+++ /dev/null
-From 26002bd1d02d871e3c0526f3a0b7b99e25f3564c Mon Sep 17 00:00:00 2001
-From: babak sarashki <babak.sarashki@windriver.com>
-Date: Tue, 5 Nov 2019 18:02:38 -0800
-Subject: [PATCH] ltb project openldap ppolicy check password 1.1
-
-From stx 1901 openldap src RPM 2.4.44
-Upstream at https://github.com/ltb-project/openldap-ppolicy-check-password.git
----
- .../INSTALL | 31 ++
- .../LICENSE | 50 ++
- .../Makefile | 48 ++
- .../README | 146 ++++++
- .../check_password.c | 447 ++++++++++++++++++
- 5 files changed, 722 insertions(+)
- create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
- create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
- create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/Makefile
- create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/README
- create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
-
-diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
-new file mode 100644
-index 0000000..eb2dab4
---- /dev/null
-+++ b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
-@@ -0,0 +1,31 @@
-+INSTALLATION
-+============
-+
-+Build dependencies
-+------------------
-+cracklib header files (link with -lcrack). The Makefile does not look for
-+cracklib; you may need to provide the paths manually.
-+
-+Build
-+-----
-+Use the provided Makefile to build the module.
-+
-+Copy the resulting check_password.so into the OpenLDAP modulepath.
-+
-+Or, change the installation path to match with the OpenLDAP module path in the
-+Makefile and use 'make install'.
-+
-+
-+USAGE
-+=====
-+Add objectClass 'pwdPolicyChecker' with an attribute
-+
-+ pwdCheckModule: check_password.so
-+
-+to a password policy entry.
-+
-+The module depends on a working cracklib installation including wordlist files.
-+If the wordlist files are not readable, the cracklib check will be skipped
-+silently.
-+
-+But you can use this module without cracklib, just checks for syntatic checks.
-diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
-new file mode 100644
-index 0000000..03f692b
---- /dev/null
-+++ b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
-@@ -0,0 +1,50 @@
-+OpenLDAP Public License
-+
-+The OpenLDAP Public License
-+ Version 2.8.1, 25 November 2003
-+
-+Redistribution and use of this software and associated documentation
-+("Software"), with or without modification, are permitted provided
-+that the following conditions are met:
-+
-+1. Redistributions in source form must retain copyright statements
-+ and notices,
-+
-+2. Redistributions in binary form must reproduce applicable copyright
-+ statements and notices, this list of conditions, and the following
-+ disclaimer in the documentation and/or other materials provided
-+ with the distribution, and
-+
-+3. Redistributions must contain a verbatim copy of this document.
-+
-+The OpenLDAP Foundation may revise this license from time to time.
-+Each revision is distinguished by a version number. You may use
-+this Software under terms of this license revision or under the
-+terms of any subsequent revision of the license.
-+
-+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
-+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
-+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
-+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
-+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-+POSSIBILITY OF SUCH DAMAGE.
-+
-+The names of the authors and copyright holders must not be used in
-+advertising or otherwise to promote the sale, use or other dealing
-+in this Software without specific, written prior permission. Title
-+to copyright in this Software shall at all times remain with copyright
-+holders.
-+
-+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
-+
-+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
-+California, USA. All rights reserved. Permission to copy and
-+distribute verbatim copies of this document is granted.
-+
-diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/Makefile b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile
-new file mode 100644
-index 0000000..91de40b
---- /dev/null
-+++ b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile
-@@ -0,0 +1,48 @@
-+# contrib/slapd-modules/check_password/Makefile
-+# Copyright 2007 Michael Steinmann, Calivia. All Rights Reserved.
-+# Updated by Pierre-Yves Bonnetain, B&A Consultants, 2008
-+#
-+
-+CC=gcc
-+
-+# Where to look for the CrackLib dictionaries
-+#
-+CRACKLIB=/usr/share/cracklib/pw_dict
-+
-+# Path to the configuration file
-+#
-+CONFIG=/etc/openldap/check_password.conf
-+
-+CFLAGS+=-fpic \
-+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
-+ -DCONFIG_FILE="\"$(CONFIG)\"" \
-+ -DDEBUG
-+
-+LDAP_LIB=-lldap_r -llber
-+
-+# Comment out this line if you do NOT want to use the cracklib.
