312,10 @@ +@@ -323,11 +321,10 @@ When a user changes their password next, 
@@ -46,10 +47,41 @@ diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1 -diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c ---- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200 -+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200 -@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has +@@ -338,11 +335,10 @@ + + + When a user changes their password next, +- encrypt it with the gost-yescrypt algorithm. If the +- gost-yescrypt algorithm is not known to the ++ encrypt it with the gost-yescrypt algorithm. The ++ gost-yescrypt algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. + + + +@@ -353,11 +349,10 @@ + + + When a user changes their password next, +- encrypt it with the yescrypt algorithm. If the +- yescrypt algorithm is not known to the ++ encrypt it with the yescrypt algorithm. The ++ yescrypt algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. + + + +Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c +=================================================================== +--- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c ++++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c +@@ -466,10 +466,9 @@ PAMH_ARG_DECL(char * create_password_has sp = crypt(password, salt); #endif if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { 
@@ -59,10 +91,10 @@ diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2 - "Algo %s not supported by the crypto backend, " - "falling back to MD5\n", + "Algo %s not supported by the crypto backend.\n", + on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" : + on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" : on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : - on(UNIX_SHA256_PASS, ctrl) ? "sha256" : - on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); -@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has +@@ -481,7 +480,7 @@ PAMH_ARG_DECL(char * create_password_has #ifdef HAVE_CRYPT_R free(cdata); #endif diff --git a/pam.spec b/pam.spec index ef0a797..26627b2 100644 --- a/pam.spec +++ b/pam.spec @@ -34,8 +34,6 @@ Patch9: pam-1.3.1-noflex.patch Patch10: pam-1.1.3-nouserenv.patch Patch13: pam-1.1.6-limits-user.patch Patch15: pam-1.1.8-full-relro.patch -# FIPS related - non upstreamable -Patch20: pam-1.2.0-unix-no-fallback.patch Patch28: pam-1.1.1-console-errmsg.patch # Upstreamed partially Patch29: pam-1.3.0-pwhistory-helper.patch @@ -54,6 +52,8 @@ Patch38: pam-1.3.1-unix-gensalt-autoentropy.patch Patch39: pam-1.3.1-unix-crypt_checksalt.patch # https://github.com/linux-pam/linux-pam/commit/16bd523f85ede9fa9115f80e826f2d803d7e61d4 Patch40: pam-1.3.1-unix-yescrypt.patch +# To be upstreamed soon. +Patch41: pam-1.3.1-unix-no-fallback.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security @@ -129,7 +129,6 @@ cp %{SOURCE18} . %patch10 -p1 -b .nouserenv %patch13 -p1 -b .limits %patch15 -p1 -b .relro -%patch20 -p1 -b .no-fallback %patch28 -p1 -b .errmsg %patch29 -p1 -b .pwhhelper %patch31 -p1 -b .audit-user-mgmt @@ -142,6 +141,7 @@ cp %{SOURCE18} . %patch38 -p1 -b .gensalt-autoentropy %patch39 -p1 -b .crypt_checksalt %patch40 -p1 -b .yescrypt +%patch41 -p1 -b .no-fallback autoreconf -i 
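Review bot: The failure branch entered by `if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0)` (context at the end of the previous hunk) has no visible comment saying that it now refuses the password change rather than storing an MD5 hash. A one-line comment such as `/* crypt() did not return a hash of the requested scheme: fail, never store a weaker one */` would keep that intent next to the code. The statement that actually ends the fallback sits in the following inner hunk (`@@ -481,7 +480,7 @@`), and its changed line is beyond the context shown here, so it cannot be checked from this diff. The callers of create_password_hash are also outside the hunk; presumably they treat the failure return as a rejected change, which is worth confirming before this ships.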
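Review bot: The comment `# To be upstreamed soon.` on Patch41 (hunk `@@ -54,6 +52,8 @@`) drops the rationale that the removed `# FIPS related - non upstreamable` comment carried, and it does not say why the patch moved from slot 20 to slot 41. The refreshed patch's context now includes the `UNIX_YESCRYPT_PASS` / `UNIX_GOST_YESCRYPT_PASS` lines, so it presumably only applies after Patch40 (pam-1.3.1-unix-yescrypt.patch). The `%patch41` line added after `%patch40` in hunk `@@ -142,6 +141,7 @@` is consistent with that. I would record both facts, e.g. `# Fail instead of falling back to MD5 when crypt() lacks the requested algorithm.` and `# Must apply after Patch40 (yescrypt); to be upstreamed.`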
@@ -390,6 +390,7 @@ done - Backport upstream commit preferring gensalt with autoentropy - Backport upstream commit using crypt_checksalt for password aging - Backport upstream commit adding support for (gost-)yescrypt +- Update the no-MD5-fallback patch for alignment * Fri Nov 16 2018 Björn Esser - 1.3.1-8 - Use %%ldconfig_scriptlets