summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJackie Huang <jackie.huang@windriver.com>2017-06-16 10:41:12 +0800
committerMartin Jansa <Martin.Jansa@gmail.com>2017-06-19 19:30:41 +0200
commit3b96572070183a02ee4f085cc55f33b6b297bbc9 (patch)
treea92400d11c9563cff673d3fa599d6db38b89bf06
parent0ec8bc87066e30177c8b64b45967a3268320aeba (diff)
downloadmeta-openembedded-3b96572070183a02ee4f085cc55f33b6b297bbc9.tar.gz
passwdqc: add new recipe and replace pam-passwdqc
passwdqc is a password/passphrase strength checking and policy enforcement toolset, including an optional PAM module (pam_passwdqc), command-line programs(pwqcheck and pwqgen), and a library(libpasswdqc). pam_passwdqc 1.0.5 is the final version of pam_passwdqc only before it's turned into passwdqc in 2009, so remove the pam-passwdqc recipe. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r--meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch156
-rw-r--r--meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch11
-rw-r--r--meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb38
-rw-r--r--meta-oe/recipes-support/passwdqc/passwdqc/makefile-add-ldflags.patch31
-rw-r--r--meta-oe/recipes-support/passwdqc/passwdqc_1.3.1.bb63
5 files changed, 94 insertions, 205 deletions
diff --git a/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch b/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch
deleted file mode 100644
index 366d461eb..000000000
--- a/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch
+++ /dev/null
@@ -1,156 +0,0 @@
1diff -urNp pam_passwdqc-1.0.5-orig/pam_passwdqc.c pam_passwdqc-1.0.5/pam_passwdqc.c
2--- pam_passwdqc-1.0.5-orig/pam_passwdqc.c 2008-02-12 15:11:13.000000000 -0500
3+++ pam_passwdqc-1.0.5/pam_passwdqc.c 2009-09-28 12:10:32.171696694 -0400
4@@ -70,6 +70,8 @@ typedef struct {
5 passwdqc_params_t qc;
6 int flags;
7 int retry;
8+ char oldpass_prompt_file[FILE_LEN+1];
9+ char newpass_prompt_file[FILE_LEN+1];
10 } params_t;
11
12 static params_t defaults = {
13@@ -79,10 +81,13 @@ static params_t defaults = {
14 3, /* passphrase_words */
15 4, /* match_length */
16 1, /* similar_deny */
17- 42 /* random_bits */
18+ 42, /* random_bits */
19+ 1 /* firstupper_lastdigit_check */
20 },
21 F_ENFORCE_EVERYONE, /* flags */
22- 3 /* retry */
23+ 3, /* retry */
24+ "", /* oldpass_prompt_file */
25+ "" /* newpass_prompt_file */
26 };
27
28 #define PROMPT_OLDPASS \
29@@ -361,6 +366,37 @@ static int parse(params_t *params, pam_h
30 if (!strcmp(*argv, "use_authtok")) {
31 params->flags |= F_USE_AUTHTOK;
32 } else
33+ if (!strcmp(*argv, "disable_firstupper_lastdigit_check")) {
34+ params->qc.firstupper_lastdigit_check = 0;
35+ } else
36+ if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
37+ int n;
38+ FILE *fp = fopen(*argv + 20, "r");
39+ if (fp) {
40+ n=fread(params->oldpass_prompt_file, sizeof(char), FILE_LEN, fp);
41+ if (0==n || ferror(fp)!=0 ) {
42+ memset(params->oldpass_prompt_file, '\0', FILE_LEN+1);
43+ }
44+ else {
45+ feof(fp)? (params->oldpass_prompt_file[n-1]='\0'): (params->oldpass_prompt_file[n]='\0');
46+ }
47+ fclose(fp);
48+ }
49+ } else
50+ if (!strncmp(*argv, "newpass_prompt_file=", 20)) {
51+ int n;
52+ FILE *fp = fopen(*argv + 20, "r");
53+ if (fp) {
54+ n=fread(params->newpass_prompt_file, sizeof(char), FILE_LEN, fp);
55+ if (0==n || ferror(fp)!=0 ) {
56+ memset(params->newpass_prompt_file, '\0', FILE_LEN+1);
57+ }
58+ else {
59+ feof(fp)? (params->newpass_prompt_file[n-1]='\0'): (params->newpass_prompt_file[n]='\0');