-+# You may have to add an -Ldirectory if the libcrak is not in a standard
-+# location
-+#
-+CRACKLIB_LIB=-lcrack
-+
-+LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
-+
-+LIBDIR=/usr/lib/openldap/
-+
-+
-+all: check_password
-+
-+check_password.o:
-+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
-+
-+check_password: clean check_password.o
-+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
-+
-+install: check_password
-+ cp -f check_password.so ../../../usr/lib/openldap/modules/
-+
-+clean:
-+ $(RM) check_password.o check_password.so check_password.lo
-+ $(RM) -r .libs
-+
-diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/README b/ltb-project-openldap-ppolicy-check-password-1.1/README
-new file mode 100644
-index 0000000..10191c2
---- /dev/null
-+++ b/ltb-project-openldap-ppolicy-check-password-1.1/README
-@@ -0,0 +1,146 @@
-+
-+check_password.c - OpenLDAP pwdChecker library
-+
-+2007-06-06 Michael Steinmann <msl@calivia.com>
-+2008-01-30 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
-+2009 Clement Oudot <clem.oudot@gmail.com> - LTB-project
-+2009 Jerome HUET - LTB-project
-+
-+check_password.c is an OpenLDAP pwdPolicyChecker module used to check the
-+strength and quality of user-provided passwords.
-+
-+This module is used as an extension of the OpenLDAP password policy controls,
-+see slapo-ppolicy(5) section pwdCheckModule.
-+
-+check_password.c will run a number of checks on the passwords to ensure minimum
-+strength and quality requirements are met. Passwords that do not meet these
-+requirements are rejected.
-+
-+
-+Password checks
-+---------------
-+ - passwords shorter than 6 characters are rejected if cracklib is used (because
-+ cracklib WILL reject them).
-+
-+ - syntactic checks controls how many different character classes are used
-+ (lower, upper, digit and punctuation characters). The minimum number of
-+ classes is defined in a configuration file. You can set the minimum for each
-+ class.
-+
-+ - passwords are checked against cracklib if cracklib is enabled at compile
-+ time. It can be disabled in configuration file.
-+
-+INSTALLATION
-+------------
-+Use the provided Makefile to build the module.
-+
-+Compilation constants :
-+
-+CONFIG_FILE : Path to the configuration file.
-+ Defaults to /etc/openldap/check_password.conf
-+
-+DEBUG : If defined, check_password will syslog() its actions.
-+
-+Build dependencies
-+cracklib header files (link with -lcrack). The Makefile does not look for
-+cracklib; you may need to provide the paths manually.
-+
-+Install into the slapd server module path. Change the installation
-+path to match with the OpenLDAP module path in the Makefile.
-+
-+The module may be defined with slapd.conf parameter "modulepath".
-+
-+USAGE
-+-----
-+To use this module you need to add objectClass pwdPolicyChecker with an
-+attribute 'pwdCheckModule: check_password.so' to a password policy entry.
-+
-+The module depends on a working cracklib installation including wordlist files.
-+If the wordlist files are not readable, the cracklib check will be skipped
-+silently.
-+
-+Note: pwdPolicyChecker modules are loaded on *every* password change operation.
-+
-+Configuration
-+-------------
-+The configuration file (/etc/openldap/check_password.conf by default) contains
-+parameters for the module. If the file is not found, parameters are given their
-+default value.
-+
-+The syntax of the file is :
-+
-+parameter value
-+
-+with spaces being delimiters. Parameter names ARE case sensitive (this may
-+change in the future).
-+
-+Current parameters :
-+
-+- useCracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification.
-+ It has no effect if cracklib is not included at compile time.
-+
-+- minPoints: integer. Default value: 3. Minimum number of quality points a new
-+ password must have to be accepted. One quality point is awarded for each character
-+ class used in the password.
-+
-+- minUpper: integer. Defaut value: 0. Minimum upper characters expected.
-+
-+- minLower: integer. Defaut value: 0. Minimum lower characters expected.
-+
-+- minDigit: integer. Defaut value: 0. Minimum digit characters expected.
-+
-+- minPunct: integer. Defaut value: 0. Minimum punctuation characters expected.
-+
-+Logs
-+----
-+If a user password is rejected by an OpenLDAP pwdChecker module, the user will
-+*not* get a detailed error message, this is by design.
-+
-+Typical user message from ldappasswd(5):
-+ Result: Constraint violation (19)
-+ Additional info: Password fails quality checking policy
-+
-+A more detailed message is written to the server log.
-+
-+Server log:
-+ check_password_quality: module error: (check_password.so)
-+ Password for dn=".." does not pass required number of strength checks (2 of 3)
-+
-+
-+Caveats
-+-------
-+Runtime errors with this module (such as cracklib configuration problems) may
-+bring down the slapd process.
-+
-+Use at your own risk.
