packages/libpwquality
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 10:57:44 -04:00
commit 73de95d36e
6 changed files with 310 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
0001-Fix-harmless-one-byte-buffer-underflow-on-read.patch Normal file
View File

@ -0,0 +1,46 @@
From 9d6140b4c37f39cdd0c1947adf07dc5ca1762055 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 26 Mar 2019 10:12:09 +0100
Subject: [PATCH 1/2] Fix harmless one byte buffer underflow on read
When settings file has comments spanning a whole line there
is harmless one byte read before the line buffer.
Thanks Emiel Bruijntjes for finding the issue.
---
src/settings.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/settings.c b/src/settings.c
index 4f11537..922a55d 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -134,7 +134,8 @@ read_config_file(pwquality_settings_t *pwq, const char *cfgfile, void **auxerror
int eq;
len = strlen(linebuf);
- if (linebuf[len - 1] != '\n' && !feof(f)) {
+ /* len cannot be 0 unless there is a bug in fgets */
+ if (len && linebuf[len - 1] != '\n' && !feof(f)) {
(void) fclose(f);
return PWQ_ERROR_CFGFILE_MALFORMED;
}
@@ -146,13 +147,13 @@ read_config_file(pwquality_settings_t *pwq, const char *cfgfile, void **auxerror
}
/* drop terminating whitespace including the \n */
- do {
+ while (ptr > linebuf) {
if (!isspace(*(ptr-1))) {
*ptr = '\0';
break;
}
--ptr;
- } while (ptr > linebuf);
+ }
/* skip initial whitespace */
for (ptr = linebuf; isspace(*ptr); ptr++);
--
1.8.3.1

69
0006-pam_pwquality-Abort-the-retry-loop-when-user-cancels.patch Normal file
View File

@ -0,0 +1,69 @@
From bddd1dfe5a13e39e04ed1593cba4263dfd528fad Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 17 May 2018 15:32:16 +0200
Subject: [PATCH 06/11] pam_pwquality: Abort the retry loop when user cancels
prompt
The retry loop must be aborted for any pam_get_authtok() error
except for PAM_TRY_AGAIN.
Fixes: #7
---
src/pam_pwquality.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c
index dd72380..9c9849d 100644
--- a/src/pam_pwquality.c
+++ b/src/pam_pwquality.c
@@ -209,11 +209,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
*/
retval = pam_get_authtok_noverify(pamh, &newtoken, NULL);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s",
- pam_strerror(pamh, retval));
- continue;
- } else if (newtoken == NULL) { /* user aborted password change, quit */
+ if (retval != PAM_SUCCESS || newtoken == NULL) {
+ if (retval == PAM_AUTHTOK_ERR || newtoken == NULL)
+ pam_syslog(pamh, LOG_INFO, "user aborted password change");
+ else
+ pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s",
+ pam_strerror(pamh, retval));
pwquality_free_settings(options.pwq);
return PAM_AUTHTOK_ERR;
}
@@ -248,12 +249,15 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
retval = pam_get_authtok_verify(pamh, &newtoken, NULL);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned error: %s",
- pam_strerror(pamh, retval));
+ if (retval != PAM_SUCCESS || newtoken == NULL) {
pam_set_item(pamh, PAM_AUTHTOK, NULL);
- continue;
- } else if (newtoken == NULL) { /* user aborted password change, quit */
+ if (retval == PAM_TRY_AGAIN)
+ continue;
+ if (retval == PAM_AUTHTOK_ERR || newtoken == NULL)
+ pam_syslog(pamh, LOG_INFO, "user aborted password change");
+ else
+ pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned error: %s",
+ pam_strerror(pamh, retval));
pwquality_free_settings(options.pwq);
return PAM_AUTHTOK_ERR;
}
@@ -270,7 +274,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (options.retry_times > 1)
return PAM_MAXTRIES;
else
- return retval;
+ return PAM_AUTHTOK_ERR;
} else {
pwquality_free_settings(options.pwq);
if (ctrl & PAM_DEBUG_ARG)
--
1.8.3.1

24
fix-password-similarity.patch Normal file
View File

@ -0,0 +1,24 @@
From d0a20b9fa44fa39e8401eb1de57bce063bea007e Mon Sep 17 00:00:00 2001
From: cangyi <cangyi@huawei.com>
Date: Tue, 9 Apr 2019 04:58:14 -0400
---
src/pwqprivate.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pwqprivate.h b/src/pwqprivate.h
index 4ac96a7..68cd087 100644
--- a/src/pwqprivate.h
+++ b/src/pwqprivate.h
@@ -37,7 +37,7 @@ struct setting_mapping {
int type;
};
-#define PWQ_DEFAULT_DIFF_OK 1
+#define PWQ_DEFAULT_DIFF_OK 5
#define PWQ_DEFAULT_MIN_LENGTH 8
#define PWQ_DEFAULT_DIG_CREDIT 0
#define PWQ_DEFAULT_UP_CREDIT 0
--
1.8.3.1

BIN
libpwquality-1.4.0.tar.bz2 Normal file
View File

Binary file not shown.

