forked from jengelh/openldap2
7ecd27d588
password checker, introducing: ppolicy-check-password-1.2.tar.gz ppolicy-check-password.Makefile ppolicy-check-password.conf ppolicy-check-password.5 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch (Implements fate#319461) OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=155
131 lines
3.7 KiB
Diff
131 lines
3.7 KiB
Diff
From b026c9236e6b11c158e69572a28eb0efb174234b Mon Sep 17 00:00:00 2001
|
|
From: HouzuoGuo <guohouzuo@gmail.com>
|
|
Date: Wed, 17 Feb 2016 16:10:05 +0100
|
|
Subject: [PATCH] Fix incorrect calculation of consecutive number of characters
|
|
in a class, when the input is shorter than 6 chars or consecutive chars
|
|
appear at the beginning of input
|
|
|
|
|
|
diff --git a/check_password.c b/check_password.c
|
|
index 0d9f901..acf8eda 100644
|
|
--- a/check_password.c
|
|
+++ b/check_password.c
|
|
@@ -355,18 +355,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
|
int min_quality = DEFAULT_QUALITY;
|
|
int use_cracklib = DEFAULT_CRACKLIB;
|
|
|
|
- /** bail out early as cracklib will reject passwords shorter
|
|
- * than 6 characters
|
|
- */
|
|
-
|
|
nLen = strlen (pPasswd);
|
|
- if ( nLen < 6) {
|
|
- mem_len = realloc_error_message(&szErrStr, mem_len,
|
|
- strlen(PASSWORD_TOO_SHORT_SZ) +
|
|
- strlen(pEntry->e_name.bv_val) + 1);
|
|
- sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
|
|
- goto fail;
|
|
- }
|
|
|
|
if (read_config_file() == -1) {
|
|
syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
|
|
@@ -392,46 +381,38 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
|
*/
|
|
|
|
if ( max_consecutive_per_class != 0 ) {
|
|
- int consec_chars = 1;
|
|
- char type[10] = "unkown";
|
|
- char prev_type[10] = "unknown";
|
|
+ char prev_type = '\0';
|
|
+ char this_type = ' ';
|
|
+ i = 0;
|
|
+ int consec_chars = 0;
|
|
for ( i = 0; i < nLen; i++ ) {
|
|
-
|
|
if ( islower(pPasswd[i]) ) {
|
|
- strncpy(type,"lower",10);
|
|
+ this_type = 'l';
|
|
}
|
|
else if ( isupper(pPasswd[i]) ) {
|
|
- strncpy(type,"upper",10);
|
|
+ this_type = 'u';
|
|
}
|
|
else if ( isdigit(pPasswd[i]) ) {
|
|
- strncpy(type,"digit",10);
|
|
+ this_type = 'd';
|
|
}
|
|
else if ( ispunct(pPasswd[i]) ) {
|
|
- strncpy(type,"punct",10);
|
|
+ this_type = 'p';
|
|
}
|
|
else {
|
|
- strncpy(type,"unknown",10);
|
|
- }
|
|
-
|
|
- if ( consec_chars > max_consecutive_per_class ) {
|
|
- mem_len = realloc_error_message(&szErrStr, mem_len,
|
|
- strlen(CONSEC_FAIL_SZ) +
|
|
- strlen(pEntry->e_name.bv_val));
|
|
- sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
|
|
- goto fail;
|
|
+ this_type = ' ';
|
|
}
|
|
-
|
|
- if ( strncmp(type,prev_type,10) == 0 ) {
|
|
- consec_chars++;
|
|
+ if (this_type == prev_type) {
|
|
+ ++consec_chars;
|
|
+ } else if (i > 0) {
|
|
+ consec_chars = 0;
|
|
}
|
|
- else {
|
|
- if (strncmp("unknown",prev_type,8) != 0) {
|
|
- consec_chars = 1;
|
|
- }
|
|
- else {
|
|
- consec_chars++;
|
|
- }
|
|
- strncpy(prev_type,type,10);
|
|
+ prev_type = this_type;
|
|
+ if ( consec_chars >= max_consecutive_per_class ) {
|
|
+ mem_len = realloc_error_message(&szErrStr, mem_len,
|
|
+ strlen(CONSEC_FAIL_SZ) +
|
|
+ strlen(pEntry->e_name.bv_val));
|
|
+ sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
|
|
+ goto fail;
|
|
}
|
|
}
|
|
}
|
|
diff --git a/check_password_test.c b/check_password_test.c
|
|
index 626d719..d33bd80 100644
|
|
--- a/check_password_test.c
|
|
+++ b/check_password_test.c
|
|
@@ -90,7 +90,6 @@ void setconf(
|
|
}
|
|
|
|
int main(void) {
|
|
-
|
|
// Empty Config, equiv to:
|
|
// 5,3,1,0,0,0,0
|
|
setconf(-1,-1,-1,-1,-1,-1,-1);
|
|
@@ -109,5 +108,16 @@ int main(void) {
|
|
testpass("Test 2.1", "Simp1e", 1);
|
|
testpass("Test 2.2", "SimPle", 1);
|
|
testpass("Test 2.1", "Simp1e!", 0);
|
|
+
|
|
+ setconf(1,0,0,0,0,0,0);
|
|
+ testpass("a", "Ab1,", 0);
|
|
+ testpass("a", "AAb1,", 1);
|
|
+ testpass("a", "Abb1,", 1);
|
|
+
|
|
+ setconf(3,0,0,0,0,0,0);
|
|
+ testpass("a", "AAAbbb111,,,", 0);
|
|
+ testpass("a", "AAAAbbb111,,,,", 1);
|
|
+ testpass("a", "AAAbbbb111,,,", 1);
|
|
+
|
|
return 0;
|
|
}
|
|
--
|
|
2.7.1
|
|
|