-+
-+
-+TODO
-+----
-+* use proper malloc function, see ITS#4998
-+
-+
-+HISTORY
-+-------
-+* 2009-10-30 Clement OUDOT - LTB-project
-+ Version 1.1
-+ - Apply patch from Jerome HUET for minUpper/minLower/minDigit/minPunct
-+
-+* 2009-02-05 Clement Oudot <clem.oudot@gmail.com> - LINAGORA Group
-+ Version 1.0.3
-+ - Add useCracklib parameter in config file (with help of Pascal Pejac)
-+ - Prefix log messages with "check_password: "
-+ - Log what character type is found for quality checking
-+
-+* 2008-01-31 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
-+ Version 1.0.2
-+ - Several bug fixes.
-+ - Add external config file
-+
-+* 2007-06-06 Michael Steinmann <msl@calivia.com>
-+ Version 1.0.1
-+ - add dn to error messages
-+
-+* 2007-06-02 Michael Steinmann <msl@calivia.com>
-+ Version 1.0
-+
-diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
-new file mode 100644
-index 0000000..f4dd1cb
---- /dev/null
-+++ b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
-@@ -0,0 +1,447 @@
-+/*
-+ * check_password.c for OpenLDAP
-+ *
-+ * See LICENSE, README and INSTALL files
-+ */
-+
-+#include <string.h>
-+#include <ctype.h>
-+#include <portable.h>
-+#include <slap.h>
-+
-+#ifdef HAVE_CRACKLIB
-+#include <crack.h>
-+#endif
-+
-+#if defined(DEBUG)
-+#include <syslog.h>
-+#endif
-+
-+#ifndef CRACKLIB_DICTPATH
-+#define CRACKLIB_DICTPATH "/usr/share/cracklib/pw_dict"
-+#endif
-+
-+#ifndef CONFIG_FILE
-+#define CONFIG_FILE "/etc/openldap/check_password.conf"
-+#endif
-+
-+#define DEFAULT_QUALITY 3
-+#define DEFAULT_CRACKLIB 1
-+#define MEMORY_MARGIN 50
-+#define MEM_INIT_SZ 64
-+#define FILENAME_MAXLEN 512
-+
-+#define PASSWORD_TOO_SHORT_SZ \
-+ "Password for dn=\"%s\" is too short (%d/6)"
-+#define PASSWORD_QUALITY_SZ \
-+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
-+#define BAD_PASSWORD_SZ \
-+ "Bad password for dn=\"%s\" because %s"
-+#define UNKNOWN_ERROR_SZ \
-+ "An unknown error occurred, please see your systems administrator"
-+
-+typedef int (*validator) (char*);
-+static int read_config_file ();
-+static validator valid_word (char *);
-+static int set_quality (char *);
-+static int set_cracklib (char *);
-+
-+int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
-+
-+struct config_entry {
-+ char* key;
-+ char* value;
-+ char* def_value;
-+} config_entries[] = { { "minPoints", NULL, "3"},
-+ { "useCracklib", NULL, "1"},
-+ { "minUpper", NULL, "0"},
-+ { "minLower", NULL, "0"},
-+ { "minDigit", NULL, "0"},
-+ { "minPunct", NULL, "0"},
-+ { NULL, NULL, NULL }};
-+
-+int get_config_entry_int(char* entry) {
-+ struct config_entry* centry = config_entries;
-+
-+ int i = 0;
-+ char* key = centry[i].key;
-+ while (key != NULL) {
-+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
-+ if ( centry[i].value == NULL ) {
-+ return atoi(centry[i].def_value);
-+ }
-+ else {
-+ return atoi(centry[i].value);
-+ }
-+ }
-+ i++;
-+ key = centry[i].key;
-+ }
-+
-+ return -1;
-+}
-+
-+void dealloc_config_entries() {
-+ struct config_entry* centry = config_entries;
-+
-+ int i = 0;
-+ while (centry[i].key != NULL) {
-+ if ( centry[i].value != NULL ) {
-+ ber_memfree(centry[i].value);
-+ }
-+ i++;
-+ }
-+}
-+
-+char* chomp(char *s)
-+{
-+ char* t = ber_memalloc(strlen(s)+1);
-+ strncpy (t,s,strlen(s)+1);
-+
-+ if ( t[strlen(t)-1] == '\n' ) {
-+ t[strlen(t)-1] = '\0';
-+ }
-+
-+ return t;
-+}
-+
-+static int set_quality (char *value)
-+{
-+#if defined(DEBUG)
-+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value);
-+#endif
-+
-+ /* No need to require more quality than we can check for. */
-+ if (!isdigit(*value) || (int) (value[0] - '0') > 4) return DEFAULT_QUALITY;