131
libpwquality.spec Normal file
View File

@ -0,0 +1,131 @@
%define _moduledir %{_libdir}/security
%define _secconfdir %{_sysconfdir}/security
Name: libpwquality
Version: 1.4.0
Release: 11
Summary: Library for password quality checking and generating random passwords.
License: BSD or GPLv2+
URL: https://github.com/libpwquality/libpwquality/
Source0: https://github.com/libpwquality/libpwquality/releases/download/libpwquality-%{version}/libpwquality-%{version}.tar.bz2
#patch from Fedora
Patch6000: 0006-pam_pwquality-Abort-the-retry-loop-when-user-cancels.patch
#patch from Fedora
Patch6001: 0001-Fix-harmless-one-byte-buffer-underflow-on-read.patch
Patch9000: modify-pwquality_conf.patch
Patch9001: fix-password-similarity.patch
BuildRequires: gcc cracklib-devel gettext pam-devel
BuildRequires: python2-devel python3-devel
Recommends: cracklib >= 2.8
Requires: pam
%description
The libpwquality library purpose is to provide common functions for password quality checking and also scoring them based on their apparent randomness.
The library also provides a function for generating random passwords with good pronounceability.
The library supports reading and parsing of a configuration file.
%package devel
Summary: Support for development of applications using the libpwquality library
Requires: libpwquality = %{version}-%{release}
Requires: pkgconfig
%description devel
Files needed for development of applications using the libpwquality library.
See the pwquality.h header file for the API.
%package -n python2-pwquality
Summary: Python2 bindings for the libpwquality library
Requires: libpwquality = %{version}-%{release}
%description -n python2-pwquality
This package provides Python2 bindings for the libpwquality library.
%package -n python3-pwquality
Summary: Python3 bindings for the libpwquality library
Requires: libpwquality = %{version}-%{release}
%description -n python3-pwquality
This package provides Python3 bindings for the libpwquality library.
%package_help
%prep
%autosetup -n %{name}-%{version} -p1
rm -rf %{py3dir}
cp -a . %{py3dir}
%build
#python2
%configure --with-securedir=%{_moduledir} \
--with-pythonsitedir=%{python2_sitearch} \
--with-python-binary=%{__python2} \
--disable-static
%make_build
#python3
cd %{py3dir}
%configure --with-securedir=%{_moduledir} \
--with-pythonsitedir=%{python3_sitearch} \
--with-python-binary=%{__python3} \
--disable-static
%make_build
cd -
%install
%make_install
cd %{py3dir}
%make_install -C python
cd -
rm -f %{buildroot}%{_libdir}/*.la
rm -f %{buildroot}%{_moduledir}/*.la
mkdir %{buildroot}%{_secconfdir}/pwquality.conf.d
%find_lang libpwquality
%check
%ldconfig_scriptlets
%files -f libpwquality.lang
%license COPYING
%doc README NEWS AUTHORS
%{_bindir}/pwmake
%{_bindir}/pwscore
%{_moduledir}/pam_pwquality.so
%{_libdir}/libpwquality.so.*
%config(noreplace) %{_secconfdir}/pwquality.conf
%{_secconfdir}/pwquality.conf.d
%files devel
%{_includedir}/pwquality.h
%{_libdir}/libpwquality.so
%{_libdir}/pkgconfig/*.pc
%files -n python2-pwquality
%{python2_sitearch}/pwquality.so
%{python2_sitearch}/*.egg-info
%files -n python3-pwquality
%{python3_sitearch}/*.so
%{python3_sitearch}/*.egg-info
%files help
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man3/*
%{_mandir}/man8/*
%changelog
* Wed Sep 4 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.4.0-11
- Package init

40
modify-pwquality_conf.patch Normal file
View File

@ -0,0 +1,40 @@
diff -Nupr libpwquality-1.2.3.orig/src/pwquality.conf libpwquality-1.2.3/src/pwquality.conf
--- libpwquality-1.2.3.orig/src/pwquality.conf 2015-08-18 10:29:38.000000000 +0800
+++ libpwquality-1.2.3/src/pwquality.conf 2015-08-18 10:30:57.000000000 +0800
@@ -8,30 +8,30 @@
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
-# minlen = 8
+minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
-# dcredit = 0
+dcredit = 0
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
-# ucredit = 0
+ucredit = 0
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
-# lcredit = 0
+lcredit = 0
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
-# ocredit = 0
+ocredit = 0
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
-# minclass = 0
+minclass = 3
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.