Completely drop the check of invalid or disabled salt via crypt_checksalt

pam-1.3.1-unix-crypt_checksalt.patch

@@ -38,23 +38,3 @@ index 1f433b3a..6132130a 100644
  		D(("need a new password"));
  		*daysleft = 0;
  		return PAM_NEW_AUTHTOK_REQD;
-@@ -255,10 +261,19 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- 			 spent->sp_namp);
- 		return PAM_SUCCESS;
- 	}
-+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-+	if (((curdays - spent->sp_lstchg > spent->sp_max)
-+	    && (curdays - spent->sp_lstchg > spent->sp_inact)
-+	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
-+	    && (spent->sp_max != -1) && (spent->sp_inact != -1))
-+	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-+	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-+#else
- 	if ((curdays - spent->sp_lstchg > spent->sp_max)
- 	    && (curdays - spent->sp_lstchg > spent->sp_inact)
- 	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
- 	    && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-+#endif
- 		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- 		D(("authtok expired"));
- 		return PAM_AUTHTOK_EXPIRED;

pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch

@@ -1,31 +0,0 @@
-commit 3374f53d96aeea7760fb689f4acc89e9ac727428
-Author: Björn Esser <besser82@fedoraproject.org>
-Date:   Sun Nov 25 07:11:23 2018 +0100
-
-    pam_unix: Do not fail passphraseless sudo on locked accounts.
-    
-    Commit 4da9febc39b9 introduced a regression that made passphraseless
-    sudo fail when it was invoked from a user with a locked passphrase.
-    Thus we should check for such a scenario when evaluating the return
-    value of crypt_checksalt(3).
-    
-    * modules/pam_unix/passverify.c (check_shadow_expiry): Do not return
-    PAM_AUTHTOK_EXPIRED on locked user accounts.
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 39e2bfa..7c0be8d 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -266,8 +266,10 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- 	    && (curdays - spent->sp_lstchg > spent->sp_inact)
- 	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
- 	    && (spent->sp_max != -1) && (spent->sp_inact != -1))
--	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
--	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-+	    || (((crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-+		 || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID))
-+	        && ((spent->sp_pwdp != NULL)
-+		    && !((spent->sp_pwdp[0] == '!') || (spent->sp_pwdp[0] == '*'))))) {
- #else
- 	if ((curdays - spent->sp_lstchg > spent->sp_max)
- 	    && (curdays - spent->sp_lstchg > spent->sp_inact)

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -54,9 +54,6 @@ Patch39: pam-1.3.1-unix-crypt_checksalt.patch
 Patch40: pam-1.3.1-unix-yescrypt.patch
 # To be upstreamed soon.
 Patch41: pam-1.3.1-unix-no-fallback.patch
-# https://github.com/linux-pam/linux-pam/pull/80
-# Fixes rhbz#1653023
-Patch42: pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -145,7 +142,6 @@ cp %{SOURCE18} .
 %patch39 -p1 -b .crypt_checksalt
 %patch40 -p1 -b .yescrypt
 %patch41 -p1 -b .no-fallback
-%patch42 -p1 -b .checksalt-passphraseless-sudo
 
 autoreconf -i
 
@@ -388,6 +384,9 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Mon Nov 26 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-11
+- Completely drop the check of invalid or disabled salt via crypt_checksalt
+
 * Sun Nov 25 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-10
 - Fix passphraseless sudo with crypt_checksalt (#1653023)