From d8d11db2cef65da5d2afa7acf21aa9c8cd88abed Mon Sep 17 00:00:00 2001

From: Tomas Mraz <tmraz@fedoraproject.org>

Date: Tue, 27 Nov 2018 16:11:03 +0100

Subject: [PATCH] pam_unix: Use pam_syslog instead of helper_log_err.

* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via

 PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().

* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().

* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument

 to verify_pwd_hash() call.

---

 modules/pam_unix/passverify.c | 24 +++++++++++++-----------

 modules/pam_unix/passverify.h |  6 +++---

 modules/pam_unix/support.c    |  2 +-

 3 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c

index 2c808eb5..80e32767 100644

--- a/modules/pam_unix/passverify.c

+++ b/modules/pam_unix/passverify.c

@@ -65,8 +65,8 @@ strip_hpux_aging(char *hash)

 	}

 }

-int

-verify_pwd_hash(const char *p, char *hash, unsigned int nullok)

+PAMH_ARG_DECL(int verify_pwd_hash,

+	const char *p, char *hash, unsigned int nullok)

 {

 	size_t hash_len;

 	char *pp = NULL;

@@ -116,11 +116,10 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)

 				 * pam_syslog() needs a pam handle,

 				 * but that's not available here.

 				 */

-				helper_log_err(LOG_ERR,

-				  "pam_unix(verify_pwd_hash): The method "

-				  "for computing the hash \"%.6s\" has been "

-				  "disabled in libcrypt by the preset from "

-				  "the system's vendor and/or administrator.",

+				pam_syslog(pamh, LOG_ERR,

+				  "The support for password hash \"%.6s\" "

+				  "has been disabled in libcrypt "

+				  "configuration.",

 				  hash);

 			}

 			/*

@@ -132,12 +131,15 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)

 			 * recent implementations of libcrypt.

 			 */

 			if (retval_checksalt == CRYPT_SALT_INVALID) {

-				helper_log_err(LOG_ERR,

-				  "pam_unix(verify_pwd_hash): The hash \"%.6s\""

-				  "does not use a method known by the version "

-				  "of libcrypt this system is supplied with.",

+				pam_syslog(pamh, LOG_ERR,

+				  "The password hash \"%.6s\" is unknown to "

+				  "libcrypt.",

 				  hash);

 			}

+#else

+#ifndef HELPER_COMPILE

+			(void)pamh;

+#endif

 #endif

 #ifdef HAVE_CRYPT_R

 			struct crypt_data *cdata;

diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h

index 086c28ac..e9a88fbf 100644

--- a/modules/pam_unix/passverify.h

+++ b/modules/pam_unix/passverify.h

@@ -12,9 +12,6 @@

 #define OLD_PASSWORDS_FILE      "/etc/security/opasswd"

-int

-verify_pwd_hash(const char *p, char *hash, unsigned int nullok);

-

 int

 is_pwd_shadowed(const struct passwd *pwd);

@@ -65,6 +62,9 @@ read_passwords(int fd, int npass, char **passwords);

 #define PAMH_ARG(...)			pamh, __VA_ARGS__

 #endif

+PAMH_ARG_DECL(int verify_pwd_hash,

+	const char *p, char *hash, unsigned int nullok);

+

 PAMH_ARG_DECL(char * create_password_hash,

 	const char *password, unsigned long long ctrl, int rounds);

diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c

index 6894288d..ea5594d2 100644

--- a/modules/pam_unix/support.c

+++ b/modules/pam_unix/support.c

@@ -770,7 +770,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name

 			}

 		}

 	} else {

-		retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));

+		retval = verify_pwd_hash(pamh, p, salt, off(UNIX__NONULL, ctrl));

 	}

 	if (retval == PAM_SUCCESS) {