-+ return (int) (value[0] - '0');
-+
-+}
-+
-+static int set_cracklib (char *value)
-+{
-+#if defined(DEBUG)
-+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value);
-+#endif
-+
-+
-+ return (int) (value[0] - '0');
-+
-+}
-+
-+static int set_digit (char *value)
-+{
-+#if defined(DEBUG)
-+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value);
-+#endif
-+ if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
-+ return (int) (value[0] - '0');
-+}
-+
-+static validator valid_word (char *word)
-+{
-+ struct {
-+ char * parameter;
-+ validator dealer;
-+ } list[] = { { "minPoints", set_quality },
-+ { "useCracklib", set_cracklib },
-+ { "minUpper", set_digit },
-+ { "minLower", set_digit },
-+ { "minDigit", set_digit },
-+ { "minPunct", set_digit },
-+ { NULL, NULL } };
-+ int index = 0;
-+
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word);
-+#endif
-+
-+ while (list[index].parameter != NULL) {
-+ if (strlen(word) == strlen(list[index].parameter) &&
-+ strcmp(list[index].parameter, word) == 0) {
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Parameter accepted.");
-+#endif
-+ return list[index].dealer;
-+ }
-+ index++;
-+ }
-+
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Parameter rejected.");
-+#endif
-+
-+ return NULL;
-+}
-+
-+static int read_config_file ()
-+{
-+ FILE * config;
-+ char * line;
-+ int returnValue = -1;
-+
-+ line = ber_memcalloc(260, sizeof(char));
-+
-+ if ( line == NULL ) {
-+ return returnValue;
-+ }
-+
-+ if ( (config = fopen(CONFIG_FILE, "r")) == NULL) {
-+#if defined(DEBUG)
-+ syslog(LOG_ERR, "check_password: Opening file %s failed", CONFIG_FILE);
-+#endif
-+
-+ ber_memfree(line);
-+ return returnValue;
-+ }
-+
-+ returnValue = 0;
-+
-+ while (fgets(line, 256, config) != NULL) {
-+ char *start = line;
-+ char *word, *value;
-+ validator dealer;
-+
-+#if defined(DEBUG)
-+ /* Debug traces to syslog. */
-+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line);
-+#endif
-+
-+ while (isspace(*start) && isascii(*start)) start++;
-+
-+ /* If we've got punctuation, just skip the line. */
-+ if ( ispunct(*start)) {
-+#if defined(DEBUG)
-+ /* Debug traces to syslog. */
-+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line);
-+#endif
-+ continue;
-+ }
-+
-+ if( isascii(*start)) {
-+
-+ struct config_entry* centry = config_entries;
-+ int i = 0;
-+ char* keyWord = centry[i].key;
-+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
-+ while ( keyWord != NULL ) {
-+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
-+
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value);
-+#endif
-+
-+ centry[i].value = chomp(value);
-+ break;
-+ }
-+ i++;
-+ keyWord = centry[i].key;
-+ }
-+ }
-+ }
-+ }
-+ fclose(config);
-+ ber_memfree(line);
-+
-+ return returnValue;
-+}
-+
-+static int realloc_error_message (char ** target, int curlen, int nextlen)
-+{
-+ if (curlen < nextlen + MEMORY_MARGIN) {
-+#if defined(DEBUG)
-+ syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
-+ curlen, nextlen + MEMORY_MARGIN);
-+#endif
-+ ber_memfree(*target);
-+ curlen = nextlen + MEMORY_MARGIN;
-+ *target = (char *) ber_memalloc(curlen);
-+ }
-+
-+ return curlen;
-+}
-+
-+int
-+check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
-+{
-+
-+ char *szErrStr = (char *) ber_memalloc(MEM_INIT_SZ);
-+ int mem_len = MEM_INIT_SZ;
-+
-+ int nLen;
-+ int nLower = 0;
-+ int nUpper = 0;
-+ int nDigit = 0;
-+ int nPunct = 0;
-+ int minLower = 0;
-+ int minUpper = 0;
-+ int minDigit = 0;
-+ int minPunct = 0;
-+ int nQuality = 0;
-+ int i;
-+
-+ /* Set a sensible default to keep original behaviour. */
-+ int minQuality = DEFAULT_QUALITY;
-+ int useCracklib = DEFAULT_CRACKLIB;