60+ }
61+ fclose(fp);
62+ }
63+ } else
64 break;
65 argc--; argv++;
66 }
67@@ -406,7 +442,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
68
69 if (ask_oldauthtok && !am_root(pamh)) {
70 status = converse(pamh, PAM_PROMPT_ECHO_OFF,
71- PROMPT_OLDPASS, &resp);
72+ strlen(params.oldpass_prompt_file) ? params.oldpass_prompt_file : PROMPT_OLDPASS, &resp);
73
74 if (status == PAM_SUCCESS) {
75 if (resp && resp->resp) {
76@@ -540,8 +576,7 @@ retry:
77 MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED);
78 return PAM_AUTHTOK_ERR;
79 }
80-
81- status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
82+ status = converse(pamh, PAM_PROMPT_ECHO_OFF, strlen(params.newpass_prompt_file) ? params.newpass_prompt_file : PROMPT_NEWPASS1, &resp);
83 if (status == PAM_SUCCESS && (!resp || !resp->resp))
84 status = PAM_AUTHTOK_ERR;
85
86diff -urNp pam_passwdqc-1.0.5-orig/passwdqc_check.c pam_passwdqc-1.0.5/passwdqc_check.c
87--- pam_passwdqc-1.0.5-orig/passwdqc_check.c 2008-02-12 14:31:52.000000000 -0500
88+++ pam_passwdqc-1.0.5/passwdqc_check.c 2009-09-25 22:45:16.080842425 -0400
89@@ -90,10 +90,12 @@ static int is_simple(passwdqc_params_t *
90
91 /* Upper case characters and digits used in common ways don't increase the
92 * strength of a password */
93- c = (unsigned char)newpass[0];
94- if (uppers && isascii(c) && isupper(c)) uppers--;
95- c = (unsigned char)newpass[length - 1];
96- if (digits && isascii(c) && isdigit(c)) digits--;
97+ if (params->firstupper_lastdigit_check) {
98+ c = (unsigned char)newpass[0];
99+ if (uppers && isascii(c) && isupper(c)) uppers--;
100+ c = (unsigned char)newpass[length - 1];
101+ if (digits && isascii(c) && isdigit(c)) digits--;
102+ }
103
104 /* Count the number of different character classes we've seen. We assume
105 * that there are no non-ASCII characters for digits. */
106diff -urNp pam_passwdqc-1.0.5-orig/passwdqc.h pam_passwdqc-1.0.5/passwdqc.h
107--- pam_passwdqc-1.0.5-orig/passwdqc.h 2008-02-12 14:30:00.000000000 -0500
108+++ pam_passwdqc-1.0.5/passwdqc.h 2009-09-25 14:08:56.214695858 -0400
109@@ -7,12 +7,15 @@
110
111 #include <pwd.h>
112
113+#define FILE_LEN 4096 /* Max file len = 4096 */
114+
115 typedef struct {
116 int min[5], max;
117 int passphrase_words;
118 int match_length;
119 int similar_deny;
120 int random_bits;
121+ int firstupper_lastdigit_check;
122 } passwdqc_params_t;
123
124 extern char _passwdqc_wordset_4k[0x1000][6];
125diff -urNp pam_passwdqc-1.0.5-orig/README pam_passwdqc-1.0.5/README
126--- pam_passwdqc-1.0.5-orig/README 2008-02-12 14:43:33.000000000 -0500
127+++ pam_passwdqc-1.0.5/README 2009-09-28 12:12:40.251016423 -0400
128@@ -41,9 +41,12 @@ words (see the "passphrase" option below
129 N3 and N4 are used for passwords consisting of characters from three
130 and four character classes, respectively.
131
132+ disable_firstupper_lastdigit_check []
133+
134 When calculating the number of character classes, upper-case letters
135 used as the first character and digits used as the last character of a
136-password are not counted.
137+password are not counted. To disable this, you can specify
138+"disable_firstupper_lastdigit_check".
139
140 In addition to being sufficiently long, passwords are required to
141 contain enough different characters for the character classes and
142@@ -142,6 +145,14 @@ This disables user interaction within pa
143 the only difference between "use_first_pass" and "use_authtok" is that
144 the former is incompatible with "ask_oldauthtok".