-+
-+ /** bail out early as cracklib will reject passwords shorter
-+ * than 6 characters
-+ */
-+
-+ nLen = strlen (pPasswd);
-+ if ( nLen < 6) {
-+ mem_len = realloc_error_message(&szErrStr, mem_len,
-+ strlen(PASSWORD_TOO_SHORT_SZ) +
-+ strlen(pEntry->e_name.bv_val) + 1);
-+ sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
-+ goto fail;
-+ }
-+
-+ if (read_config_file() == -1) {
-+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
-+ }
-+
-+ minQuality = get_config_entry_int("minPoints");
-+ useCracklib = get_config_entry_int("useCracklib");
-+ minUpper = get_config_entry_int("minUpper");
-+ minLower = get_config_entry_int("minLower");
-+ minDigit = get_config_entry_int("minDigit");
-+ minPunct = get_config_entry_int("minPunct");
-+
-+ /** The password must have at least minQuality strength points with one
-+ * point for the first occurrance of a lower, upper, digit and
-+ * punctuation character
-+ */
-+
-+ for ( i = 0; i < nLen; i++ ) {
-+
-+ if ( islower (pPasswd[i]) ) {
-+ minLower--;
-+ if ( !nLower && (minLower < 1)) {
-+ nLower = 1; nQuality++;
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality);
-+#endif
-+ }
-+ continue;
-+ }
-+
-+ if ( isupper (pPasswd[i]) ) {
-+ minUpper--;
-+ if ( !nUpper && (minUpper < 1)) {
-+ nUpper = 1; nQuality++;
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality);
-+#endif
-+ }
-+ continue;
-+ }
-+
-+ if ( isdigit (pPasswd[i]) ) {
-+ minDigit--;
-+ if ( !nDigit && (minDigit < 1)) {
-+ nDigit = 1; nQuality++;
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality);
-+#endif
-+ }
-+ continue;
-+ }
-+
-+ if ( ispunct (pPasswd[i]) ) {
-+ minPunct--;
-+ if ( !nPunct && (minPunct < 1)) {
-+ nPunct = 1; nQuality++;
-+#if defined(DEBUG)
-+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality);
-+#endif
-+ }
-+ continue;
-+ }
-+ }
-+
-+ /*
-+ * If you have a required field, then it should be required in the strength
-+ * checks.
-+ */
-+
-+ if (
-+ (minLower > 0 ) ||
-+ (minUpper > 0 ) ||
-+ (minDigit > 0 ) ||
-+ (minPunct > 0 ) ||
-+ (nQuality < minQuality)
-+ ) {
-+ mem_len = realloc_error_message(&szErrStr, mem_len,
-+ strlen(PASSWORD_QUALITY_SZ) +
-+ strlen(pEntry->e_name.bv_val) + 2);
-+ sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
-+ nQuality, minQuality);
-+ goto fail;
-+ }
-+
-+#ifdef HAVE_CRACKLIB
-+
-+ /** Check password with cracklib */
-+
-+ if ( useCracklib > 0 ) {
-+ int j = 0;
-+ FILE* fp;
-+ char filename[FILENAME_MAXLEN];
-+ char const* ext[] = { "hwm", "pwd", "pwi" };
-+ int nErr = 0;
-+
-+ /**
-+ * Silently fail when cracklib wordlist is not found
-+ */
-+
-+ for ( j = 0; j < 3; j++ ) {
-+
-+ snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
-+ CRACKLIB_DICTPATH, ext[j]);
-+
-+ if (( fp = fopen ( filename, "r")) == NULL ) {
-+
-+ nErr = 1;
-+ break;
-+
-+ } else {
-+
-+ fclose (fp);
-+
-+ }
-+ }
-+
-+ char *r;
-+ if ( nErr == 0) {
-+
-+ r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
-+ if ( r != NULL ) {
-+ mem_len = realloc_error_message(&szErrStr, mem_len,
-+ strlen(BAD_PASSWORD_SZ) +
-+ strlen(pEntry->e_name.bv_val) +
-+ strlen(r));
-+ sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
-+ goto fail;
-+ }
-+ }
-+ }
-+
-+ else {
-+#if defined(DEBUG)
-+ syslog(LOG_NOTICE, "check_password: Cracklib verification disabled by configuration");
-+#endif
-+ }
-+
-+#endif
-+ dealloc_config_entries();
-+ *ppErrStr = strdup ("");
-+ ber_memfree(szErrStr);
-+ return (LDAP_SUCCESS);
-+
-+fail:
-+ dealloc_config_entries();
-+ *ppErrStr = strdup (szErrStr);
-+ ber_memfree(szErrStr);
-+ return (EXIT_FAILURE);
-+
-+}
---
-2.17.1
-
Code Review / pti / rtp.git / blobdiff