145
146+ oldpass_prompt_file=absolute-file-path []
147+ newpass_prompt_file=abosulte-file-path []
148+
149+The options "oldpass_prompt_file" and "newpass_prompt_file" can be used
150+to override prompts while requesting old password and new password,
151+respectively. The maximum size of the prompt files can be 4096
152+characters at present. If the file size is more than 4096 characters, the
153+output will be truncated to 4096 characters.
154 --
155 Solar Designer <solar at openwall.com>
156
diff --git a/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch b/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch
deleted file mode 100644
index 536fba132..000000000
--- a/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch
+++ /dev/null
@@ -1,11 +0,0 @@
1--- pam_passwdqc-1.0.5/Makefile.orig 2012-10-02 20:53:55.443592886 +0900
2+++ pam_passwdqc-1.0.5/Makefile 2012-10-02 20:54:19.076108001 +0900
3@@ -2,7 +2,7 @@
4 # Copyright (c) 2000-2003,2005 by Solar Designer. See LICENSE.
5 #
6
7-CC = gcc
8+#CC = gcc
9 LD = $(CC)
10 RM = rm -f
11 MKDIR = mkdir -p
diff --git a/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb b/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb
deleted file mode 100644
index cb9aa22cf..000000000
--- a/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb
+++ /dev/null
@@ -1,38 +0,0 @@
1SUMMARY = "Pluggable password quality-control module."
2DESCRIPTION = "pam_passwdqc is a simple password strength checking module for \
3PAM-aware password changing programs, such as passwd(1). In addition \
4to checking regular passwords, it offers support for passphrases and \
5can provide randomly generated passwords. All features are optional \
6and can be (re-)configured without rebuilding."
7
8HOMEPAGE = "http://www.openwall.com/passwdqc/"
9SECTION = "System Environment/Base"
10
11LICENSE = "BSD"
12LIC_FILES_CHKSUM = "file://LICENSE;md5=e284d013ef08e66d4737f446c5890550"
13
14SRC_URI = "http://www.openwall.com/pam/modules/pam_passwdqc/pam_passwdqc-1.0.5.tar.gz \
15 file://1000patch-219201.patch \
16 file://7000Makefile-fix-CC.patch \
17"
18SRC_URI[md5sum] = "cd9c014f736158b1a60384a8e2bdc28a"
19SRC_URI[sha256sum] = "32528ddf7d8219c788b6e7702361611ff16c6340b6dc0f418ff164aadc4a4a88"
20
21
22S = "${WORKDIR}/pam_passwdqc-${PV}"
23
24DEPENDS = "libpam"
25
26EXTRA_OEMAKE = "CFLAGS="${CFLAGS} -Wall -fPIC -DHAVE_SHADOW" \
27 SECUREDIR=${base_libdir}/security \
28"
29
30TARGET_CC_ARCH += "${LDFLAGS}"
31
32do_install() {
33 oe_runmake install DESTDIR=${D}
34}
35
36FILES_${PN} += "${base_libdir}/security/pam_passwdqc.so"
37FILES_${PN}-dbg += "${base_libdir}/security/.debug"
38
diff --git a/meta-oe/recipes-support/passwdqc/passwdqc/makefile-add-ldflags.patch b/meta-oe/recipes-support/passwdqc/passwdqc/makefile-add-ldflags.patch
new file mode 100644
index 000000000..e9023492e
--- /dev/null
+++ b/meta-oe/recipes-support/passwdqc/passwdqc/makefile-add-ldflags.patch
@@ -0,0 +1,31 @@
1Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this variable.
2
3Upstream-Status: Pending
4
5Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
6
7diff --git a/Makefile b/Makefile
8index 49d622d..cd17334 100644
9--- a/Makefile
10+++ b/Makefile
11@@ -48,18 +48,17 @@ CFLAGS = -Wall -W -O2
12 CFLAGS_lib = $(CFLAGS) -fPIC
13 CFLAGS_bin = $(CFLAGS) -fomit-frame-pointer
14
15-LDFLAGS =
16 LDFLAGS_shared = --shared
17 LDFLAGS_shared_LINUX = --shared
18 LDFLAGS_shared_SUN = -G
19 LDFLAGS_shared_HP = -b
20 LDFLAGS_lib = $(LDFLAGS_shared)
21-LDFLAGS_lib_LINUX = $(LDFLAGS_shared_LINUX) \
22+LDFLAGS_lib_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \
23 -Wl,--soname,$(SHARED_LIB),--version-script,$(MAP_LIB)
24 LDFLAGS_lib_SUN = $(LDFLAGS_shared_SUN)
25 LDFLAGS_lib_HP = $(LDFLAGS_shared_HP)
26 LDFLAGS_pam = $(LDFLAGS_shared)
27-LDFLAGS_pam_LINUX = $(LDFLAGS_shared_LINUX) \
28+LDFLAGS_pam_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \
29 -Wl,--version-script,$(MAP_PAM)
30 LDFLAGS_pam_SUN = $(LDFLAGS_shared_SUN)
31 LDFLAGS_pam_HP = $(LDFLAGS_shared_HP)
diff --git a/meta-oe/recipes-support/passwdqc/passwdqc_1.3.1.bb b/meta-oe/recipes-support/passwdqc/passwdqc_1.3.1.bb
new file mode 100644
index 000000000..b8f923c29
--- /dev/null
+++ b/meta-oe/recipes-support/passwdqc/passwdqc_1.3.1.bb
@@ -0,0 +1,63 @@
1SUMMARY = "A password/passphrase strength checking and enforcement toolset"
2DESCRIPTION = "\
3passwdqc is a password/passphrase strength checking and policy enforcement \
4toolset, including an optional PAM module (pam_passwdqc), command-line \
5programs (pwqcheck and pwqgen), and a library (libpasswdqc). \
6pam_passwdqc is normally invoked on password changes by programs such as \
7passwd(1). It is capable of checking password or passphrase strength, \
8enforcing a policy, and offering randomly-generated passphrases, with \
9all of these features being optional and easily (re-)configurable. \
10\
11pwqcheck and pwqgen are standalone password/passphrase strength checking \
12and random passphrase generator programs, respectively, which are usable \
13from scripts. \
14\
15libpasswdqc is the underlying library, which may also be used from \
16third-party programs. \
17"
18
19HOMEPAGE = "http://www.openwall.com/passwdqc"
20SECTION = "System Environment/Base"
21
22DEPENDS += "libpam"
23
24LICENSE = "BSD"
25LIC_FILES_CHKSUM = "file://LICENSE;md5=1b4af6f3d4ee079a38107366e93b334d"
26
27SRC_URI = "http://www.openwall.com/${BPN}/${BP}.tar.gz \
28 file://makefile-add-ldflags.patch \
29 "
30SRC_URI[md5sum] = "3878b57bcd3fdbcf3d4b362dbc6228b9"
31SRC_URI[sha256sum] = "d1fedeaf759e8a0f32d28b5811ef11b5a5365154849190f4b7fab670a70ffb14"
32
33# explicitly define LINUX_PAM in case DISTRO_FEATURES no pam
34# this package's pam_passwdqc.so needs pam
35CFLAGS_append += "-Wall -fPIC -DHAVE_SHADOW -DLINUX_PAM"
36
37# -e is no longer default setting in bitbake.conf
38EXTRA_OEMAKE = "-e"
39
40do_compile() {
41 # make sure sub make use environment to override variables in Makefile
42 # Linux) $(MAKE), there is a tab between
43 sed -i -e 's/Linux) $(MAKE) CFLAGS_lib/Linux) $(MAKE) -e CFLAGS_lib/' ${S}/Makefile
44
45 # LD_lib and LD must be CC because of Makefile
46 oe_runmake LD="${CC}"
47}
48
49do_install() {
50 oe_runmake install DESTDIR=${D} SHARED_LIBDIR=${base_libdir} \
51 DEVEL_LIBDIR=${libdir} SECUREDIR=${base_libdir}/security \
52 INSTALL="install -p"
53}
54
55PROVIDES += "pam-${BPN}"
56PACKAGES =+ "lib${BPN} pam-${BPN}"
57
58FILES_lib${BPN} = "${base_libdir}/libpasswdqc.so.0"
59FILES_pam-${BPN} = "${base_libdir}/security/pam_passwdqc.so"
60FILES_${PN}-dbg += "${base_libdir}/security/.debug"
61
62RDEPENDS_${PN} = "lib${BPN}"
63RDEPENDS_pam-${BPN} = "lib${BPN}"